Web App Security Assignment: Lab Report 1
Victor Bauer

Table of contents

Part A: Password attack using BurpSuite
Part B: Username Enumeration against Mutillidae
    Find the differences
Part C: SQL Injection against Mutillidae
    Using sqlMap
Part D: Reflected and Stored XSS
    Stored XSS
    Reflected XSS
Part E: Session Token randomness
    Security: High
    Security: Medium
    Security: Low
Part F: Badstore
    Question 1
    Question 2
    Question 3
    Question 4
    Question 5
    Question 6
    Question 7 & 8
    Question 9
Part G: ZAP
Part H: w3af

Part A: Password attack using BurpSuite

Here I tried the username “test” and the password “test”, then the username “Bryce” with a list of passwords, using BurpSuite. The password list I used is the Samurai penetration-testing password list. Bryce’s password is “password”, as we can see below, where the response status is 302.

Part B: Username Enumeration against Mutillidae

Find the differences

Here we can see the difference between a login request with false credentials, on the left, and a correct one. The correct one is answered with a 302 Found status.

Now I’ll brute force the login and the password to find the matching pair, the one with a 302 status. There are a lot of possibilities here, so the operation takes a very long time to process with the free version of Burp Suite. I can show the result for a known username and password pair below: Bryce + password results in a 302 response status, so the username and the password matched.

Part C: SQL Injection against Mutillidae

Using sqlMap

I launched sqlMap against Mutillidae and found 8 databases. I explored the dvwa database a bit deeper; it contains a guestbook and a users table.

Part D: Reflected and Stored XSS

Stored XSS

We can spot a stored XSS by adding a comment, or anything else that is stored and viewed again by users. Here we can store a comment. We can see that my script’s alert pops up and shows my message when the comment appears on the screen. That’s a very gentle stored XSS; it will be processed by the browser every time a user goes to the page where the script is stored and printed.

Reflected XSS

Reflected XSS works when an input is directly viewed by the user, so I wrote the same code, a script alert, in the input, like below. And here is the result when I submit it: my message is directly viewed by the user.
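Looking back at Parts A and B from the defender’s side: an Intruder run of the kind described above leaves a very distinctive trace in the application’s login log, many failures from one address, several different usernames, then a single 302. The script below is an added example, not part of this report; the one-line-per-attempt log format and the sample lines are constructed for the example (they are not Mutillidae’s real log format), and the thresholds are assumptions a real deployment would tune.

```python
"""Constructed example (not from the report): spotting the Part A / Part B
activity in application login logs. The one-line-per-attempt log format
below is an assumption made for this example, not Mutillidae's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a normal user (10.0.0.4) and a burst from 10.0.0.9 that
# tries several usernames, then hammers one of them until a 302 comes back.
SAMPLE_LOG = """\
2024-03-01T10:00:01 ip=10.0.0.4 user=alice result=success status=302
2024-03-01T10:00:03 ip=10.0.0.9 user=admin result=fail status=200
2024-03-01T10:00:04 ip=10.0.0.9 user=root result=fail status=200
2024-03-01T10:00:05 ip=10.0.0.9 user=test result=fail status=200
2024-03-01T10:00:06 ip=10.0.0.9 user=bryce result=fail status=200
2024-03-01T10:00:07 ip=10.0.0.9 user=bryce result=fail status=200
2024-03-01T10:00:08 ip=10.0.0.9 user=bryce result=fail status=200
2024-03-01T10:00:09 ip=10.0.0.9 user=bryce result=fail status=200
2024-03-01T10:00:10 ip=10.0.0.9 user=bryce result=success status=302
2024-03-01T10:05:00 ip=10.0.0.4 user=alice result=fail status=200
2024-03-01T10:05:30 ip=10.0.0.4 user=alice result=success status=302
"""


def parse_line(line):
    """Turn '2024-03-01T10:00:01 ip=... user=... result=... status=...' into a dict."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def max_events_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside one window."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines, window=timedelta(seconds=60), fail_threshold=5, user_threshold=3):
    """Return one finding dict per (ip, kind). Thresholds are example values."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "fail"]
        burst = max_events_in_window([e["ts"] for e in fails], window)
        if burst >= fail_threshold:
            findings.append({"ip": ip, "kind": "password_guessing", "count": burst})
            # A success after the failures started is the "Bryce + password"
            # moment of Part B: a guessed credential worked, review that account.
            for e in events:
                if e["result"] == "success" and e["ts"] > fails[0]["ts"]:
                    findings.append({"ip": ip, "kind": "success_after_burst", "user": e["user"]})
        # Many different usernames failing from one address is the
        # enumeration pattern of Part B rather than a forgotten password.
        distinct_users = {e["user"] for e in fails}
        if len(distinct_users) >= user_threshold:
            findings.append({"ip": ip, "kind": "username_enumeration", "count": len(distinct_users)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The 302-versus-200 difference the report relies on to tell a good login from a bad one is the same oracle that makes enumeration work in the first place; answering an unknown username and a wrong password with an identical response, and rate-limiting failures per address and per account, removes the oracle and makes the burst above far slower to produce.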
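As an added example that is not part of this report, the following Python puts the Part C / Question 2 search injection and the Part D comment XSS next to their fixes. It uses an in-memory sqlite3 database standing in for the lab targets; the itemdb and guestbook schema and the 16 item rows are constructed assumptions, not the real lab schema, while the search payload is exactly the one used in Question 2.

```python
"""Constructed example (not from the report): the search-box injection of
Part C / Question 2 and the comment-box XSS of Part D, each shown as the
vulnerable code next to its fix. An in-memory sqlite3 database stands in for
the lab targets; the table and column names are assumptions for this example,
not Badstore's or Mutillidae's real schema.
"""
import html
import sqlite3

# Exactly the payload used in Question 2 of the report.
SQLI_PAYLOAD = "' or 1=1 union select count(*),null,null,null from itemdb/*"
# The kind of comment stored in Part D (constructed message).
XSS_PAYLOAD = '<script>alert("stored xss")</script>'


def make_db(n_items=16):
    """Constructed schema: an item table with 16 rows (the answer to Question 2)
    and a guestbook table like the one found with sqlmap in Part C."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE itemdb (id INTEGER, name TEXT, descr TEXT, price REAL)")
    con.executemany(
        "INSERT INTO itemdb VALUES (?, ?, ?, ?)",
        [(i, f"item{i}", f"description of item {i}", 1.5 * i) for i in range(1, n_items + 1)],
    )
    con.execute("CREATE TABLE guestbook (id INTEGER PRIMARY KEY, comment TEXT)")
    return con


def search_vulnerable(con, term):
    """The search term is pasted into the SQL text. The quote at the start of
    the payload closes the LIKE literal, 'or 1=1' selects every row, the UNION
    adds a row whose first column is count(*), and '/*' comments out the
    trailing %' so the statement still parses."""
    sql = f"SELECT id, name, descr, price FROM itemdb WHERE name LIKE '%{term}%'"
    return con.execute(sql).fetchall()


def search_safe(con, term):
    """Bound parameter: the payload is only a pattern that no item name matches."""
    sql = "SELECT id, name, descr, price FROM itemdb WHERE name LIKE ?"
    return con.execute(sql, (f"%{term}%",)).fetchall()


def store_comment(con, comment):
    """Storing the comment with a bound parameter is correct; the XSS problem
    is on the output side, in how the stored text is rendered."""
    con.execute("INSERT INTO guestbook (comment) VALUES (?)", (comment,))


def render_vulnerable(con):
    """Comments are dropped straight into the HTML, so a stored script runs on
    every page view, as observed in Part D."""
    rows = con.execute("SELECT comment FROM guestbook ORDER BY id").fetchall()
    return "".join(f"<p>{comment}</p>" for (comment,) in rows)


def render_safe(con):
    """Same page, but every comment is HTML-escaped on output: the browser shows
    the script as text instead of executing it."""
    rows = con.execute("SELECT comment FROM guestbook ORDER BY id").fetchall()
    return "".join(f"<p>{html.escape(comment, quote=True)}</p>" for (comment,) in rows)


if __name__ == "__main__":
    con = make_db()
    rows = search_vulnerable(con, SQLI_PAYLOAD)
    print(len(rows), "rows from the vulnerable search; count row present:",
          (16, None, None, None) in rows)
    print(len(search_safe(con, SQLI_PAYLOAD)), "rows from the parameterised search")
    store_comment(con, XSS_PAYLOAD)
    print(render_vulnerable(con))
    print(render_safe(con))
```

The vulnerable search returns the 16 items plus the extra (16, NULL, NULL, NULL) row the report read its answer from; the parameterised version returns nothing for the same input. Escaping at render time is the right place for the XSS fix because the guestbook must still store whatever text the user typed; what it must never do is hand that text to the browser as markup.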
The reflected script will only be processed once, because it’s not stored, unlike what we saw previously. This type of XSS also appears in the link of the page. This is how we can discover XSS.

Part E: Session Token randomness

Security: High

Security: Medium

Security: Low

Any of those statistics is very relevant, even if I made a large number of tests (at least 6000 tokens).

Part F: Badstore

Question 1

The name of the hidden field that establishes the privilege of the user is “role”, and its values are “U”, “A” and “S”: U for User, A for Admin, S for Supplier.

Question 2

In order to discover the number of items in the database, I first had to find the name of the database: badstoredb. After many tries in the search bar, this SQL select showed me the number of items in the table:

' or 1=1 union select count(*),null,null,null from itemdb/*

which is 16.

Question 3

A supplier can upload and view a price list on Badstore. In order to have a Supplier account, I changed the role field in the register form from “U” to “S” and then logged in with this account.

Question 4

The different answers are: 5500 0000 0000 0004 or 4111 1111 1111 1111. I reset the password of joe because I had his mail address; I just tested the colour in the reset-password form. Then I logged in as joe.

Question 5

The 2 people are Landon and Fred. I logged in as administrator as before, using the role field with an “A” instead of “U”.

Question 6

Here we can see both cookies: SSOID and the CART token.

Question 7 & 8

The randomness of the SSOID isn’t strong at all. Each user has his own token for all the requests and connections he will make. So it can be spoofed and the session usurped if you get the cookie.

Question 9

The cart token hasn’t any randomness either. The first part of the token is the time in seconds since 1970, after that the number of purchases, then the price of all the purchases, and then each purchase separately, each separated by a “:”.

Part G: ZAP

First part of ZAP: spidering the site.
Now it searches for issues, as the screenshot shows.

Part H: w3af

Here for w3af, I selected the sqlI and the blind sqlI options to discover. Then I started the scan. There are 4 results here, as described in the screenshot below.
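Part E and Badstore Questions 7 to 9 both come down to the same question: how much of a session or cart token actually varies, and is it secret at all, or just serialised state? The Python below is an added example, not part of this report, that asks that question in code rather than with Burp Sequencer. The cart-token layout it parses (seconds since 1970, number of purchases, total price, then one field per purchase, colon-separated) follows the structure described in Question 9; the sample tokens, the field names and the signing key are constructed for the example, not captured from Badstore.

```python
"""Constructed example (not from the report): assessing session tokens the
way Part E and Badstore Questions 7 to 9 do, but in code: how much of the
token actually varies, whether it is just serialised state, and how an
integrity check closes the gap.

The cart-token layout parsed here (seconds since 1970, number of purchases,
total price, then one field per purchase, colon-separated) follows the
structure described in Question 9; the sample tokens are constructed, not
captured from Badstore, and the field names are assumptions.
"""
import hashlib
import hmac
import math
import secrets
from collections import Counter


def positional_entropy_bits(tokens):
    """Sum, over character positions, of the Shannon entropy of the characters
    seen at that position. With n sampled tokens each position contributes at
    most log2(n) bits, so this is a floor on the space an attacker must search,
    not the true entropy. A result far below the token's length in bits is the
    red flag Part E is looking for."""
    if not tokens:
        return 0.0
    n = len(tokens)
    length = min(len(t) for t in tokens)
    total = 0.0
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        total += -sum((c / n) * math.log2(c / n) for c in counts.values())
    return total


def parse_cart_token(token):
    """Split a Question 9 style cart token into its fields. Raises ValueError
    when the purchase count disagrees with the number of purchase fields."""
    epoch, count, total, *items = token.split(":")
    parsed = {"created": int(epoch), "purchases": int(count),
              "total": float(total), "items": items}
    if parsed["purchases"] != len(items):
        raise ValueError("purchase count does not match item fields")
    return parsed


def sign_token(token, key):
    """Mitigation: append an HMAC so the client can no longer edit the fields
    (or the server keeps the cart and hands out only an opaque random id).
    The key is a server-side secret; here it is a constructed one."""
    tag = hmac.new(key, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}:{tag}"


def verify_token(signed, key):
    """Constant-time check of the tag; returns the bare token or None."""
    token, _, tag = signed.rpartition(":")
    expected = hmac.new(key, token.encode(), hashlib.sha256).hexdigest()
    return token if hmac.compare_digest(tag, expected) else None


# Constructed samples: a counter dressed up as a 128-bit hex token, and tokens
# of the same length from a CSPRNG.
WEAK_TOKENS = [f"{0x1000 + i:032x}" for i in range(64)]
STRONG_TOKENS = [secrets.token_hex(16) for _ in range(64)]
CART_TOKEN = "1700000000:2:15.5:item3:item7"
DEMO_KEY = b"constructed-demo-key-not-for-production"


if __name__ == "__main__":
    print("weak  :", round(positional_entropy_bits(WEAK_TOKENS), 1), "bits")
    print("strong:", round(positional_entropy_bits(STRONG_TOKENS), 1), "bits")
    print(parse_cart_token(CART_TOKEN))
    signed = sign_token(CART_TOKEN, DEMO_KEY)
    print("intact verifies:", verify_token(signed, DEMO_KEY) is not None)
    print("edited total verifies:",
          verify_token(signed.replace(":15.5:", ":0.0:"), DEMO_KEY) is not None)
```

The 64 counter-style tokens score 6 bits in total although each is 128 bits long, because only the last two hex digits ever change; the CSPRNG sample lands well above 80 bits with the same estimator. The cart token parses into plain fields, which is exactly the Question 9 observation, and the HMAC check shows the cheapest fix for a token that must carry state: a client can still read it, but any edit to the total or the items fails verification.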