Week 10 Lab
XSS/CSRF Attacks
IMPORTANT NOTES:
Study lecture materials at least 1 hour and prepare Lab Section 3 prior to the lab session to install DVWA. Prepared questions will be discussed in the lab session.
1 Overview
The learning objective of this lab is for students to get familiar with vulnerabilities in, and attacks against, web applications by carrying out XSS and CSRF attacks hands-on.
2 Lab Environment
In this lab we will exploit XSS/CSRF vulnerabilities on an intentionally vulnerable web server using the cloud VM. If you are using the local VM, you can skip Section 3, since the DVWA is already installed.
3 Install DVWA
Copy /srv/fit2093files/dvwa.zip to /var/www/html/ and unzip the archive. Rename the decompressed directory to DVWA. Change the owner and group of the decompressed directory and of all files inside it to the user www-data and the group www-data (the user and the group share the same name, www-data).
sudo cp /srv/fit2093files/dvwa.zip /var/www/html/
cd /var/www/html/
sudo unzip dvwa.zip
sudo mv DVWA-master/ DVWA
sudo chown www-data:www-data -R DVWA/
Follow the instructions in Database Setup and Other Configuration Sections at https://github.com/digininja/DVWA. Here we summarise the necessary steps. Connect to the MySQL server and create the database for DVWA.
sudo mysql
MariaDB [(none)]> create database dvwa;
Query OK, 1 row affected (0.000 sec)
MariaDB [(none)]> create user identified by
Query OK, 0 rows affected (0.033 sec)
MariaDB [(none)]> grant all on dvwa.* to
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> exit;
FIT2093 Week 10 Lab
Change the file permissions:
sudo chmod +w /var/www/html/DVWA/hackable/uploads/
sudo chmod +w /var/www/html/DVWA/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
Change the following PHP settings in /etc/php/7.4/apache2/php.ini. You may run a command-line text editor such as vi or nano with sudo to edit the file.
allow_url_include = On
allow_url_fopen = On
display_errors = On
Rename /var/www/html/DVWA/config/config.inc.php.dist to /var/www/html/DVWA/config/config.inc.php:
sudo mv /var/www/html/DVWA/config/config.inc.php.dist /var/www/html/DVWA/config/config.inc.php
Restart the Apache web server to make the changes above effective:
sudo /etc/init.d/apache2 restart
Open a web browser and access http://127.0.0.1/DVWA/setup.php. The information shown on the page should be similar to the following screenshot. If it is not, check whether any of the steps above has been missed. Click the Create / Reset Database button.
4 Lab Tasks
Open the Firefox web browser and type http://127.0.0.1/DVWA in the address bar. Please note that the URL is case-sensitive. This should open the login page. Use admin as the username and password as the password. Once logged in, scroll down the page and find DVWA Security in the left pane.
Click DVWA Security and, on the page that opens, change the security level to low, then click Submit.
Read about the different types of CSRF attacks:
https://owasp.org/www-community/attacks/csrf
Make sure the Security Level is set to low. In the left pane click CSRF and perform the following steps.
1. Enter the same password in both text boxes and click the Change button. Notice the change in the URL. How would you forge such a link so that visiting it changes the admin password? You may need to log out and log in again to verify that the admin password has actually been changed.
2. Now set the Security Level to medium and repeat the previous step. View the source using the provided button. What check does the given code perform to prevent the previous simple CSRF attack?
To get around this check, we need to forge a malicious HTTP request. We can use the Burpsuite tool, which runs a local proxy server that intercepts the HTTP requests sent from the web browser to the server and lets us modify them before they are forwarded.
To make Firefox use a local proxy server, one setting must be changed. Open about:config in Firefox and set network.proxy.allow_hijacking_localhost to true.
First, install Burpsuite. Copy the installer /srv/fit2093files/burpsuite_community_linux_v2021_12_1.sh to your home directory, make the file executable and run the installer. Follow the on-screen instructions.
cp /srv/fit2093files/burpsuite_community_linux_v2021_12_1.sh ~
chmod +x burpsuite_community_linux_v2021_12_1.sh
./burpsuite_community_linux_v2021_12_1.sh
Then, open a terminal and run the following command to launch Burpsuite:
java -jar ~/BurpSuiteCommunity/burpsuite_community.jar
Ignore all the warnings. Use the default settings to create a temporary project and start Burpsuite. Click the Proxy tab. Make sure the button reads Intercept is on.
Now go to the Preferences of the Firefox web browser. Change the Network Settings and add the following proxy server:
Access the URL forged in the previous simple CSRF attack in the web browser. Burpsuite will intercept the HTTP request sent from the web browser to the server:
Based on your finding from the source code, what field in the HTTP request header should you add/modify to get around the check?
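As an added illustration (not part of this handout and not DVWA's code) of the defence the CSRF task builds towards, the following Python sketch models a password-change handler that accepts only POST requests carrying a per-session anti-CSRF token, and shows how a forged link, a token-less request, a legitimate submission and a replay are each treated. The field names password_new, password_conf, Change and user_token are chosen to mirror DVWA's change-password form and are assumptions here.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session state for one logged-in user (constructed for this demo)."""
    user: str
    password: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def render_change_form(session: Session) -> dict:
    # The server embeds the session's secret token in the form it serves; a page on
    # another origin cannot read this value, so it cannot build a complete request.
    return {"password_new": "", "password_conf": "", "user_token": session.csrf_token}


def change_password(session: Session, method: str, params: dict) -> tuple[bool, str]:
    """Hardened handler (assumed logic, not DVWA's source). Returns (accepted, reason)."""
    if method != "POST":
        # A state change reachable through a plain link (GET) is what a forged URL abuses.
        return False, "state change must be POST, not a GET link"
    if not hmac.compare_digest(params.get("user_token", ""), session.csrf_token):
        return False, "missing or wrong anti-CSRF token"
    if params.get("password_new") != params.get("password_conf"):
        return False, "passwords do not match"
    session.password = params["password_new"]
    session.csrf_token = secrets.token_hex(16)  # rotate so a captured token cannot be replayed
    return True, "password changed"


def demo() -> tuple:
    s = Session("admin", "password")
    forged = {"password_new": "hacked", "password_conf": "hacked", "Change": "Change"}
    r_get = change_password(s, "GET", forged)        # low-level style: a forged URL
    r_notoken = change_password(s, "POST", forged)   # right method, right fields, no token
    form = render_change_form(s)                     # legitimate user loads the real form
    form.update(password_new="newpass", password_conf="newpass")
    r_ok = change_password(s, "POST", form)
    r_replay = change_password(s, "POST", form)      # resubmitting the stale token fails
    return r_get, r_notoken, r_ok, r_replay, s.password
```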
4.2 Reflected XSS Attack
Read about the different types of XSS attacks:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)#Stored_and_Reflected_XSS_Attacks
Open DVWA. Make sure the Security Level is set to low. In the left pane click XSS (Reflected) and perform the following steps.
1. Enter the following in the text box:
and submit. Explain the result.
2. Now set the Security Level to medium and repeat the previous step. View the source using the provided button. What function in the given code prevents the use of
and submit. Explain the result.
3. If you succeeded in bypassing the medium security level, now set the Security Level to high. Does your previous workaround succeed at this level? Click the View Source button and observe the change. Enter the following in the text box:
and submit. Explain the result.
4. If you succeeded in exploiting the high security level, change the Security Level to impossible. Try the exploit from the previous step. Does it succeed at this security level? Look at the source: what changes were made?
Further Exploitation: Stored XSS Attack
Now set the Security Level back to low and click XSS (Stored) in the left pane. Can you launch a stored XSS attack using a script similar to the one from the reflected XSS task?
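As an added example (not from this handout or from DVWA's source) of the defensive point behind both XSS tasks: a filter that strips one known tag is a blacklist, while output encoding makes the user-controlled text inert regardless of what it contains. The naive filter below is a constructed stand-in for such a blacklist, and the check tests the property a safe renderer must guarantee.

```python
import html


def strip_script_tag(name: str) -> str:
    # Naive blacklist filter (constructed stand-in, not DVWA's code): drop the one
    # literal tag it knows about and pass everything else through untouched.
    return name.replace("<script>", "")


def render_naive(name: str) -> str:
    return "<pre>Hello " + strip_script_tag(name) + "</pre>"


def render_encoded(name: str) -> str:
    # Context-aware output encoding for an HTML text node: every character that
    # could open or close markup becomes an entity, whatever the input was.
    return "<pre>Hello " + html.escape(name, quote=True) + "</pre>"


def user_part_is_inert(rendered: str) -> bool:
    # The property to guarantee: the user-controlled segment between the fixed
    # wrapper contains no character that can start or end a tag or attribute.
    inner = rendered[len("<pre>Hello "):-len("</pre>")]
    return not any(c in inner for c in "<>\"'")


# Constructed sample inputs: a benign name, the classic script payload, and an
# ordinary HTML tag that the blacklist knows nothing about.
SAMPLES = ["Alice", "<script>alert(1)</script>", "<b>bold</b>"]


def evaluate(renderer) -> dict:
    """Map each sample input to whether the renderer kept it inert."""
    return {s: user_part_is_inert(renderer(s)) for s in SAMPLES}
```

Running evaluate on both renderers shows the blacklist only passes the benign name, while the encoded renderer passes every sample.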