Commit 6f41bf03 authored by Diego Alvarez Arias, committed by Alberto Ballestas

sol(vbd): #0 dsvw, 0079-xss-reflected

- discovered vulnerabilities: 2 by me, 5 already in repo, 7 total.
- total estimated vulnerabilities in system:   25
- discovery percentage:                        28%
- effort: 3 hours during immersion.
parent f0999ee0
......@@ -8,3 +8,5 @@ https://www.contrastsecurity.com/security-influencers/hubspot-vulnerability-fixe
https://phpsecurity.readthedocs.io/en/latest/Cross-Site-Scripting-(XSS).html
https://www.softwaretestinghelp.com/cross-site-scripting-xss-attack-test/
https://www.theurbanpenguin.com/php-xss-example-and-prevention/
https://www.youtube.com/watch?v=De9KJqA55mE
https://www.acunetix.com/blog/web-security-zone/how-to-verify-a-cross-site-scripting-vulnerability/
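Review bot: the hunk header (-8,3 +8,5) says two URLs were added, but none of the five lines carries a hint of what the reference covers, so a reader has to open each one to find the relevant XSS material; add a short title or topic after each link (for example the XSS variant or tool it demonstrates), which also preserves the citation when a YouTube video such as De9KJqA55mE is taken down.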
......@@ -2,3 +2,4 @@ https://www.youtube.com/watch?v=03VBjDOi9-o
https://sangbui.com/blind-sql-injection-at-testphp-vulnweb-com/
https://www.youtube.com/watch?v=26HU7bwTy3o
https://www.hackingarticles.in/manual-sql-injection-exploitation-step-step
https://www.acunetix.com/blog/articles/sqli-part-3-the-anatomy-of-an-sql-injection-attack/
https://www.youtube.com/watch?v=gPEJiFKgYdE
https://youtu.be/Zcu2Eq_0Rxc?t=622
https://medium.com/@nemesiscontreras/testing-for-sqli-web-vulnerabilities-application-walk-trough-22719be8b3a9
http://testphp.vulnweb.com/hpp/?pp=12
https://www.youtube.com/watch?v=Klx8Vdrx1eY
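Review bot: http://testphp.vulnweb.com/hpp/?pp=12 is a live practice endpoint, not a reference article, yet it sits in the middle of write-ups and videos where a reader cannot tell it apart from the sources; label it as a lab target or move it next to the TOE information. Also worth a check: the hunk header (-2,3 +2,4) accounts for one added line, while nine URLs are rendered here, so confirm the rendered diff matches what was committed.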
......@@ -18,3 +18,4 @@ https://www.omegaton.com/2017/05/altoromutual.html
https://www.youtube.com/watch?v=v8jxQ7DgPaI
https://www.youtube.com/watch?v=l-5VMKh7Amo
https://www.itsc.cuhk.edu.hk/images/content/privacy-security/vas-web/wasample.pdf
https://developer.ibm.com/tutorials/se-owasp-top10/#example-of-a-simple-sql-injection-attack
http://blog.dornea.nu/2013/05/06/hacking-altoro-mutual/
https://www.ibm.com/developerworks/community/blogs/48a78681-82cc-434f-9c78-3e9117bfd466/resource/demo.testfire.netSecurityReport.pdf?lang=en
https://www.itsc.cuhk.edu.hk/images/content/privacy-security/vas-web/wasample.pdf
\ No newline at end of file
https://www.itsc.cuhk.edu.hk/images/content/privacy-security/vas-web/wasample.pdf
https://developer.ibm.com/tutorials/se-owasp-top10/#6-security-misconfiguration
https://resources.infosecinstitute.com/the-bodgeit-store-part-2/#gref
https://linuxhint.com/cross_site_request_forgery_attack/
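Review bot: the wasample.pdf URL appears three times in this region (in the context lines and twice more around the "\ No newline at end of file" marker); keep a single copy. The last four lines also change topic from AltoroMutual to The BodgeIt Store and a CSRF tutorial, so verify they were added to the intended links file rather than this one.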
......@@ -6,4 +6,4 @@ https://www.youtube.com/watch?v=mCo6ajvBv50i
https://www.youtube.com/watch?v=j5I0wPvQxTg
https://www.youtube.com/watch?v=VMeusdLErzA
https://youtu.be/UvgmaiT8n9E
https://www.hackingarticles.in/solving-owasp-bricks-challenge-3-using-sqlmap-and-havij/
http://localhost:65412/?v=0.2
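Review bot: http://localhost:65412/?v=0.2 is the local DSVW lab URL, not a reference, and if it belongs to this links file (the header -6,4 +6,4 indicates replaced lines rather than additions) it should be dropped; the feature file already records the TOE location and the probe URLs in their scenarios.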
## Version 1.4.1
## language: en
Feature:
TOE:
dsvw
Category:
Cross-Site Scripting (XSS)
Location:
http://localhost:65412 - v (field)
CWE:
CWE-79: https://cwe.mitre.org/data/definitions/79.html
Rule:
REQ.173: https://fluidattacks.com/web/rules/173/
Goal:
Inject a reflected XSS.
Recommendation:
Filter the user input
Background:
Hacker's software:
| <Software name> | <Version> |
| Windows | 10.0.1809 (x64) |
| Chrome | 75.0.3770.142 |
TOE information:
Given I am accessing the site http://127.0.0.1:65412/
And the server is running SQLite version 3
And Python version 2.7.16
Scenario: Normal use case
Given I access "http://127.0.0.1:65412/?v="
When I pass a value to the parameter "?v=4.01"
Then it just displays the value in the page footer
"""
Powered by DSVW (v4.01)
"""
Scenario: Static detection
Given the python code (dsvw.py)
And the lines where the "v" parameter is processed
"""
elif "v" in params:
    # the raw "v" value is substituted straight into the footer HTML
    content += re.sub(r"(v<b>)[^<]+(</b>)", r"\g<1>%s\g<2>" % params["v"], HTML_POSTFIX)
"""
When I inspect the code
Then I see the parameter is not filtered before it is inserted into the HTML
And I conclude that I could pass more than just a number
Scenario: Dynamic detection
Given "http://127.0.0.1:65412/?v="
When I insert some HTML tags in the parameter
"""
http://127.0.0.1:65412/?v=0.2<p style="text-transform: uppercase;">hi</p>
"""
Then I get the output:
"""
Powered by DSVW (v0.2
HI
)
"""
And the HTML tags are rendered by the browser
Then I conclude that I could pass HTML tags through the parameter
Scenario: Exploitation
Given "http://127.0.0.1:65412/?v="
And knowing that HTML tags are not filtered
When I pass this XSS payload:
"""
http://localhost:65412/?v=0.2<script>alert("XSS reflected")</script>
"""
Then an alert pops up with the message "XSS reflected"
Then I conclude that the application is vulnerable to reflected XSS
Scenario: Remediation
Given I have patched the code by stripping the HTML tags from the input
And with the "BeautifulSoup" library I can remove dangerous tags
"""
from bs4 import BeautifulSoup

soup = BeautifulSoup(params["v"], "html.parser")
# drop the tags that can execute or load code, then keep only the text
[s.extract() for s in soup(['script', 'style', 'img'])]
content += re.sub(r"(v<b>)[^<]+(</b>)", r"\g<1>%s\g<2>" % soup.get_text(), HTML_POSTFIX)
"""
When I pass the same XSS payload
"""
http://localhost:65412/?v=0.2<script>alert("XSS reflected")</script>
"""
Then the alert window does not pop up
Then I can confirm that the vulnerability was successfully patched
Scenario: Scoring
Severity scoring according to CVSSv3 standard
Base: Attributes that are constants over time and organizations
4.3/10 (Medium) - AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Temporal: Attributes that measure the exploit's popularity and fixability
4.1/10 (Medium) - E:F/RL:W/RC:C
Environmental: Unique and relevant attributes to a specific user environment
3.4/10 (Low) - CR:L/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X
Scenario: Correlations
No correlations have been found as of 2019-08-13
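Added example, not part of the feature file, of DSVW or of the commit author's patch: the re.sub pattern from the static-detection scenario beside an output-encoding fix, plus the check the dynamic-detection step performs. HTML_POSTFIX is a constructed stand-in for DSVW's footer template.

```python
import html
import re

# Constructed stand-in for DSVW's HTML_POSTFIX footer template (assumption:
# the real template differs, but it also renders the version as "v<b>...</b>").
HTML_POSTFIX = '<div class="footer">Powered by DSVW (v<b>0.0</b>)</div>'

# The same footer pattern dsvw.py uses to locate the version string.
FOOTER_RE = r"(v<b>)[^<]+(</b>)"


def render_footer_vulnerable(v: str) -> str:
    """The pattern from dsvw.py: the raw parameter is formatted into the
    replacement string, so any markup in it is emitted as HTML and any
    backslash sequence in it is interpreted by re.sub as a group reference."""
    return re.sub(FOOTER_RE, r"\g<1>%s\g<2>" % v, HTML_POSTFIX)


def render_footer_fixed(v: str) -> str:
    """Hardened variant (added here, not DSVW's code): HTML-encode the value
    and hand it to re.sub through a function, so the browser displays the
    characters literally and re.sub never parses them as a template."""
    encoded = html.escape(v, quote=True)
    return re.sub(FOOTER_RE, lambda m: m.group(1) + encoded + m.group(2),
                  HTML_POSTFIX)


def reflected_unencoded(v: str, page: str) -> bool:
    """Check behind the dynamic-detection step: the probe contains a tag and
    the response contains the probe byte-for-byte."""
    return "<" in v and v in page


if __name__ == "__main__":
    # Constructed probes: the normal value, the page's <p> probe, and a
    # backslash group reference that re.sub expands in the vulnerable path.
    for probe in ("4.01",
                  '0.2<p style="text-transform: uppercase;">hi</p>',
                  "0.2\\1"):
        before = render_footer_vulnerable(probe)
        after = render_footer_fixed(probe)
        print(probe, reflected_unencoded(probe, before),
              reflected_unencoded(probe, after))
```

Compared with the tag-stripping patch in the Remediation scenario, encoding keeps the submitted value readable in the footer and also covers entity-encoded input, which BeautifulSoup's get_text() decodes back into raw angle brackets.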
......@@ -38,3 +38,4 @@ https://www.hackingarticles.in/xss-exploitation-dvwa-bypass-security/
https://raw.githubusercontent.com/keewenaw/dvwa-guide-2019/master/low/Challenge%2010%3A%20XSS%20(DOM).md
https://raw.githubusercontent.com/keewenaw/dvwa-guide-2019/master/medium/Challenge%2011%3A%20XSS%20(Reflected).md
https://chousensha.github.io/blog/2014/08/08/pentest-lab-damn-vulnerable-web-application/
http://www.reydes.com/d/?q=XSS_Cross_Site_Scripting
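Review bot: the two raw.githubusercontent.com links point at the master branch of a third-party repository, so their content can change or disappear without notice; pin them to a commit hash or cite the rendered GitHub page instead, and as with the other links files a short title per URL would tell the reader which of the four references covers DOM XSS versus reflected XSS.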