University of Reddit: Web Application Hacking with DVWA: Lesson 1 – Getting Started and reflected XSS

Preamble

In this course, we learn about the very exciting world of web application testing. In recent years, web applications have become widespread to the point of ubiquity, with banks, retail, social networks and more using them. Here, we learn to identify and exploit vulnerabilities in web applications in order to enhance security.

In the first Spiderman film, Ben Parker says ‘With great power comes great responsiblity’. The same is true with the skills you will learn in this course. Do not use these techniques on any systems or websites that you don’t own yourself, or have permission to use them on. Neither I, nor Condé Nast, nor University of Reddit, nor the makers of DWVA are responsible for anything illegal you do with the skills you learn from this course.

Act responsibly, have fun and I hope you find this course rewarding.

Introduction

Hi. My name is Matthew Hughes and I’ll be your tutor for this course. I’m a first year (going on second year) student at Northumbria University in the UK, studying Ethical Hacking for Computer Security.

In this course, we will learn about a selection of the avenues of attack used by hackers to break in to popular web applications. We will do it by using a popular tool called DVWA that replicates the common vulnerabilities found in many poorly designed and developed websites, allowing us to learn about the attack methodologies used by black hat hackers.

Why is penetration testing so important?

Imagine you’re a boat maker. Now, one of the most important functions of a boat is to not sink. When a boat maker makes a boat, he’ll check the hull for any holes so that there’s no chance of water seeping in and submerging the vessel.

The job of an ethical hacker/penetration tester is similar to that of a boat maker. You’re looking for weaknesses, not out of malice, but out of an obligation to protect whoever relies on the system being tested.

Everything, from our vital infrastructure, to online and high street retail relies on computers, the vast majority being networked and on the internet. This presents an enticing opportunity for hackers who would seek to disrupt our way of life for either financial gain or ideological reasons. Penetration testing exposes vulnerabilities, so that they can be repaired before they are exploited.

Penetration testing isn’t important. It’s vital.

Lesson Objectives

1.) Learn how to install XAMPP and DVWA.

2.) Learn how to recognize and exploit reflected cross site scripting.

Getting Started and General Prerequisites

There are a few prerequisites. First of all, you have to have a computer running either the GNU/Linux or FreeBSD operating system. For those of you who have a system running Windows, you have two choices. Download a copy of Sun Virtualbox and install Ubuntu in the virtual machine, as explained here. A quicker and easier way is to go to wubi.com and install Ubuntu to your computer by using that. A guide to installing Ubuntu Linux can be found here. If you have a computer running GNU/Linux or FreeBSD, you can skip this step.

NB: Although we can run the XAMPP web server on Microsoft Windows, for the sake of giving everyone the same experience and content in the lessons, we’re going to be using Linux/FreeBSD. I’ve also heard horror stories of getting XAMPP working on certain versions of Windows, so it’s easier for everyone involved if everyone is starting from the same point.

NB: If you’re on a Mac, you’ll have to use Virtualbox or VMWare. Wubi is Windows only.

The second, most obviously, is a copy of XAMPP. XAMPP is free, open source software and can be downloaded from here, along with instructions for a successful installation. XAMPP is a bundling of the software you’ll need to get started, including Apache, MySQL, PHP and more.

One installed, download a copy of DVWA. Unzip it, and copy the contents to the ‘htdocs’ folder where you installed XAMPP. Congratulations. You’ve just installed DVWA. Give yourself a big pat on the back.

NB: From personal experience, I’ve found that when copying DVWA in to the ‘htdocs’ folder, you can hit in to a few obstacles. To remedy this, you will have to run a simple command on the root of the ‘Lampp’ folder or the ‘htdocs’ folder. This command is simply ‘Chmod a+rwx’.

What is Cross Site Scripting (XSS)?

According to the OWASP Top 10, 2007 Edition, ‘XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites and possibly introduce worms, etc’.

In this lesson, we will be looking at reflected cross site scripting. This is basically user submitted data reflected back at the user. There are two other kinds, known as DOM and stored cross site scripting. This will be expanded upon in later lessons.

Testing for Reflected Cross Site Scripting (XSS)

With everything set up and XAMPP running, go to http://localhost/dvwa. Log in to DVWA with the username ‘admin’ and password ‘Password’. If you’re not made the automatic database yet, go ahead and make that.

If the DVWA database isn't set up, you'll see this.

Once that’s done, navigate to DVWA Security and change the security value from ‘high’ to ‘low’. Now, you’re ready to get hacking.

Navigate to ‘XSS Reflected’ and type in ‘<plaintext>’ and press enter. You’ll see a whole bunch of code. Congratulations, that shows that there is an XSS vulnerability.

Now, type in <script>alert(‘xss’);</script>. Embedded within the two HTML script tags lies a piece of Javascript that brings up a browser alert with the message  ‘xss’.

What’s happened here is that the web application renders the code you provided. Reflected cross site scripting isn’t just making fancy little pop ups. It can be passed on to other end users and can cause some real damage.

Conclusion

In this lesson, we should have an understanding of what DVWA is, why penetration testing is important, how to set up XAMPP and DVWA and also have a basic understanding of how reflected XSS works, how to test for it and how to exploit it.

The next lesson will move on to stored XSS and SQL injection. It’s advisable that anyone who is not too familiar with SQL reads this tutorial.

Homework

Go to http://ha.ckers.org/xss.html and play around with the code snippets provided. Just get an understanding of DVWA and what XSS is.

Addendum

A lot of people are going to find the pace of this course frustrating. I aim to release a lesson every week, but realistically, that won’t be enough for some people. I therefore am going to suggest that people buy a copy of The Web Application Handbook by Daffyd Stuttard or the OWASP Testing Guide 3.0. Both are very worthwhile books for any web application hacker. I’d like to place particular emphasis on the Web Application Hackers Handbook. It’s the most comprehensive, well written book on web application hacking I’ve ever seen.

If you have ANY issues getting started, or even any questions, please send me an email at me [ at ] matthewhughes [ dot ] co [ dot ] uk. I can also be reached on @matthewhughes on Twitter or matthugheswidnes on Skype. I’m really happy to help. I’m travelling for the next week though, so I might not be able to get back to you in anything resembling a timely manner.

Tags: cross site scripting, dvwa, hacking, reddit, reflected xss, university of reddit, xss