Lab 3 - Web Application Security

Introduction

The purpose of this assignment is to explore vulnerabilities and protection methods in web applications.

In this lab, you are going to locate and exploit a Cross-Site Scripting (XSS) vulnerability. Using this vector, you will gain administrator access to the system through a cookie hijacking attack. Once in the administration pages, you will find and exploit a SQL injection to gain code execution.

The web application

The web application used in this lab is from PentesterLab and represents a CMS blogging platform. It is a bootable CD in ISO format that you can boot in VirtualBox, VMware or QEMU:

Depending on your virtual machine configuration, you might need to create a port redirection to the virtual host's TCP port 80.

The system includes a PhantomJS script that simulates an administrator visiting every page of the website every minute.

Note: All attacks can be launched from the client side using only a browser. You are not allowed to look at the application code on the server itself (just like in reality).

Part 1: Cross-Site Scripting (XSS)

Your objective is to find an XSS vulnerability, use it to perform a Session Hijacking attack, and thereby gain administrator access to the web application.

In the report you should include:

The administration interface is under the admin link on the main page.

If you need a server to capture the leak you can do one of the following:

Note: Solutions with visible traces (such as broken images) are not valid.

Extra: Can you come up with a possible patch for the website code?

Part 2: SQL Injection

Your objective is to find a SQL injection vulnerability in the web application and to exploit it in a way that makes the server issue your requests to the database.

In the report you should include:

Hint: A possible webshell is <?php system($_GET['c']);?>

Extra: Your admin access might expire in the near future. How can you get future access without changing the administrator password? What do you suggest to mitigate this vulnerability in particular?
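For the two "Extra" questions (a patch for the XSS in Part 1 and a mitigation for the SQL injection in Part 2), the following is an added illustration of what such a patch could look like in a PHP CMS; it is not the lab application's code, and the table name "posts", the "h" helper and the in-memory SQLite stand-in are assumptions.

```php
<?php
// Added example of a defensive patch for a PHP blogging CMS (not the lab's own code).
// Assumed: PDO with SQLite as a stand-in for the CMS database; table "posts".

// 1. Session hardening: with HttpOnly set, a script injected via XSS cannot read the
//    session cookie of the admin bot that visits every page; SameSite keeps the cookie
//    from being sent on cross-site requests.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Strict',
    'secure'   => isset($_SERVER['HTTPS']),
]);
session_start();

// 2. Output encoding: escape every user-controlled value for the HTML context at the
//    point where it is printed, so markup stored in a post or comment renders as text.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. SQL: bind parameters instead of concatenating them into the query, so the input
//    cannot change the query's structure. (Before: "... WHERE id=" . $_GET['id'])
function fetchPost(PDO $pdo, string $rawId): ?array {
    $stmt = $pdo->prepare('SELECT id, title, body FROM posts WHERE id = :id');
    $stmt->execute([':id' => (int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed stand-in database with one post whose body contains markup.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$pdo->exec("INSERT INTO posts VALUES (1, 'Hello', '<b>bold</b> <script>x()</script>')");

// Rendering: the id goes through the prepared statement, the fields through h().
// Before (vulnerable pattern): echo "<h1>" . $row['title'] . "</h1>";
$post = fetchPost($pdo, $_GET['id'] ?? '1');
if ($post !== null) {
    echo '<h1>' . h($post['title']) . '</h1>' . PHP_EOL;
    echo '<div>' . h($post['body']) . '</div>' . PHP_EOL;
}
```

Run from the command line, the body line prints as `&lt;b&gt;bold&lt;/b&gt; &lt;script&gt;x()&lt;/script&gt;`, which a browser displays literally instead of executing.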

Links

Report