The purpose of this assignment is to explore vulnerabilities and protection methods in web applications.
In this lab, you are going to locate and exploit a Cross-Site Scripting (XSS) vulnerability. Using this vector, you will obtain administrator access to the application by hijacking the administrator's session cookie. Once in the administration pages, you will find and exploit a SQL injection to gain code execution on the server.
The web application
- xss_and_mysql_file_i386.iso (32-bit, 178M, MD5: c9c7a31ab9bf79b82b72b58bb0a3a657)
The system includes a PhantomJS script that simulates an administrator visiting every page of the website every minute.
Note: All attacks can be launched purely from the client side, using only a browser. You are not allowed to look at the application code on the server itself (just as in a real engagement).
Part 1: Cross-Site Scripting (XSS)
Your objective is to find an XSS vulnerability, use it to perform a Session Hijacking attack, and gain administrator privileges in the web application. In the report you should include:
- A description of the XSS vulnerability (or vulnerabilities) you found
- A step-by-step description of the attack that you have designed to hijack the administrator session information.
- A recommendation on how this issue should be fixed
- Describe mitigation and protection mechanisms:
- who controls these mechanisms?
- where are they deployed?
The administration interface is under the admin link on the main page. If you need a server to capture the leaked cookie you can do one of the following:
- Send your requests to http://requestb.in/ (public request-capture services come and go; if it is unavailable, run your own listener)
- Run a listener with the command: socat TCP-LISTEN:80,reuseaddr,fork - (binding port 80 requires root; any other port works as long as your payload uses it) or quickly write a simple server with, for example, Node.js or Python.
Note: Solutions that leave visible traces (such as a broken image on the page) are not valid.
Extra: Can you come up with a possible patch for the website code?
Part 2: SQL-Injection
Your objective is to find an SQL injection vulnerability in the web application and to exploit it so that the server runs queries of your choosing against the database. In the report you should include:
- A description of all SQL injection vulnerabilities you have found.
- An educated guess about the structure of the vulnerable SELECT query in the application code.
- Exploit the FILE privilege of the blog database user (for example via LOAD_FILE()) to read the /etc/passwd file.
- Find a directory that the database server can write to and that the web server will execute files from, and inject a webshell (for example via INTO OUTFILE) to get remote code execution on the server. Explain how the webshell works.
- A recommendation on how this issue should be fixed.
- A general discussion on possible server-side protection mechanisms:
- database system
- operating system
- web application itself
Hint: A possible webshell is <?php system($_GET['c']);?>
Extra: Your admin access might expire in the near future. How can you get future access without changing the administrator password? What do you suggest to mitigate this vulnerability in particular?
- XSS warm-up exercise with cake at the end (by Artur Janc, Google)
- XSS and SQL injection tutorial.
- Advanced SQL Injection, Chris Anley, NGSSoftware, 2002
- Cross-Site Scripting - OWASP
- Please, submit a report that includes your answers from part 1 & 2.
- Since we want you to learn something, the report should demonstrate that you have understood the attacks and the respective defense mechanisms, and not just copy-pasted from a different source.
- Beware that the web is a moving target: many sources become outdated quickly.
- Submissions with poor discussion of protection will be rejected.