Prakt 9 - DVWA

This document provides instructions for exploiting various vulnerabilities in DVWA (Damn Vulnerable Web Application), a deliberately vulnerable web application. It begins by having the user log into DVWA and set the security level to low. It then walks through exploiting reflected and stored cross-site scripting vulnerabilities by entering script tags that the application echoes unencoded. The document next demonstrates a cross-site request forgery by tricking the logged-in user's browser into changing the admin password. Further exercises cover command injection (chaining operating-system commands onto the ping input), SQL injection (manipulating the query to retrieve hidden data and the users' password hashes from the database), cracking those hashes with John the Ripper, and file inclusion (path disclosure and reading other files on the web server).

Uploaded by Abiyau Neo

Day 4

In Kali
39. Use Firefox to browse to the DVWA running on Win2008R2 on port 8080:
http://192.168.16.125:8080/dvwa-1.9
Replace the IP address with the IP address of your Win2008R2 image.

40. Login with username “admin” and password “password”.


41. You can click on Instructions in the left hand menu to view the README.
42. Click on DVWA Security. Set the security level to low and click Submit.

Exercise 4. Reflected Cross-Site Scripting

Description:
Reflected cross-site scripting can happen when user input from the request is echoed into the response page without being encoded, so script contained in the input runs in the browser of whoever made the request.

In Kali
43. In DVWA, in the left hand menu, click on XSS (reflected).
44. Type any string into the textbox and click Submit. What you typed will be displayed.
45. Now type the following into the textbox and click Submit.
<script>alert("haha");</script>

You should see a popup with the word "haha".

46. Click the View Source button in the lower right corner. Note that whatever the user enters
is stored in the variable 'name' and written straight into the page by the echo statement, with no encoding.

47. In the left menu, click on DVWA Security and set the security level to high.

Page 8 of 22

48. Repeat entering the following into the textbox and click Submit.
<script>alert("haha");</script>

This time the script is not run, so no pop-up appears.

49. Click the View Source button. When the Security Level is High, the user input is filtered
by passing it through the PHP function preg_replace, which deletes anything matching "<script"
(a case-insensitive regular expression), so the script tag never reaches the browser. Note that this
is a blacklist: it removes the one pattern it knows about instead of encoding the output. The Impossible
level takes the other approach and passes the value through htmlspecialchars, so the browser displays
it as text whatever it contains.

50. In the left menu, click on DVWA Security and set the security level back to low.

51. Type the following in the textbox and click Submit.


<script>document.location="https://www.google.com"</script>

The Web Browser will execute the script and you will be redirected to Google.

Note: Some browser versions shipped a built-in reflected-XSS filter (for example the XSS Auditor in older Chrome and Safari) that may block this redirect. Current Chrome and Edge have removed such filters and Firefox never had one, so they are not a defence to rely on.
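To make the difference between the low, high and impossible handling concrete, here is an added example (not code from the lab or from DVWA itself) that models the three behaviours in Python: raw echo, a preg_replace-style blacklist as the lab describes it, and entity encoding. The second payload with an event-handler attribute is constructed for this demo and is not part of the lab; it is there to show that a blacklist of "<script" leaves other markup untouched while encoding neutralises everything.

```python
import html
import re

# Payload used in the lab's reflected and stored exercises.
SCRIPT_PAYLOAD = '<script>alert("haha");</script>'
# Constructed second payload: the code sits in an event-handler attribute,
# so there is no "<script" for a blacklist to find.
EVENT_PAYLOAD = '<img src=x onerror=alert(1)>'


def render_low(name: str) -> str:
    """DVWA 'low': the name parameter is echoed straight into the page."""
    return f"<pre>Hello {name}</pre>"


# Blacklist modelled on the lab's description of the 'high' level: a
# preg_replace that deletes "<script" (case-insensitively) and nothing else.
# DVWA's real regex is more elaborate, but it is still a pattern blacklist.
SCRIPT_OPEN = re.compile(r"<script", re.IGNORECASE)


def render_high(name: str) -> str:
    """Blacklist filtering: strip the one pattern the filter knows about."""
    return f"<pre>Hello {SCRIPT_OPEN.sub('', name)}</pre>"


def render_encoded(name: str) -> str:
    """The real fix: entity-encode untrusted data for the HTML body context.
    Browsers render &lt;script&gt; as text; they never execute it."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


# Rough check used only by this demo: does the page still contain a live
# <script> tag, or an element with an on*= event-handler attribute?
# Encoded output has no '<' at all, so it can never match.
LIVE_MARKUP = re.compile(r"<script|<[a-z][^>]*\son\w+\s*=", re.IGNORECASE)


def executes(page: str) -> bool:
    """True if the rendered page still carries executable markup."""
    return LIVE_MARKUP.search(page) is not None


if __name__ == "__main__":
    for label, render in (("low", render_low), ("high", render_high),
                          ("encoded", render_encoded)):
        for payload in (SCRIPT_PAYLOAD, EVENT_PAYLOAD):
            page = render(payload)
            print(f"{label:8} executes={executes(page)!s:5} {page}")
```

The check is deliberately crude (a real test renders the page in a browser), but it is enough to show that render_high stops the lab's payload and nothing more, while render_encoded stops both.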

Exercise 5. Stored Cross-Site Scripting

Description:
Stored cross-site scripting can happen when user input is saved by the application (here, in the
guestbook table) and later rendered, unencoded, into pages shown to other users, so the script runs
for every visitor rather than only for the person who submitted it.

In Kali
52. In DVWA, check that the Security Level is Low (the security level is displayed in the
bottom left corner of the web page).
53. In the left hand menu, click on XSS (stored).
54. Type a name in the Name textbox.
Type the following for the Message and click Sign Guestbook.

<script>alert("haha");</script>

Now every time anyone clicks on XSS (Stored) to see the Guestbook, the popup will
appear, because the script is part of the stored guestbook entry that the page renders.

55. To reset the database, click on Setup / Reset DB and click Create/Reset Database.


56. Click on XSS (Stored).


57. For Name, type “Members”.
Type the following for the Message and click Sign Guestbook.

<input type="submit" value="Members, click here">

A fake button has been created, and it is served to every visitor of the guestbook. An attacker may
wrap such a button in a form or link that leads to his own website, and visitors who are not careful
will click it.

58. To reset the database, click on Setup and click Create/Reset Database.

Exercise 6. Cross-Site Request Forgery (CSRF)

Description:
Cross-site request forgery can happen when a user is logged in to a trusted site and the attacker
causes the user's browser to send a request to that site that the user did not intend. The browser
attaches the session cookie automatically, so the site cannot tell the forged request from a genuine one.

In Kali
59. In DVWA, check that the Security Level is Low (the security level is displayed in the
bottom left corner of the web page).
60. In the left hand menu, click on CSRF.
61. Check that the Security Level is Low (the security level is displayed in the bottom left
corner of the web page)
62. Right-click anywhere in the form and select View Source. The HTML source of the page
will be displayed in a window.
63. Scroll down until you see the form for entering the new password. Note that the form
method is "GET", which means the user input is passed through a query string in the
URI. Any page that can make the browser fetch that URI can therefore submit the form.

<h3>Change your admin password:</h3><br>


<form action="#" method="GET">

64. Close the Source Code window.


65. Enter “password” for the New and Confirm password, and click Change.
66. Take note of how the new password values are passed in the URI textbox (see following
diagram).


67. Click on Applications menu, Favorites, Leafpad, to start a text editor. Create a new file
"csrf.html" with the following contents.

This is a very new web page.
<img width="1" src="http://127.0.0.1:8080/dvwa-1.9/vulnerabilities/csrf/?password_new=12345678&password_conf=12345678&Change=Change">

Change 127.0.0.1 to the IP of your Win2008R2 image. The image source is set to the URI displayed
when you changed the admin password, with password_new and password_conf changed to a new value
like "12345678". The image width is set to 1 so it won't get noticed on the displayed web page.

68. Save the csrf.html file. (You can save it to the Desktop of your Kali)
69. While you are still logged in to the DVWA website, double-click on the csrf.html file so that
it opens in the same web browser. The browser automatically requests the image URL and sends
the DVWA session cookie with it, so the server changes your DVWA admin password. This depends
on the cookie being sent on a cross-site request: browsers that default cookies to SameSite=Lax,
as Chromium-based browsers have since 2020, would not attach it to this image request and the
attack would fail.
70. In the DVWA website, click on Logout.
71. Try to login again as user “admin” and password “password”. You are not able to login as
the password has been changed to “12345678” when the csrf.html was loaded.

An attacker may send phishing emails that lure users into clicking links to pages carrying such
CSRF attacks while the users are logged in to the target site.

72. Login to DVWA. Click on CSRF and change the password back to "password".

73. Set the Security Level to High.


74. Click on CSRF and click on View Source.
When the Security Level is High, the form includes a random per-session anti-CSRF token
(user_token) and the web application checks it before a password change is allowed. A page
on another site cannot read that token, so the forged request in csrf.html is rejected.

75. Set the Security Level to Impossible.


76. Click on CSRF.
For better security, the user should also be asked to enter his current password before a
password change is allowed. The Impossible level does this in addition to the token check, so
even a stolen token is not enough on its own.


Exercise 7. Command Injection


Description:
The DVWA web application allows the user to ping another system by passing the entered address to
the operating system's ping command through a shell. Because the input is appended to the command
line unchecked, it can also be used to execute other commands.

In Kali
77. In DVWA, set the Security Level to Low.
78. In the left hand menu, click on Command Injection.
79. Type in the IP of your Kali image or other image. The results of the ping will be displayed
after a few seconds.
80. Type in an IP, followed by " && dir c:\" (see diagram) and click Submit.

You will see the directory listing of the C drive of the Win2008R2 server. The shell treats &&
as a command separator: it runs ping, and when ping succeeds it runs dir c:\ as well. Other
separators (a single &, |, or ; on a Linux target) work the same way, so filtering only "&&"
would not fix the problem.

A hacker could run any command the web server's account is allowed to run: read files, delete
files, add users, etc.
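The following is an added example (not part of the lab, and not DVWA's code) that shows in Python the same mistake the ping page makes, the weak fix of blacklisting "&&", and the fix that actually holds: validate the target against an allowlist (an IP literal or a hostname) and run ping without a shell so the input can only ever be one argument. The ping flag -c assumes a Linux ping; Windows uses -n.

```python
import ipaddress
import re
import subprocess

# Hostname grammar (RFC 1123 style): labels of letters, digits and hyphens.
HOSTNAME = re.compile(r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
                      r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.IGNORECASE)

# Characters that change how a shell parses a command line.
SHELL_METACHARS = set("&|;`$(){}<>\n\r")


def ping_cmdline_vulnerable(target: str) -> str:
    """Mirrors DVWA 'low': the input is glued onto a command string that is
    handed to the system shell (shell_exec). The shell, not ping, sees '&&'."""
    return "ping " + target


def naive_blacklist_blocks(target: str) -> bool:
    """A fix that only looks for the operator used in the lab. It stops
    ' && dir c:\\' and nothing else; '|' or ';' sail straight through."""
    return "&&" in target


def contains_metachars(target: str) -> bool:
    """Broader detection, useful for scanning request logs for attempts."""
    return any(c in SHELL_METACHARS for c in target)


def validate_target(target: str) -> str:
    """Allowlist validation: accept an IP literal or a hostname, reject all
    else. Raises ValueError without echoing the input back."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME.match(target):
        return target
    raise ValueError("target must be an IP address or hostname")


def is_valid_target(target: str) -> bool:
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def ping_argv(target: str) -> list:
    """Build argv for ping without a shell. The validated target becomes one
    argument; there is no command line for a separator to split."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str) -> str:
    """Execute without shell=True. Even a metacharacter that slipped through
    validation would reach ping as data, never as a second command."""
    result = subprocess.run(ping_argv(target), capture_output=True,
                            text=True, timeout=10)
    return result.stdout + result.stderr


if __name__ == "__main__":
    for t in ("192.168.16.125", "192.168.16.125 && dir c:\\",
              "192.168.16.125 | whoami", "win2008r2.lab"):
        print(f"{t!r:35} vulnerable cmdline={ping_cmdline_vulnerable(t)!r}")
        print(f"{'':35} blacklist blocks={naive_blacklist_blocks(t)}, "
              f"metachars={contains_metachars(t)}, valid={is_valid_target(t)}")
```

The order matters: validation rejects anything that is not an address, and the argv form removes the shell from the picture entirely, so each defence covers a gap in the other. The blacklist on "&&" is shown only to make clear why it is not a fix.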

Exercise 8. SQL Injection

In Kali
81. In DVWA, check that the Security Level is Low.
82. In the left hand menu, click on SQL Injection.
83. For the User ID, type in "1", "2", "3", etc, to see the user details displayed.

The SQL statement for retrieving the user record is probably something like the following :
select firstname, surname from user where userid = '$id'

So when you type 1 for the User ID, the SQL statement becomes:
select firstname, surname from user where userid = '1'

84. Type in the following for the User ID (see diagram).


ppp' or '0' = '0

The SQL statement now becomes


select firstname, surname from user
where userid = 'ppp' or '0' = '0'


The SQL statement will retrieve all the users from the database table so you will see a list
of all the users displayed.

85. Can we get more information about the users? There should be a database table
containing the user information. What would be the name of this database table containing
user information?

Let’s assume the database table name is “user”.

86. Type in the following for the User ID.


ppp' or '0' = '0' union select userid, user from user #

The SQL statement now becomes


select firstname, surname from user where userid = 'ppp' or '0' =
'0' union select userid, user from user #'

The # sign in MySQL means to treat the rest of the line as a comment, so the closing quote that
the application appends after the user input is ignored.

However, we get an error message that the table “dvwa.user” does not exist. So the name
of the database table is not “dvwa.user”.

Let's try the database table name "users".

87. Type in the following for the User ID.


ppp' or '0' = '0' union select userid, user from users #

Now the error message is that the column “userid” is unknown. Let's try “user_id” for the
column name.

88. Type in the following for the User ID.


ppp' or '0' = '0' union select user_id, user from users #

This time we got it right. Records displaying the User IDs and Users are displayed at the
end.

(Diagram: the list of User IDs and Users returned by the second select query appears at the end of the results.)


89. Can we display passwords?


Type in the following for the User ID.
ppp' or '0' = '0' union select user_id, password from users #

Hashed passwords are now displayed.


How can we crack the hashed passwords?

90. Create a new text file and on a single line, enter the User ID, followed by a colon, and
then copy the hashed password. Repeat for the other users (see following diagram). This
"login:hash" layout is the one John the Ripper reads; the part before the colon is only a label.

91. Save the file as passwd.txt.
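To show why the error messages in steps 86 to 88 are so useful to an attacker, and what the parameterised fix looks like, here is an added example (not part of the lab) that rebuilds the exercise against an in-memory SQLite database. The users table, column names and seed data are constructed to match what the lab discovers (DVWA's five default logins and MD5 hashes); the only deliberate difference from MySQL is the comment marker, since SQLite accepts -- where MySQL accepts #.

```python
import hashlib
import sqlite3

# Constructed stand-in for DVWA's users table: the logins and default
# passwords of the DVWA 1.9 seed data, hashed with MD5 as DVWA does.
SEED = [(1, "admin", "admin", "admin", "password"),
        (2, "Gordon", "Brown", "gordonb", "abc123"),
        (3, "Hack", "Me", "1337", "charley"),
        (4, "Pablo", "Picasso", "pablo", "letmein"),
        (5, "Bob", "Smith", "smithy", "password")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
                 "first_name TEXT, last_name TEXT, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                     [(i, f, l, u, hashlib.md5(p.encode()).hexdigest())
                      for i, f, l, u, p in SEED])
    return conn


def lookup_vulnerable(conn, user_id: str):
    """DVWA 'low': the parameter is spliced into the SQL text. Returns the
    rows, or the database's own error message (DVWA shows that to the user
    as well, which is what makes the table and column guessing work)."""
    sql = ("SELECT first_name, last_name FROM users "
           "WHERE user_id = '" + user_id + "'")
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as e:
        return str(e)


def lookup_safe(conn, user_id: str):
    """Parameterised query: the value is bound as data and can never change
    the shape of the statement, so the payloads below return nothing."""
    return conn.execute("SELECT first_name, last_name FROM users "
                        "WHERE user_id = ?", (user_id,)).fetchall()


# The lab's payloads, step by step, with SQLite's '--' in place of MySQL's
# '#'. Both comment out the closing quote the application appends.
TAUTOLOGY = "ppp' or '0' = '0"
GUESS_TABLE_USER = TAUTOLOGY + "' union select userid, user from user --"
GUESS_COL_USERID = TAUTOLOGY + "' union select userid, user from users --"
DUMP_LOGINS = TAUTOLOGY + "' union select user_id, user from users --"
DUMP_HASHES = TAUTOLOGY + "' union select user_id, password from users --"


if __name__ == "__main__":
    conn = make_db()
    for label, payload in (("step 84", TAUTOLOGY), ("step 86", GUESS_TABLE_USER),
                           ("step 87", GUESS_COL_USERID), ("step 88", DUMP_LOGINS),
                           ("step 89", DUMP_HASHES)):
        print(label, "->", lookup_vulnerable(conn, payload))
    print("parameterised ->", lookup_safe(conn, TAUTOLOGY))
```

Each error message narrows the search: "no such table" confirms the table name is wrong, "no such column" confirms the table name is right. Suppressing database errors in production removes that oracle, but only parameterisation removes the injection.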

Exercise 9. Password Cracking using John the Ripper

Description :
John the Ripper is a popular password cracking tool; it runs on Linux (it is preinstalled on Kali) and other platforms.

In Kali
92. Try using John the Ripper to crack the hashed passwords in your passwd.txt file.

(Diagram: the john command line, showing the path to your passwd.txt, and the list of suggested hash formats that John prints when it cannot identify the hash type.)

93. If John the Ripper does not seem to return any results, press Control-C to stop it.


94. Try running John the Ripper with the various suggested hash formats. (Hint: try the raw-
md5 format.)
john --format=raw-md5 /root/passwd.txt

When the right password hash format is used, John the Ripper can crack these hashes very quickly:
raw MD5 is fast to compute and the DVWA passwords are common dictionary words.
If the password hash format is not specified, John the Ripper guesses it from the appearance of
the hash. A 32-hex-digit hash matches several formats (raw-MD5, NT, LM and others), so the guess
can be wrong and the hashes may never crack; specify --format explicitly whenever you know where
the hashes came from.

Exercise 10. Path Inclusion

Description :
DVWA's file inclusion page loads whichever file is named in the URL. Two things go wrong.
When the named file does not exist, the PHP error message discloses the full path of the web
resources on the web server, which tells potential attackers how web pages and other resources
are stored. And because the file name is taken from the URL unchecked, other files on the server
can be included and read.

In Kali
95. In DVWA, set the Security Level to Low.
96. In the left hand menu, click on Path Inclusion.
97. Change the URL to request a non-existent page. For example, change "include.php" to
"include2.php" in the URL.

98. Note that the displayed error message contains the full path to the page:
c:\xampp\htdocs\DVWA-1.9.

Can we change the URL to browse to other files on the web servers?

99. Change the URL to the following to view the configuration file of the Apache Web Server.

100. While the format of the config file may not seem easy to read at first glance (the browser
collapses its line breaks), an experienced attacker will save the file and open it in a text
editor to find important information such as the document root and which modules are enabled.

101. Change the DVWA Security level to High and repeat the request for a non-existent page.
This time, the error message does not give away any information about the path or pages
on the web server.
