Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Let's solve DVWA.
- Add the following line to the /etc/hosts file:

```
127.0.1.1 secqation.local
```
- Start your own vulnerable instance of DVWA:

```
docker run --rm -it -p 80:80 vulnerables/web-dvwa
```
- Start hacking. Let's make hacking DVWA a bit more interesting...
- Go to the folder /home/secqation/Desktop/TheDemo/1-local-execution/demo-test-suite
- Check the contents of the init.sh file in the BashScripts folder:

```
# Capture the crawl through mitmdump (port 8080), appending to traffic.mitm and
# skipping browser background noise (Firefox telemetry, OCSP, Mozilla, Google APIs)
mitmdump -p 8080 -w +traffic.mitm "! ~u firefox|ocsp|mozilla|googleapis" &
# Run the requested suite (App.robot when no argument is given) and write results to the Results folder
robot -d ~/Desktop/TheDemo/1-local-execution/demo-test-suite/Results ~/Desktop/TheDemo/1-local-execution/demo-test-suite/Tests/${1:-App.robot}
# Stop the proxy once the suite has finished
pkill mitmdump
echo "Test Complete."
```

  Notice the use of ${1:-App.robot}. It means that if no parameter value is passed when calling the bash script, the App.robot test suite is executed by default; if a specific filename is passed, that test suite is executed instead.
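As an added example (not the workshop's own init.sh), the same run-the-suite-under-a-proxy procedure written so that the suite name is validated before the proxy starts and the proxy is stopped by PID on every exit path, rather than with pkill; it assumes it is run from the demo-test-suite folder and that mitmdump and robot are on PATH.

```shell
#!/bin/sh
# Added example, not the workshop's init.sh. Assumes: current directory is
# demo-test-suite, and mitmdump and robot are on PATH.
SUITE_DIR="${SUITE_DIR:-./Tests}"
RESULTS_DIR="${RESULTS_DIR:-./Results}"
PROXY_PORT="${PROXY_PORT:-8080}"
# Same noise filter as the page's init.sh: skip browser telemetry, OCSP and Google API calls.
CAPTURE_FILTER='! ~u firefox|ocsp|mozilla|googleapis'

# Suite to run: the first argument, or App.robot when none is given (${1:-App.robot}).
select_suite() {
    printf '%s\n' "${1:-App.robot}"
}

# Path of the chosen suite; returns 1 when the file is missing, so a typo in the
# suite name stops the run instead of leaving an empty capture behind.
suite_path() {
    p="$SUITE_DIR/$(select_suite "$1")"
    [ -f "$p" ] || return 1
    printf '%s\n' "$p"
}

# Stop only the proxy this run started (by PID rather than "pkill mitmdump").
stop_proxy() {
    [ -n "${PROXY_PID:-}" ] || return 0
    kill "$PROXY_PID" 2>/dev/null
    wait "$PROXY_PID" 2>/dev/null
    PROXY_PID=""
}

run_suite() {
    suite="$(suite_path "$1")" || { echo "no such suite: $SUITE_DIR/$(select_suite "$1")" >&2; return 2; }
    mkdir -p "$RESULTS_DIR"
    # "+traffic.mitm" appends to an existing capture, exactly as on the page.
    mitmdump -p "$PROXY_PORT" -w +traffic.mitm "$CAPTURE_FILTER" &
    PROXY_PID=$!
    trap stop_proxy EXIT INT TERM    # proxy is stopped even if robot is interrupted
    sleep 2                          # give mitmdump time to start listening
    robot -d "$RESULTS_DIR" "$suite"
    rc=$?
    stop_proxy
    trap - EXIT INT TERM
    echo "Test Complete (robot exit code $rc)."
    return "$rc"
}

# Guarded so the file can also be sourced for its functions; run with RUN_WRAPPER=1.
if [ "${RUN_WRAPPER:-0}" = 1 ]; then run_suite "$@"; fi
```

Run it as RUN_WRAPPER=1 sh run_suite.sh 03__recon_base_url.robot; the robot exit code is propagated so a failed crawl is visible to whatever calls the wrapper.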
- Check the contents of the Tests folder:

```
$ tree Tests/
Tests/
├── 01__setup_dvwa.robot
├── 02__teardown_dvwa.robot
├── 03__recon_base_url.robot
└── App.robot
```
- Check the contents of the .robot files.

  Tests/01__setup_dvwa.robot:

```
*** Settings ***
Resource          ../Resources/App.robot
Resource          ../Resources/Common.robot
Resource          ../Data/Variables/global.robot
Suite Setup       Begin Web Assessment
Suite Teardown    End Web Assessment

*** Test Cases ***
Setup DVWA
    # [Teardown]    Stop DVWA
    Start a local instance of DVWA
    Login to DVWA
    Setup Database for DVWA
    Re-login to DVWA
```
  Tests/02__teardown_dvwa.robot:

```
*** Settings ***
Resource          ../Resources/App.robot
Resource          ../Resources/Common.robot

*** Test Cases ***
Destroy DVWA Running Docker Instance
    Stop DVWA
```
  Tests/03__recon_base_url.robot:

```
*** Settings ***
Resource          ../Resources/App.robot
Resource          ../Resources/Common.robot
Resource          ../Data/Variables/global.robot
Suite Setup       Begin Web Assessment
Suite Teardown    End Web Assessment

*** Test Cases ***
Authenticate and Crawl DVWA
    [Documentation]    Assumptions -
    ...    1) DVWA server is up
    ...    2) DVWA setup has been completed successfully
    Login to DVWA
    Crawl    ${BASE_URL}    ${Target_Domain}
```
  Tests/App.robot:

```
*** Settings ***
Resource          ../Resources/App.robot
Resource          ../Resources/Common.robot
Resource          ../Data/Variables/global.robot
Suite Setup       Setup for Authenticated Crawling of DVWA Pages
Suite Teardown    End Web Assessment

*** Test Cases ***
Crawl Authenticated DVWA Pages
    [Documentation]    Assumptions -
    ...    1) DVWA server is up
    ...    2) DVWA setup has been completed successfully
    ...    3) User is logged in
    [Template]    Perform Authenticated Crawling
    http://secqation.local/
    http://secqation.local/about.php
    http://secqation.local/instructions.php
    http://secqation.local/phpinfo.php
    http://secqation.local/security.php
    http://secqation.local/setup.php
    http://secqation.local/vulnerabilities/brute/
    http://secqation.local/vulnerabilities/captcha/
    http://secqation.local/vulnerabilities/csp/
    http://secqation.local/vulnerabilities/csrf/
    http://secqation.local/vulnerabilities/exec/
    http://secqation.local/vulnerabilities/fi/?page=include.php
    http://secqation.local/vulnerabilities/javascript/
    http://secqation.local/vulnerabilities/sqli/
    http://secqation.local/vulnerabilities/sqli_blind/
    http://secqation.local/vulnerabilities/upload/
    http://secqation.local/vulnerabilities/weak_id/
    http://secqation.local/vulnerabilities/xss_d/
    http://secqation.local/vulnerabilities/xss_r/
    http://secqation.local/vulnerabilities/xss_s/
```
- Run the following commands to set up DVWA and do a quick scan of the base URL:

```
./BashScripts/init.sh 01__setup_dvwa.robot
./BashScripts/init.sh 03__recon_base_url.robot
```
- Open the log.html file (from the Results folder) in a browser window.
- Click on Authenticate and Crawl DVWA.
- Click on App.Crawl ${Base_URL},${Target_Domain}.
- Click on Crawl.Print crawl status.
- Click on Collections.Log List ${ALL_IN_SCOPE_LINKS}.
- Copy the list of all in-scope URLs.
- Open the Tests/App.robot test file and pass this copied list of URLs as arguments to the Perform Authenticated Crawling test template.
- Switch to the command line interface and run the following commands:

```
$ cd ~/Desktop/TheDemo/1-local-execution/demo-test-suite
$ ./BashScripts/init.sh
```
- Refresh the log.html page in your browser to see the updated results.
- Expand the respective keywords to see the detailed scan report for each URL that was passed to the Perform Authenticated Crawling test template.
- Locate the mitmproxy_httpolice.py file:

```
$ sudo apt install mlocate
$ locate mitmproxy_httpolice.py
```
- Check the contents of the docker-compose-httpolice.yml file. Ensure that the volume mappings are correct:

```
version: "3.9"
services:
  HTTPolice:
    build:
      context: .
      dockerfile: ./Input/HTTPolice/Dockerfile
    image: httpolice:latest
    container_name: httpolice
    volumes:
      - "./traffic.mitm:/home/mitmproxy/Output/traffic.mitm"
      - "./Results/httpolice:/home/mitmproxy/Output/httpolice"
    command: mitmproxy -s "/usr/local/lib/python3.9/site-packages/mitmproxy_httpolice.py" -r /home/mitmproxy/Output/traffic.mitm --set httpolice_mark=comment --no-server
```
- Run the following command:

```
docker-compose -f docker-compose-httpolice.yml run HTTPolice
```
- Press the [F] key to set a filter expression.
- Enter the following as the filter expression:

```
! (~q | ~t css|javascript|icon)
```

  This hides any request without a response (~q) and any request whose content type (~t) is css, javascript or icon, so only the flows worth reviewing remain shown.
- Run the following command to export the HTML report for the filtered traffic:

```
: httpolice.report.html @shown /home/mitmproxy/Output/httpolice/httpolice_report.html
```
- Press the [Q] key followed by the [Y] key to exit mitmproxy.
- Access the exported HTML report at ./Results/httpolice/httpolice_report.html
- If you find an interesting request, copy and paste it into Burp Suite's Repeater/Intruder tool.
- Ask doubts, if any.

Hope you have learned something interesting. Happy Hacking... the SecQAtion way!!