Damn Vulnerable Web Application - Part 1

The Damn Vulnerable Web Application (DVWA) provides a PHP/MySQL web application that is damn vulnerable whose goal of being an intentionally vulnerable system for practice/teaching purposes in regard to Information Security.There are many Methods for Installing DVWA on Platforms Like Windows and Linux, In this blog i will show the easiest Walk-through for Beginners to Learn and Exploit Web Application. So let us Start with Installation and Implementation of DVWA.

Step By Step Installation

1) Requirement : 
  • Windows system for Managing VM
  • Virtual Box (Link) or VMware (Link) should be installed on system
  • Kali-ISO (Link)
  • DVWA ISO (Link)
2) Switch-ON Kali and DVWA virtual machines Both must be in HOST only Adapter (we can change using VM Network setting). 

3) After the Installation of Kali and DVWA in VM, find the IP address of DWVA using the Command ifconfig and Check Connectivity between them using ping command.

4) Run Kali machine and DVWA machine Parallelly.

5) Open Kali Machine and Enter DVWA ip address into Browser to get GUI, Below is the Snapshot for Welcome Page 



5) By default Credentials :
  • Username:  admin
  • Password: password
6) We login Successfully and now we can see the List of Challenges, Total there are 9 Challenges which we need to Exploit. 

7) DVWA is Categorized into three Levels such as Low, Medium and High, Initially we will Start by Keeping the Difficulty level as Low Displayed in Screenshot below



Step By Step Walk-through

A) Challenge 1: Brute Force 
 
  • In this challenge we have to find out whether it has been vulnerable to Brute Force Attack and IF yes, then Find out the Username and Password.
  • We required a Tool here to Capture the Request-Response transactions of Web Application, We used Burpsuite Here to exploit this Vulnerability.
  • Open Burpsuite and Set Proxy to 127.0.0.1:8080
  • Open Browser Setting and set proxy to localhost:8080 
  • Enter any credentials and capture those Packets in Burpsuite under Proxy tab, just forward it to Intruder (note down error reply which has to be entered in Grep-Match field)
  • Analyze the Request and find Username and Password text filed enclosed with $___$
  • Mark username and Password Field with $ symbol.

  • Select Attack Type = Cluster Bomb, Upload Payload 1 and 2 
  • Under Option tab Set Grep-Match as Incorrect
  • Hit Button => Start Attack
  • After Matching the Every Payload Entries, Burpsuite gives Username & password (Observes untick on Grep Field)
  • Obtained Username and Password is "admin"& "password"  
 
B) Challenge 2: Command Execution 
 
  • Command injection is an attack in which User Enters arbitrary commands on the host operating system via a vulnerable application.
  • As we can See the Text Box in the challenge, we have to Enter commands such that it will returns System Information.
  • Simply Submitting localhost address it gives the output as shown in below image: 


  • Our task is to Enter Commands in such a way to get Important information from Targeted Network
  • lets try hitting command, 127.0.0.1; uname -a 

  • Try with, 127.0.0.1; cat/etc/passwd

  • Similarly we can try as many Linux commands in order to get the Valuable information out of it. eg:- 127.0.0.1; ls or 127.0.0.1; cat /etc/group
 
 C) CSRF 

  • Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.
  • In DVWA-CSRF attack User tries to change the password but Man-in-The-Middle will capture those Request and modifies Password fields with their Own password.
  • Firstly User will tries to Enter New password and Hits on Change Button.

  • Secondly, Burpsuite will Capture the Request and Alters it as shown in image below : User enters Password as validuser:validuser but we edited as hacker:hacker.
  • Query Submitted by Middle-Man will executed Successfully.
  •  when the Authenticated User tries to Change Password again it throws Error message because data stored in database will be the password entered by Middle-man not by the Valid User.
  • Acknowledgement show to User as "Password Changed", shown below



D) File Inclusion


  • Remote File Inclusion (RFI) and Local File Inclusion (LFI) are vulnerabilities that are often found in vulnerable web applications. These vulnerabilities occur when a web application allows the user to submit input into files or upload files to the server.
  •  LFI : LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine.
  •  The “../” characters used to represent a directory traversal. The number of “../” sequences depends on the configuration and location of the target File on the victim machine. Some experimentation may be required. 
  • We can try as many commands to exploit LFI such as :– /etc/issue , /proc/version , /etc/profile , etc and many more.


RFI : Instead of accessing a file on the local machine, the attacker is able to execute code hosted on their own machine or Redirect through external Link. example as below : 


  • We can Also create our own Malicious Web page and Exploit using Metasploit, step by step manual is here.

Next 5 challenges of DVWA are SQL injection,XSS and Upload which i will be explaining in my next blog, till then

STAY TUNED....

Comments

Popular posts from this blog

RTR using Falcon Crowdstrike

Top Commands Mostly Used By System Administrator.

SECURITY OPERATION CENTRE

Cyber Threat Intelligence

Collective Intelligence Framework v3 - Part 1

Top 20 Subdomains Search Engines

Collective Intelligence Framework v3 - Part 2

Security Architecture for Startup

TrickBot Malware Family - A Deep Dive using Falcon Crowdstrike