Lab 3 - Web Application Security


The purpose of this assignment is to explore vulnerabilities and protection methods in web applications.

In this lab, you are going to locate and exploit a Cross-Site Scripting (XSS). Using this vector, you will get administrator access to the system by a cookie hijacking attack. Once in the administration pages, you will find and exploit a SQL-injection to gain code execution.

The web application

The web application used in this lab is from PentesterLab and represents a CMS blogging platform. It is a bootable CD in ISO format that you can boot from in your VirtualBox, VMware or QEMU:

Depending of your virtual machine configuration, you might create a port redirection to the virtual host tcp/80 port.

The system includes a PhantomJS script that simulates an administrator visiting every page of the website every minute.

Note: All attacks can be launched from the client side only simply using a browser. You are not allowed to look at the application code on the server itself (just like in reality).

Part 1: Cross-Site Scripting (XSS)

Your objective is to find an XSS vulnerability to perform a Session Hijacking attack and gain administration clearance in the web application.

In the report you should include:

The administration interface is under the admin link on the main page.

If you need a server to capture the leak you can do one of the following:

Note: Solutuions with visible traces (such as broken images) are not valid.

Extra: Can you come up with a possible patch for the website code?

Part 2: SQL Injection

Your objective is to find an SQL-Injection vulnerability in the web application and to exploit in a way that the server makes your requests to the database.

In the report you should include:

Hint: A possible webshell is <?php system($_GET['c']);?>

Extra: Your admin access might expire in the near future. How can you get future access without changing the administrator password? What do you suggest to mitigate this vulnerability in particular?