Web Applications Introduction

Overview

The purpose of this activity is to get you acquainted with the overall layout of several web applications. You will also be getting familiar with our testbed for the Fuzzer project.

Setup Options

This activity is easier for groups of 2-3 people than by yourself.

You may want to do the activity in Firefox since Chrome has some built-in protection mechanisms.

To get this environment set up, you have these options:

  • Windows Portable Zip.
    • Pro: The simplest, most reliable option.
    • Con: Requires Windows
    • We recommend this option if you are in the SE labs or if you have a Windows device
  • RLES Setup
    • Pro: If you have a Mac or Linux, or you just don’t want to install anything locally
    • Con: Requires a reliable internet connection
    • Con: Not much is installed on the VM, so if you need more, you will need to install it yourself.
  • Docker installation
    • Con: Docker is beautiful when it works, and quite painful when it doesn’t
    • Pro: Learning Docker is a good use of your time, even if it’s not an objective of this course – but make sure you have the time available to learn about it on your own.
    • Pro: Your Fuzzer project will interact directly with this exact image, so your environments will match up perfectly
  • Install Apache + MySQL + DVWA yourself
    • Con: Takes the longest, you’re on your own (although your instructor can usually help you), you’re learning things about computers not directly related to this course
    • Pro: Still is a good use of your time. Learning how to install a PHP application with a database and web server is a very useful skill.

Windows Portable Zip Setup

  1. Download our XAMPP portable installation. It’s a ~250mb zip file you can download from myCourses under Content > DVWA Web App
  2. Unzip it
    • We recommend using 7-zip if you have it - much faster than Windows unzip.
    • For Windows, to minimize your editing of config files, we suggest unzipping into c:/xampp, so your install path, once unzipped is c:/xampp/xampp-portable/.... Having spaces in the filenames can sometimes mess things up. When this project is done, you can simply delete the folder with no side-effects anywhere else on your system (that’s what it means for this to be a portable installation)
  3. Go to your unzipped XAMPP directory, and run setup-xampp.bat. This will open up a console and go through a couple of tests. It will eventually ask you if you want to “refresh” (option 1). Take that option, and the setup will finish. (Yes, you may see some German in there too.)
  4. Start the XAMPP server processes. There are two ways:
    • Run apache_start.bat and mysql_start.bat from Explorer. Close the console windows when you’re done. OR
    • Use xampp_start.exe and xampp_stop.exe. Run these from a Command Prompt.
    • IMPORTANT NOTE: some of these may ask for administrator privileges to open up the firewall. Do not allow this - hit Cancel when XAMPP asks for administrator access. Even if you’re on your own machine, you don’t want to expose it to the network as a server hosting vulnerable web applications.

RLES Setup

RLES is a cluster of servers that host virtual machines that you can connect to.

  1. Sign into https://rlescloud.rit.edu/ using your RIT username and password.
  2. Request a “Windows 10 machine on the NAT network”
  3. Wait until the server is provisioned. This can take a few minutes
  4. Connect to your machine remotely.
    • Once your machine is powered on, on the Deployments page, click on the gear icon next to your image.
    • You’ll see options like “Connect to Remote Console”, which connects you using the browser. RLES supports a variety of ways of connecting remotely - use what makes sense to you.
    • Sometimes your browser will block the connection as a pop-up - be sure to check that if nothing happens after you attempt to connect.
  5. Once you connect, you will need a password to the “Student” user, which is “student”.
  6. Once you are in your new machine, go to myCourses within that machine and download xampp-portable.zip from the Content section. Follow the above steps for Windows.

Docker

Docker is a containerization tool for setting up isolated environments without using a full virtual machine. It is popular in build servers for Continuous Integration / Continuous Delivery (CI/CD) pipelines.

If you are brave enough to put up with Docker, you can get our image from DockerHub. Use this command:

docker run --rm -it -p 80:80 andymeneely/swen331fuzzer

In our Fuzzer project, we will be running your tests against this Docker image in the continuous integration service.

Note: Docker is beautiful and easy when it works, and painful if it doesn’t. It can mess with other virtualization software you have installed and can be complex. Learning how to install and configure Apache, MySQL, and DVWA is not a waste of your time either - you’ll learn about how web works that way too. But – you will need to do most of it on your own!

Your Own Setup

Many students in the past have installed Apache, MySQL, and DVWA locally. Here are some useful resources for that:

Activity

Once you’ve got the environment set up,

  1. Create a Google document with the title “Web Application Vulnerabilities”. Share with your group members. Optional: Share it with your instructor and course assistant.
  2. Start up a browser and go to http://127.0.0.1 (Note: http://localhost will not always work with this setup, but it might work). Note the passwords for the various intentionally-vulnerable apps.
  3. Log in to Damn Vulnerable Web Application. This is an interactive site for learning how to exploit various web application vulnerabilities.
  4. Go to DVWA Security, and change the security level to “low”.
  5. Go to Setup, and hit “Create/Reset Database”
  6. Go to SQL Injection, and construct an exploit for returning all user names in the table. Here are a few hints:
    • Start by just trying to guess one user ID to get this function to work properly
    • Try to force a MySQL syntax error. You know you’re on the right track if you get this error!
    • Challenge yourself to not look at the source code and construct your exploit blindly. But, if you get stuck, you can view the PHP source. Copy the query into a text editor and replace $id with the text needed for a query that returns all rows in a table.
  7. In your document, answer the following:
    • As a tester, how would you know that a potential SQL injection vulnerability exists?
    • As a code reviewer, what should you be looking for to avoid SQL injection?
    • Construct an exploit that does more than just list usernames. Provide that exploit in your GoogleDoc.
    • Switch the DVWA to “medium”. Does your exploit still work? Make another one that does work.
    • Take a look at the solution for “high” security. Under what conditions might SQL injection still work?
  8. Switch the security level back to “low”.
  9. Now let’s practice XSS. Go to XSS reflected and attempt a simple XSS (as demonstrated in class). Answer the following in your document:
    • How might a tester recognize an XSS vulnerability?
    • Use the Developer Tools in the browser to modify the maximum length of the input fields for XSS. Why does this work? How might you prevent larger inputs if you were the developer?
    • Switch the security level to “medium”. Construct an XSS exploit that will work under “medium” security. Put this into your GoogleDoc.
    • Now construct a phishing exploit that creates an extra form on the page that submits to an external site. Note: this won’t require scripting per se, but some HTML knowledge. Ask around if you need a refresher on HTML. Put your XSS phishing exploit in your GoogleDoc.
  10. If time allows, construct an exploit for Command Execution. Log that into your document.
  11. You can also play with a new vulnerable app called bWAPP. Go to http://127.0.0.1 and install bWAPP first. Then go back and enter the site with the appropriate credentials and play around with it. We won’t be using bWAPP in our projects, but it is worth your time to play around with it.
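The code-reviewer questions in steps 7 and 9 (what to look for to avoid SQL injection, and how a developer would really enforce an input limit against XSS) are easiest to answer with the vulnerable pattern next to its fix. The following is an added example written for this page; it is not DVWA’s own source and the function names, the `users` table columns, and the `$max_len` limit are assumptions chosen for illustration. It shows, in the same PHP/mysqli style DVWA uses, why string-built queries and raw echoes are the things to flag in review, and what the hardened versions look like.

```php
<?php
// Added example, not DVWA's own code. Function names, the users table
// columns and the length limit are assumptions for illustration only.

// ---- SQL injection: what a reviewer looks for ----

// VULNERABLE: the request parameter is spliced into the SQL text, so whoever
// controls $id controls the structure of the query, not just a value in it.
// Any query built by concatenation or string interpolation is the pattern to
// flag in review. Echoing $db->error to the user on failure (as the "low"
// level does) also hands a tester the syntax-error signal step 6 hints at.
function lookup_user_vulnerable(mysqli $db, string $id): ?array {
    $query  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = $db->query($query);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : null;
}

// HARDENED: a prepared statement sends the query text and the parameter to
// MySQL separately, so the value can never change the statement's structure.
// Validating the id as digits first rejects anything that is not an id at all,
// and the database error text stays on the server (log it, do not echo it).
function lookup_user_hardened(mysqli $db, string $id): ?array {
    if (!ctype_digit($id)) {
        return null; // not a numeric id: refuse before touching the database
    }
    $uid  = (int) $id;
    $stmt = $db->prepare("SELECT first_name, last_name FROM users WHERE user_id = ?");
    if ($stmt === false) {
        error_log("lookup_user: prepare failed: " . $db->error); // server-side only
        return null;
    }
    $stmt->bind_param("i", $uid);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// ---- Reflected XSS: output encoding and a server-side limit ----

// VULNERABLE: the parameter is echoed straight into the HTML response. A
// maxlength attribute on the form is only a browser-side hint; Developer
// Tools (or any HTTP client) can ignore it, which is why editing it "works".
function greet_vulnerable(string $name): string {
    return "<pre>Hello " . $name . "</pre>";
}

// HARDENED: enforce the length on the server, the only place a limit actually
// holds, and encode the value for the HTML context it is inserted into.
function greet_hardened(string $name, int $max_len = 20): string {
    if (strlen($name) > $max_len) {
        return "<pre>Name too long</pre>";
    }
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<pre>Hello " . $safe . "</pre>";
}

// Usage sketch (assumes a mysqli connection $db to a DVWA-style database):
//   $rows = lookup_user_hardened($db, $_GET['id'] ?? '');
//   echo greet_hardened($_GET['name'] ?? '');
```

When you compare DVWA’s “low”, “medium” and “high” sources in step 7, check each one against the two properties above: does user input ever become part of the SQL text, and does the page reveal database errors? A level that only escapes quotes or restricts the input form still fails the first property, which is the condition under which injection keeps working.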

Submission & Grading

Submit your document (converted to MS Office or PDF) to myCourses.

This will not be graded.