Lab-7-2

(2.5% of the course mark)

Security Testing of DAMN VULNERABLE WEB APPLICATION (DVWA) using Burp Suite Community Edition

• This lab introduces students to web application security testing using DVWA and Burp Suite Community Edition. Learners will explore common web vulnerabilities and practice intercepting, analyzing, and manipulating HTTP traffic to identify and exploit security flaws.

Lab objectives

• Configure Burp Suite with a browser for intercepting DVWA traffic.

• Identify and exploit common web vulnerabilities. ie: SQL Injection, XSS, CSRF, and Command Injection.

• Perform request interception and response analysis.

• Understand the impact of insecure authentication and session management.

• Demonstrate manual testing techniques using Burp Suite tools ie: Proxy, Repeater, and Decoder.

• Analyze and document vulnerability findings and suggest remediation.

Local XSS Hack

1. Create folder named: xss-hack on your computer.

2. Open Visual Studio Code and open the xss-hack folder.

3. Create a file named: xss.html and copy the code below.

<!DOCTYPE html>
<html>
  <head>
    <title>XSS Demo</title>
    <script defer>
      const credentials = { username: "my-username", password: "my-password" };

      // Saving the credentials to local storage, this is supposed to be secure
      localStorage.setItem("credentials", JSON.stringify(credentials));
    </script>
  </head>
  <body>
    <h1>XSS Test</h1>

    <input id="comment" placeholder="Type your comment" />
    <button onclick="postComment()">Post</button>

    <div id="comments"></div>

    <script>
      function postComment() {
        const comment = document.getElementById("comment").value;

        // Do not do this on prod systems, unless the input is sanitized
        document.getElementById("comments").innerHTML += `<p>${comment}</p>`;
      }
    </script>
  </body>
</html>

4. Right click on xss-hack.html and choose Open with Live Server.

5. On the comments text box, enter the code below and click on Post.

<img
  src="x"
  onerror="alert('XSS Hack: ' + localStorage.getItem('credentials'));"
/>

6. An alert box should appear, which displays the username and password stored from local storage. Take a screenshot of the alert box and name them xss-hack.png.

DVWA app Setup

1. Start the Docker Desktop app.

2. Verify the Docker Desktop app by typing the following commands below to the terminal.

docker version

docker compose version

info

Ensure that there are no errors when you type the commands, if there is ensure that the Docker Desktop app is installed and running.

3. Download and extract the DVWA app.

4. Open Visual Studio Code and open the folder of the directory where the folders and files were extracted.

5. Navigate to: DVWA-master.

6. Open the terminal and ensure that it on the root folder of DVWA-master.

7. Type the command below and press enter.

docker compose up -d

8. Test the DVWA app installation by using a browser and navigating to: http://localhost:4280.

Initialize DVWA app

1. Open a browser and navigate to: http://localhost:4280.

2. Login with Username: admin and Password: password.

3. Scroll down and click on the Create / Reset Database button. This should log you off.

4. Login once again with Username: admin and Password: password.

5. Scroll down and click on DVWA Security and set the Security Level to Low.

info

• The security level changes the vulnerability level of DVWA:

  • Low - This security level is completely vulnerable and has no security measures at all. It's use is to be as an example of how web application vulnerabilities manifest through bad coding practices and to serve as a platform to teach or learn basic exploitation techniques.

  • Medium - This setting is mainly to give an example to the user of bad security practices, where the developer has tried but failed to secure an application. It also acts as a challenge to users to refine their exploitation techniques.

  • High - This option is an extension to the medium difficulty, with a mixture of harder or alternative bad practices to attempt to secure the code. The vulnerability may not allow the same extent of the exploitation, similar in various Capture The Flags (CTFs) competitions.

  • Impossible - This level should be secure against all vulnerabilities. It is used to compare the vulnerable source code to the secure source code.

DVWA Manual Testing

1. Open a browser and navigate to: http://localhost:4280.

2. Login with Username: admin and Password: password.

3. Click on Command Injection.

4. Enter each of the following injected commands below and click on Submit. Take a screenshot of the results and name them command-injection01.png and command-injection02.png.

127.0.0.1;cat /etc/passwd

127.0.0.1;ls -la ../../../../../

info

• The original intent of the textbox is for the user to enter an IP address to be pinged. However, due to insufficient input validation, it is possible to inject additional system commands beyond the expected IP address.

127.0.0.1;cat /etc/passwd

• The command cat /etc/passwd means open the passwd file.

127.0.0.1;ls -la ../../../../../

• The command ls -la ../../../../../ means display a list of file and folders including hidden file / folders on the root directory.

5. Click on SQL Injection.

6. Enter the following sql injected command below and click on Submit. Take a screenshot of the results and name it sql-injection.png.

admin' OR '1'='1

info

• The original intent of the textbox is for the user to enter a user ID. However, due to insufficient input validation, it is possible to inject additional SQL commands beyond the expected input. For example, since the condition 1=1 is always true, the SQL statement will evaluate to true, potentially exposing unintended data or bypassing authentication.

7. Click on XSS Reflected.

8. Enter the following code below and click on Submit. Take a screenshot of the results and name it xss-reflected.png.

<script>
  alert("XSS");
</script>

info

• The original intent of the textbox is for the user to enter a name. However, due to insufficient input validation, it is possible to inject additional JavaScript code beyond the expected input, leading to a security vulnerability.

9. Click on Authorisation Bypass.

10. Copy the url of this page: http://localhost:4280/vulnerabilities/authbypass.

11. Logout and Login with Username: gordonb and Password: abc123.

12. The Authorisation Bypass link should not be visible.

13. Navigate to the url that was copied on step 10. Take a screenshot of the results and name it authorisation-bypass.png.

info

• The functionality protected by authorization should only be accessible to admin users. However, due to poor access control, even users without admin privileges can access the page simply by entering the Authorisation Bypass url.

DVWA Security Testing with Burp Suite Community Edition

1. On GBC D2L, download and watch Burp-DVWA.mp4. This video demonstrates how to perform a brute force attack on Burp using a password file.

2. Follow the Burp-DVWA setup in the video and configure a brute force attack on the DVWA login form. Take a screenshot of the results and name it burp-brute-force.png.

Submission

1. Create a folder named submit.

2. Copy all (xss-hack.png, command-injection01.png, command-injection02.png, sql-injection.png, xss-reflected.png, authorisation-bypass.png and burp-brute-force.png) the previously saved screenshots to this folder.

3. Create a zip file of this folder.

4. Navigate back to where the lab was originally downloaded, there should be a Submissions section (see below) where the zip file can be uploaded.