Tag Archives: BWA

My First Presentation – Web Hacking

Tuesday December 8th was the last meeting of the semester for Spartan Hackers, and I gave the presentation. Spartan Hackers is a group of students at Michigan State University who go to hackathons and want to learn more about computer science. Each week we have workshops to introduce new things to our members; topics vary from “Intro to HTML” to “Web Scraping”.

The original idea was to have a security company come in and talk with us, but that fell through at the last minute. The next idea was for me to beg one of the Misec members to give one of their talks, but I wasn’t able to get to them soon enough (I only gave them around a week’s notice to prepare something). So the backup backup plan? I’ll present a security topic! After all, I am a Misec member and I know what I’m doing, right?

So I grabbed my computer, downloaded OWASP’s BWA project and started searching for vulnerabilities that I could show people. I did my best to stick to the OWASP Top 10. I found examples of XSS, SQL injection, directory browsing, broken authentication, and direct object reference: a lot of the heavy hitters for web app hacking. So with my examples in hand, I set out to make a presentation. It was planned to be short; I didn’t want to talk the entire time. I wanted it to be interactive. So when we sent out the invite we told people to download OWASP BWA and VirtualBox; I even had step by step guides in a previous blog post. The idea was to discuss a topic, show people, let them play, then repeat the process with the next hack. Sounds awesome, right?

Peruggia Hedgehog from presentation
Yeah! If people downloaded BWA before coming!!

I got to the meeting an hour before it started and opened all the files I needed. I had my cheatsheet of hacking demos, the blog posts, my slides, and the VM all ready to go. I ran through each hack to make sure they worked and was already getting nervous before anyone even showed up. Pizza came, the e-board showed up, and a few members strolled in. We all talked for a bit, and I posted on Twitter about the presentation. As the night was about to start, the club president asked how I was doing. I said it’d go great if everyone got things downloaded in time, and the reaction I got back didn’t really help my nerves. I should have guessed, but only a few people had the VM installed. My plan of show and tell, then letting people find their own examples, came crashing down. I had about 30 minutes of slides and the meeting was supposed to be an hour. Should be easy, just double the length of each slide, talk slowly… yeah.. ok.

I think the actual presentation went well; besides not being as interactive as I wanted, I was able to show off all the hacks I wanted. I wasn’t as engaging as I probably could have been, since I was always behind the podium typing the next hack. When I asked for questions, most of the time it was quiet. I managed to go for 40 minutes before the slides ran out, and I even gave a very rough “demo” of using Armitage to find simple bugs.. but I stumbled through that.

Feedback that I got afterwards was that there was a lot of information. All of it was cool and seemed surprisingly simple, but there were a lot of topics that I just scratched the surface of. People seemed interested in a more in-depth workshop. Maybe Spartan Hackers will get a group together to run through the BWA some time. The other idea I had for a future event was a Q&A panel with local hackers: instead of a lecture-style presentation, people walk around to the hackers to learn about things in a more open setting.

Exploiting BWA (Broken Web App)

Two posts ago, I wrote a quick post about installing OWASP’s Broken Web App. This post is about exploiting the BWA, and by that I mean I’m posting a few notes on how to reproduce some of the vulnerabilities reported on SourceForge and irongeek.com. This post assumes you have the OWASP BWA virtual machine up and running and that your VM’s IP address is mapped to owaspbwa.com in /etc/hosts (on your testing machine, not the VM).

I’ll do my best to give a complete set of information for each hack, including where to go, what to do, how to exploit it, and why the exploit works. (If there’s interest, I might come back later and add a how-to-fix section for the exploits I know how to fix.)

List of exploits by vulnerability type

XSS

  1. Reflected XSS
    • goto: owaspbwa.com/peruggia/index.php
    • action: Click on Learn in the navbar, then click on one of the papers listed on that page.
    • description: This loads a new page. In your URL, look after the ? symbol: you will see “parameters” and their values. What happens if you modify the values right from the URL? What if you injected some JavaScript?
    • exploit: Change a value to <script>alert(1)</script>, so the URL might look like http://owaspbwa.com/peruggia/index.php?action=learn&type=<script>alert(1)</script>&paper=…
  2. Moar reflected XSS
    • goto: owaspbwa.com/getboo/
    • action: Search for something like “foobar”.
    • description: Variables stored in the URL can be modified as above.
    • exploit: Replace your keyword with the XSS script from 1.
  3. Stored XSS
    • goto: owaspbwa.com/wackopacko
    • action: Log in, view an image, and leave a comment.
    • description: If the comment field lacks validation, you can put code in your comment; it is stored and served to everyone who views the image.
    • exploit: Use a script while writing your comment. A fun one is <script>x=prompt("Question");document.write(x);</script>
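As an added illustration (not code from this post or from the BWA apps), here is a Python stand-in for a page that echoes an untrusted value, beside the same page with HTML-entity encoding applied at output. The payloads are the ones quoted above; the page markup and function names are made up for this example, and the same output encoding is the fix for the reflected cases (URL parameter) and the stored case (comment read back from the database).

```python
import html

# Constructed sample inputs: the two payloads quoted in this post plus a benign value.
SAMPLES = [
    "<script>alert(1)</script>",
    '<script>x=prompt("Question");document.write(x);</script>',
    "networking",
]

def render_vulnerable(value: str) -> str:
    """Drops the untrusted value (URL parameter or stored comment) straight into the HTML."""
    return f"<h2>Papers of type: {value}</h2>"

def render_fixed(value: str) -> str:
    """Same page, but the value is HTML-entity encoded at output time, so the
    browser shows the text instead of executing it."""
    return f"<h2>Papers of type: {html.escape(value, quote=True)}</h2>"

def has_live_script(rendered: str) -> bool:
    """Crude response check: does a raw <script tag survive into the markup?"""
    return "<script" in rendered.lower()

def compare(values=SAMPLES) -> dict:
    """Map each sample to (script survives in vulnerable page, survives in fixed page)."""
    return {v: (has_live_script(render_vulnerable(v)), has_live_script(render_fixed(v)))
            for v in values}

if __name__ == "__main__":
    for value, (vuln, fixed) in compare().items():
        print(f"{value[:40]!r:45} vulnerable={vuln!s:5} fixed={fixed}")
```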

SQL Injection

  1. Login Bypass
    • goto: owaspbwa.com/peruggia
    • action: Log in
    • description: If users are stored in a database, a query compares the existing users to the parameters you give. This can be manipulated into whatever you need, even logic that overrides the password check.
    • exploit: Leave the password blank and use ' or 1=1-- -&password=aaa as the username
  2. Display useful information for more hacks
    • goto: owaspbwa.com/peruggia
    • action: View a picture
    • description: URLs sometimes contain parameters that become part of SQL queries. These can be manipulated as well.
    • exploit: Replace the value of the pic id in the URL with -1 union all select 1,2,3,@@version
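An added example, not code from this post or from Peruggia: a small SQLite model of the two queries above, each shown as the string-built version beside its parameterised fix. The table names, columns and sample rows are constructed, and sqlite_version() stands in for MySQL's @@version.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample tables standing in for Peruggia's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "user", "user")])
    conn.execute("CREATE TABLE pics (id INTEGER, title TEXT, path TEXT)")
    conn.execute("INSERT INTO pics VALUES (1, 'hedgehog', 'upload/1.jpg')")
    return conn

def login_vulnerable(conn, username: str, password: str):
    """Query built by string formatting: the input is parsed as SQL grammar,
    so a quote plus a comment marker rewrites the WHERE clause."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(conn, username: str, password: str):
    """Parameterised query: the driver binds the input as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def picture_vulnerable(conn, pic_id: str):
    """Numeric id dropped into the query unquoted, so a UNION can append rows."""
    return conn.execute(f"SELECT id, title, path FROM pics WHERE id = {pic_id}").fetchone()

def picture_fixed(conn, pic_id: str):
    """Validate the type first, then bind; anything non-numeric is rejected."""
    try:
        pid = int(pic_id)
    except ValueError:
        return None
    return conn.execute("SELECT id, title, path FROM pics WHERE id = ?", (pid,)).fetchone()

if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1=1-- -"                            # username payload from this post
    leak = "-1 union all select 1,2,sqlite_version()"  # SQLite stand-in for @@version
    print("vulnerable login ->", login_vulnerable(db, bypass, ""))
    print("fixed login      ->", login_fixed(db, bypass, ""))
    print("vulnerable pic   ->", picture_vulnerable(db, leak))
    print("fixed pic        ->", picture_fixed(db, leak))
```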

Directory Browsing

  1. View directory contents, not webpages
    • goto: owaspbwa.com/peruggia
    • action: Try to find common directories used in web apps, like images/, css/ or config/
    • description: Most web apps do not expect you to request a directory directly by URL, and they aren’t configured to stop a user from viewing all the contents of that folder.
    • exploit: Append a directory you want to browse, such as images/, to the end of the URL.

Broken Authentication

  1. Add or remove accounts (without admin credentials)
    • goto: owaspbwa.com/peruggia
    • action: Log in as admin (admin/admin), view the account tab and add a new user foo. Log out and log back in as user (user/user).
    • description: Without a proper authorization check, a regular user can act as an admin.
    • exploit: Append index.php?action=account&deleteuser=someoneiwanttodelete to the end of the URL
  2. View “your uploads” of other people
    • goto: owaspbwa.com/wackopacko
    • action: Log in as a user (bryce/bryce) and click the link “view your uploaded pics”
    • description: The action describes the intended use of the functionality. However, look in the URL: the only thing making sure you are viewing your own pictures is the id. What if you changed that id?
    • exploit: Modify userid to a different value to see someone else’s uploaded images

Direct Object Reference

  1. View any user like they were your friend.
    • goto: owaspbwa.com/AppSensorDemo/home.jsp
    • action: Log in and view some of your friends
    • description: An account may only be friends with 20 or so other users. There are no direct links to users who aren’t friends, so a user can’t see non-friends, right? Wrong. Each user is directly referenced by their ID.
    • exploit: Change the ID in the URL to any number you like. Most likely you won’t find a user on the first try because IDs are random, but a script could iterate through all the IDs and find every user.
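An added example (not code from this post or from the BWA apps) covering the deleteuser, userid and friend-ID cases in the Broken Authentication and Direct Object Reference sections above: each handler enforces the authorization rule the application forgot. The accounts are constructed sample data and the function names are made up for this example.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    id: int
    name: str
    role: str = "user"                          # "admin" or "user"
    uploads: list = field(default_factory=list)
    friends: set = field(default_factory=set)   # ids of confirmed friends

class AuthzError(Exception):
    """The session is not entitled to the requested action or object."""

# Constructed sample accounts standing in for the Peruggia / WackoPicko / AppSensorDemo data.
USERS = {
    1: User(1, "admin", "admin"),
    2: User(2, "user", uploads=["cat.jpg"], friends={3}),
    3: User(3, "bryce", uploads=["dog.jpg"], friends={2}),
    4: User(4, "foo", uploads=["secret.jpg"]),
}

def delete_user(session_user_id: int, target_id: int) -> bool:
    """action=account&deleteuser=...: the role check the app skips."""
    if USERS[session_user_id].role != "admin":
        raise AuthzError("deleteuser requires the admin role")
    return USERS.pop(target_id, None) is not None

def view_uploads(session_user_id: int, userid_param: int) -> list:
    """'view your uploaded pics': the userid in the URL must match the session."""
    if userid_param != session_user_id:
        raise AuthzError("userid does not belong to this session")
    return USERS[session_user_id].uploads

def view_profile(session_user_id: int, profile_id: int) -> str:
    """Friend view: a direct ID is fine only after the relationship is checked."""
    viewer = USERS[session_user_id]
    if profile_id != viewer.id and profile_id not in viewer.friends:
        raise AuthzError("profile is not a friend of the session user")
    return USERS[profile_id].name

def allowed(action, *args) -> bool:
    """True if the handler serves the request, False if it refuses it."""
    try:
        action(*args)
        return True
    except AuthzError:
        return False
```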

Feel free to add a comment below if you find another exploit I didn’t include. I’d be happy to add it to the post if you follow the format below!

  • goto:
  • action:
  • description:
  • exploit:

Installing BWA (Broken Web App)

OWASP BWA is a safe place to practice some fun stuff: basically a collection of applications for testing everything security related. OWASP has a few projects like WebGoat, Security Shepherd, and more. Broken Web Apps is a collection of these training apps and some outdated real-world apps to test your developing skills against.

Install All The Things!

In order to set things up, it’s important to have everything you need installed. While you don’t need Kali to execute some web exploits, it is useful because of all the tools at your disposal. You do, however, need VirtualBox or VMware Player to host the VM. If you haven’t set up a VM before, I suggest you use VirtualBox and the .ova files. The rest of the guide will assume you want to use VirtualBox.

Extract Kali Files

For a Mac, go to the App Store and download The Unarchiver, a free app to extract 7zip files. On Windows you can download the 7-Zip program and extract using that. On Gentoo you can use p7zip, a command-line 7zip tool; it’s apparently in the Debian repos too. Extract with 7z x archive_you_want_to_extract.7z from a terminal.

Setting it up (For VirtualBox)

Once everything is installed, run VirtualBox and click File > Import Appliance. Choose the files that you just downloaded from the links above. The default settings that come with the appliance should appear, and you can click OK.

BWA Virtual Machine
Once the VM is fully installed, VirtualBox should look like this.

After you see the new virtual machine available, you’ll want to check and make sure you can access it from either your Kali VM or your actual machine. To do this you can set up either a NAT network or a Host-only adapter for the VM. I chose Host-only, but either will work as long as you configure it correctly. Go to File > Preferences. On the left sidebar click Network. There you’ll see tabs for NAT and Host-only. Pick one; there will be three buttons on the right, so click the one with the + icon. That will add a new network for your VM to use. Hit OK to go back to the main page of the app.

Network Settings
Add a new NAT network or Host-only network to VirtualBox

Go to your VM’s settings by clicking to select it, then hit the big Settings button above it. Go to Network, select the network type you just made, make sure the network name is correct, then hit OK for everything.

VM network settings
Change the network settings for the BWA VM

Start up the BWA

Run the VM! This should go without a hitch: the VM should start up in a new window and display a lot of lines as it boots. Once it’s ready to log in, you can use the user root and password owaspbwa. This is the default user and password for all the administrative accounts across the VM. As you log in, the banner text should say what the IP address of the VM is. On your actual machine, open a web browser and try to go to that site by typing the IP address into the address bar, like http://192.XXX.XXX.XXX

To make it easier for future use, you can edit the hosts file on your main computer so that a URL resolves to the VM’s IP address. On Linux or a Mac, open a terminal, run sudo nano /etc/hosts and add the line 192.XXX.XXX.XXX        owaspbwa.com. That’s a tab between the IP address and the hostname. The hostname can be whatever you want if you don’t like owaspbwa.com. Replace the IP address in the browser with the new URL. If that doesn’t work, try restarting the browser and try again.

BWA homepage
This is the first page of the OWASP BWA project