Introduction
The purpose of this assignment is to explore vulnerabilities and protection methods in web applications.
In this lab, you are going to locate and exploit a Cross-Site Scripting (XSS) vulnerability. Using this vector, you will obtain administrator access to the system through a cookie-hijacking attack. Once in the administration pages, you will find and exploit a SQL injection to gain code execution on the server.
The web application
The web application used in this lab comes from PentesterLab and represents a CMS blogging platform. It is distributed as a bootable ISO image that you can boot in VirtualBox, VMware or QEMU:
- xss_and_mysql_file_i386.iso (32-bit, 178M, MD5: c9c7a31ab9bf79b82b72b58bb0a3a657)
The system includes a PhantomJS script that simulates an administrator visiting every page of the website once a minute, so a payload stored on any page is executed in the administrator's browser within a minute.
Note: All attacks can be launched from the client side using nothing but a browser. You are not allowed to look at the application code on the server itself (just as in a real engagement).
Part 1: Cross-Site Scripting (XSS)
Your objective is to find an XSS vulnerability, use it to perform a session-hijacking attack, and thereby gain administrator access to the web application.
In the report you should include:
- A description of the XSS vulnerability (or vulnerabilities) you found.
- A step-by-step description of the attack you designed to hijack the administrator's session information.
- A recommendation on how this issue should be fixed.
- A comprehensive discussion of countermeasures. Give use cases for each countermeasure and discuss how they can be deployed in the scenario of the lab:
  - server-side
  - client-side
The administration interface is under the admin link on the main page.
If you need a server to capture the leaked cookie you can do one of the following:
- Send your requests to http://requestbin.fullcontact.com/
- Run a listener with the command socat TCP-LISTEN:80,reuseaddr,fork - (the trailing dash is socat's STDIO address, so every incoming request is printed to your terminal; binding port 80 needs root, otherwise pick a high port), or quickly write a simple server with, for example, Node.js.
Note: Solutions that leave visible traces (such as broken images) are not valid: the administrator must not notice anything while the payload runs.
Extra: Can you come up with a possible patch for the website code?
Part 2: SQL Injection
Your objective is to find an SQL injection vulnerability in the web application and to exploit it so that the server runs queries of your choosing against the database.
In the report you should include:
- A description of all SQL injection vulnerabilities you found. What is the root cause of the problem?
- An exploitation of the FILE privilege of the blog's database user to read the /etc/passwd file.
- A writable directory on the server, and a webshell injected into it to obtain remote code execution. Explain how the webshell works.
- A recommendation on how this issue should be fixed.
- A comprehensive discussion of countermeasures. Give use cases for each countermeasure and discuss how they can be deployed in the scenario of the lab:
  - the web application itself
  - the database system
  - the operating system
  - the security configuration of the above
Hint: A possible webshell is <?php system($_GET['c']);?>, which runs the command passed in the c query parameter and returns its output in the response.
Extra: Your admin access might expire in the near future. How can you get future access without changing the administrator password? What do you suggest to mitigate this vulnerability in particular?
Links
- XSS warm-up exercise with cake at the end (by Artur Janc, Google)
- XSS and SQL injection tutorial.
- Advanced SQL Injection, Chris Anley, NGSSoftware, 2002
- Cross-Site Scripting - OWASP
Report
- Please, submit a report that includes your answers from part 1 & 2.
- Since we want you to learn something, the report should demonstrate that you have understood the attacks and the respective defense mechanisms, and not just copy-pasted from a different source.
- Beware that the web is a moving target, many sources become outdated fast.
- Submissions with poor discussion of countermeasures will be rejected.