Posted in Application Attacks using the OWASP Mutillidae II Environment
OWASP Mutilidae is an intentionally vulnerable, open source, web application that focuses on the OWASP Top 10. The application runs remotely at the hack.me website, however a full version is available from IronGeek.com that can be set up in a VM on the desktop. To enable “hints”, click the “Toggle Hints” button on the menu bar once to activate level-1 hints. Level-1 hints generate dynamic boxes that provide vulnerability information, including discovery and exploitation. Level-2 hints are activated by clicking a second time and provide tutorials By default, no hints are provided (level 0).
Pre-lab Setup: Access the Mutillidae interface at https://hack.me/101163/mutillidae-23101.html You will need to create a login, or login with your Facebook or Goggle account. A sandbox will be created for you for the lab.
For each of the labs, be certain that you are jotting down your ideas for mitigating the vulnerabilities that would allow the attacks.
Morning Activities
Lab 1. SQL Injection Video
1. View the movie “Walking through Walls” located at https://www.youtube.com/watch?v=jMQ2wdOmMIA and answer the following questions:
a. What was the significance of the tester removing the JavaScript code from the page?
b. What measures could be put into place to ensure that this attack was not successful?
Lab 2. Directory Browsing for Robots.txt
Sites use the robots.txt file to deter crawlers from indexing certain pages at the site that may contain sensitive information. To most hackers, the presence of a robots.txt file simply lets them know what files are the most interesting! In this lab, you will change the directory path in your URL to point it to the robots.txt file.
1. Start a new Mutillidae sandbox by logging in and creating a new sandbox (accepting the Terms of Service, or TOS).
2. From the Mutillidae Main Menu, select “OWASP Top 10” -> “A6 – Security Misconfiguration” -> “Directory Browsing” ->
3. At the Directory Browsing page, browse to the robots.txt file by highlighting the current page in the folder, after hack.me/, as shown below:
and replacing the highlighted text with robots.txt . What pages or folders did you find that might be of interest to you?
4. Take a screenprint of this page!
Lab 3. Broken Authentication and Session Management (Authentication Bypass using SQL Injection).
In this lab, we will bypass authentication by injecting SQL code at a login prompt to gain unauthorized access to a vulnerable web server – Multillidae.
1. Start a new Mutillidae sandbox by logging in and creating a new sandbox (accepting the Terms of Service, or TOS).
2. From the Mutillidae Main Menu, select “OWASP Top 10” -> “A3 – Broken Authentication and Session Management” -> “Login” ->
3. At the Login screen, under the Please sign-in box, enter hacker for the Name and "' or 1=1 — " for the Password and click on the Login box.
4. In the upper right-hand screen, who are you now logged in as? Take a screenprint of this page!
C:\Users\Marg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\70JG947X\MC900434805[1].png You have completed this lab. Please reset the database by clicking on the Home link on the Menu Bar and then on the Reset DB link on the Menu Bar to return the tables to their original state.
Lab 4a –Persistent Cross-Site Scripting (XSS)
Persistent Cross-Site Scripting is a more damaging version of XSS than are reflective XSS attacks as the injection is permanently stored in the source, such as the comments to a video or blog. In this lab, we will leverage a bug in the vulnerable server to add to the blog.php code, using a Persistent XSS technique. This will allow us to store a windows alert popup box.
1. Start a new Mutillidae sandbox by logging in and creating a new sandbox (accepting the Terms of Service, or TOS).
2. From the Mutillidae Main Menu, select “OWASP Top 10” -> “A2 – Cross Site Scripting (XSS)” -> “Persistent (Second Order)” -> “Add to your blog”.
3. To test the site for the vulnerability, enter in the following text below the comment box: <script>alert("Hello from your friendly hacker community")</script> We will be looking for a popup box with our text to display if we are successful.
4. Click the OK button to close the popup box.
5. Navigate back to the View Blogs link by selecting “OWASP Top 10” -> “A2 – Cross Site Scripting (XSS)” -> “Persistent (Second Order)” -> “View someone’s blog”.
6. At the “Please Choose Author” drop-down box, select Show All to show all blog entries and then click on the View Blog Entries button.
7. Click the OK button. You should notice that the XSS injection text is persistently stored in the blog. Take a screenprint of this page!
C:\Users\Marg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\70JG947X\MC900434805[1].png You have completed this lab. Please reset the database by clicking on the Home link on the Menu Bar and then on the Reset DB link on the Menu Bar to return the tables to their original state.
Lab 4b – Persistent Cross-Site Scripting (XSS)
Let’s try to extend this lab a bit in order to add an iframe.
1. From the Mullitidae Main Menu, select “OWASP Top 10” -> “A2 – Cross Site Scripting (XSS)” -> “Persistent (Second Order)” -> “Add to your blog”.
2. In the text box, place the following: <iframe src="http://www.2600.com"></iframe>
3. Click the Save Blog Entry button to save the text.
4. You will now see your site displayed in the comments, which also could have been used to run fairly malicious scripts. Take a screenprint of this page!
C:\Users\Marg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\70JG947X\MC900434805[1].png You have completed this lab. Please reset the database by clicking on the Home link on the Menu Bar and then on the Reset DB link on the Menu Bar to return the tables to their original state.
Lab 5 – SQL Injection Lab
1. From the Mullitidae Main Menu, select “OWASP Top 10” -> “A1 – SQL Injection” -> “SQLi – Extract Data” -> “User Info”.
2. At the “User Information” page, attempt to view the information for Name admin and password of Password.
a. Were you successful?
b. What information was returned to you by the web application that might help further your information gathering at this site? Take a screenprint of this page!
3. Now, simply inject the SQL command (copy and paste it) into the Name field: "' or 1=1 — " and click on the View Account Details button.
a. What information is returned?
b. What is the password for the Admin account?
c. Can you explain why? Take a screenprint of this page!
4. Intentionally enter in incorrect SQL syntax into the password field: "' or 1=1 " (without the trailing dashes – you can copy and paste this into the password field).
a. What information was returned that might be helpful to you in furthering an attack on this server? Take a screenprint of this page!
C:\Users\Marg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\70JG947X\MC900434805[1].png You have completed this lab. Please reset the database by clicking on the Home link on the Menu Bar and then on the Reset DB link on the Menu Bar to return the tables to their original state.
Optional:
Read about a recent XSS flaw in video-sharing site that enabled a DDoS attack
http://www.computerworld.com/s/article/9247450/XSS_flaw_in_popular_video_sharing_site_allowed_DDoS_attack_through_browsers
