Web Applications Introduction
Overview
The purpose of this activity is to get you acquainted with the
overall layout of several web applications.
Setup
This activity is for groups of 2-3 people.
Activity
- Prior to the activity (preferably during the lecture), download our XAMPP portable installation and unzip it (this can take 10 minutes, which is why we want you to start early).
- When the activity has started, go to your unzipped XAMPP directory and run setup-xampp.bat. This will go through a couple of tests, and will eventually ask you if you want to "refresh" (option 1). Take that option, and the setup will finish.
- Create a GoogleDoc called "Web Application Vulnerabilities" and share it with the instructor.
- Run the following. Note: some of these may ask for administrator privileges to open up the firewall; do not allow it! Even if you're on your own machine, you don't want to expose your machine, now serving vulnerable web applications, to the network.
  - apache_start.bat - as it runs, XAMPP will ask for administrator access; hit Cancel (even if you're on your own machine, there is no need to expose yourself as a server on the network).
  - catalina_start.bat - this starts the Tomcat server for Java web applications.
  - mysql_start.bat - this starts the MySQL relational database system.
- Start up a browser and go to http://127.0.0.1
(http://localhost will not always work with this setup).
- Log in to Damn Vulnerable Web Application. This is an interactive tutorial for learning how to exploit various web application vulnerabilities.
- Go to DVWA Security, and change the security level to "low".
- Go to Setup, and hit "Create/Reset Database"
- Go to SQL Injection, and construct an exploit for returning all user names in the table. Here are a few hints:
  - Start by just trying to guess one user ID to get this function to work properly.
  - If you get stuck, the source code is in htdocs\dvwa\vulnerabilities\sqli\source (but try not to look straight there immediately - challenge yourself to get it to work first!).
- In your GoogleDoc, answer the following:
  - As a tester, how would you know that a potential SQL injection vulnerability exists?
  - Construct an exploit that does more than just list usernames. Provide that exploit in your GoogleDoc.
  - Switch the DVWA to "medium". Does your exploit still work? Make another one that does work.
  - Take a look at the solution for "high" security. Under what conditions might SQL injection still work?
- Switch the security level back to "low".
- Now let's practice XSS. Go to XSS reflected and attempt a simple XSS (as demonstrated in class).
- Answer the following in your GoogleDoc:
  - How might a tester recognize an XSS vulnerability?
  - Switch the security level to "medium". Construct an XSS exploit that will work under "medium" security. Put this into your GoogleDoc.
  - Now construct a phishing exploit that creates an extra form on the page that submits to an external site. Note: this won't require scripting per se, but some HTML knowledge. Ask around if you need a refresher on HTML. Put your XSS phishing exploit in your GoogleDoc.
- If time allows, construct an exploit for Command Execution.
Log that into your GoogleDoc.
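For the SQL injection steps above, here is an added miniature (in Python with SQLite, not DVWA's own PHP source; the users table and its rows are constructed) of the two query-building styles the exercise contrasts: a query assembled from the raw input, in the style of the "low" level, beside the bound-parameter fix. The probe() helper shows the database error that a tester watches for when input is being spliced into SQL, and that the fixed version treats the same input as plain data.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a users table (not DVWA's schema or data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "gordon", "brown"), (3, "pablo", "picasso")],
    )
    return conn


def lookup_unsafe(conn, user_id):
    """Query text assembled from the raw input (the style of the 'low' level).

    Whatever the user types is parsed as SQL, so a quote in the input
    changes the statement's structure instead of being compared as data.
    """
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    """The fix: a bound parameter. The driver sends the value separately
    from the statement, so it can only ever be compared, never parsed."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def probe(conn, lookup, user_id):
    """Run one lookup and report what a tester sees: ('ok', rows) or ('error', message).

    A database error that appears only when the input contains a quote is
    the classic first sign that input is being spliced into the SQL text.
    """
    try:
        return ("ok", lookup(conn, user_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for uid in ("1", "1'"):
        print("unsafe", repr(uid), probe(db, lookup_unsafe, uid))
        print("safe  ", repr(uid), probe(db, lookup_safe, uid))
```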
Submission & Grading
This activity is worth 10 points, and your grade is based on
in-class participation. Nothing is due beyond class today, as long as
you are participating and are reasonably close to completion. Your
instructor will check your GoogleDoc before the end of class.