This is a SERIES of blog posts, which all relate to one another, but will take time to complete.
I'm publishing as I go, but will come back and edit them in places at a later date, as well as adding videos.
Best to check back when the "Undocumented" Bugs/Vulnerabilities post is up (that will be the last post!) ;-).
The following posts will demonstrate various environments, scenarios and setups. This will cover a mixture of Operating Systems (Linux & Windows), a range of web servers (Apache, Nginx & IIS), different versions of PHP (v5.4 & v5.6), databases (MySQL & MariaDB), as well as user permissions (both inside the services and for the accounts running those services on the OS itself). DVWA also ships with an (outdated) Web Application Firewall (WAF) called PHPIDS, which has issues of its own! Lastly, there are "undocumented" vulnerabilities in DVWA's core, which are either hidden bugs and/or unintended issues...
Note: This list will be updated with links over the next few weeks, once the posts have been published!
- Login (HTTP POST form brute force with CSRF token)

| Module | Low | Medium | High | Impossible | WAF | Extra |
|---|---|---|---|---|---|---|
| Brute Force | | | | | | |
| Command Injection (RCE) | Remote Code Execution | Bypassing blacklist patterns | Bypassing more blacklist filters | Impossible | PHPIDS (WAF) | |
| Cross-Site Request Forgery (CSRF) | CSRF | Referer header check. Links with XSS module | Anti-CSRF token used. Links with XSS module | Impossible | PHPIDS (WAF) | |
| File Inclusion (LFI/RFI) | LFI & RFI | Blacklisting patterns | Whitelisting with wildcards | Impossible | PHPIDS (WAF) | |
| File Upload (FU) | File Upload | Spoofed upload type | Merged image. Links with LFI module | Impossible | PHPIDS (WAF) | |
| Insecure CAPTCHA | CAPTCHA bypass | CAPTCHA bypass by using an extra field | Hardcoded/debug values | Impossible | PHPIDS (WAF) | |
| SQL Injection (SQLi) | SQLi | `mysql_real_escape_string` bypass - unable to use single/double quotes. POST requests in a dropdown menu | SQLi in SESSION carried over from another page | Impossible | PHPIDS (WAF) | |
| SQL Injection (SQLi) Blind | SQLi | `mysql_real_escape_string` bypass - unable to use single/double quotes. POST requests in a dropdown menu | SQLi in cookie value | Impossible | PHPIDS (WAF) | |
| Cross Site Scripting (XSS) Reflected | XSS | XSS filter to remove `<script>` | XSS filter to remove `<*s*c*r*i*p*t` | Impossible | PHPIDS (WAF) | Phishing |
| Cross Site Scripting (XSS) Stored | XSS | XSS filter to remove `<script>`. Limited input size | XSS filter to remove `<*s*c*r*i*p*t`. Limited input size | Impossible | PHPIDS (WAF) | Phishing |

"Undocumented" Vulnerabilities:
- Login (HTTP POST form brute force with CSRF token)
- Core
- LFI
- XSS
- Brute Force & SQLi
- File Inclusion (LFI/RFI) & XSS
Targets
Going to use a mixture of targets:
- 4x Operating Systems (Arch Linux, Raspbian Jessie, Windows Server 2012 & Windows XP)
- 2x Apaches (One Windows & One Linux)
- 2x Windows (One Apache & One IIS)
- 2x Linux (One Apache & One Nginx)
- 2x Raspberry Pis "B" (One v1 & One v2)
- 2x Virtual Machines
192.168.1.11 (aka: ArchPi)
- Machine: Raspberry Pi v1 "B"
- Web Server: Nginx v1.8.0 (as "httpd")
- Server Side Scripting: PHP v5.6.14
- Database: MariaDB v10.0.21
- OS: Arch Linux 2015.10.01 / Linux archpi 4.1.9-1-ARCH #1 PREEMPT Thu Oct 1 19:15:46 MDT 2015 armv6l GNU/Linux

192.168.1.22 (aka: Raspbian)
- Machine: Raspberry Pi v2 "B"
- Web Server: Apache v2.4.10 (as "www-data")
- Server Side Scripting: PHP v5.6.13
- Database: MySQL v5.5.44
- OS: Raspbian Jessie September 2015 / Linux raspberrypi 4.1.7-v7+ #817 SMP PREEMPT Sat Sep 19 15:32:00 BST 2015 armv7l GNU/Linux

192.168.1.33 (aka: XAMPP)
- Machine: VM - 512MB / 1 CPU
- Web Server: Apache v2.4.10 (as "SYSTEM")
- Server Side Scripting: PHP v5.4.31 (`display_errors` enabled by default)
- Database: MySQL v5.5.39
- OS: Windows XP Professional SP3 ENG x86 (Using XAMPP v1.8.2 package)

192.168.1.44 (aka: IIS)
- Machine: VM - 2GB / 1 CPU
- Web Server: IIS v8.0 (as "NT AUTHORITY\IUSR")
- Server Side Scripting: PHP v5.6.0
- Database: MySQL v5.5.45
- OS: Windows Server 2012 ENG x64