VVATP


VAPT PROJECT DVWA2

Web Application Penetration Testing

Report

Confidential

Date:19 May 2021

Version: 1.0

Project: test Company

This document contains information that is confidential and proprietary, which shall not be disclosed outside Client A, transmitted, or duplicated, or used in whole or in part for any purpose other than its intended purpose. Any use or disclosure in whole or in part of this information without explicit written permission of Client A is prohibited. Cybereaon makes no warranty that the information contained in this document is complete or error free.

This report is solely for the information of Client A and Client A management and should not be used, circulated, quoted or otherwise referred to for any other purpose, nor included or referred to in whole or in part in any document without our prior written consent.

The specific IP addresses / domains were identified by Client A. Our subsequent test work, study of issues in detail and development of action plans are directed towards the issues identified. Consequently, this report may not necessarily comment on all the weaknesses perceived as important by Client A and / or Client A management.

CONFIDENTIALITY & PROPRIETARY

The issues identified and proposed action plans in this report are based on our testing. We made specific efforts to verify the accuracy and authenticity of the information gathered only in those cases where it was felt necessary.

The identification of the issues in the report is mainly based on the tests carried out during the limited time available for such an exercise. As the selection of the most relevant weaknesses / vulnerabilities is a matter of judgment given the time available, the outcome of the analysis may not be exhaustive or represent all possibilities, though we have taken reasonable care to cover the major eventualities.

The vulnerabilities reported in this report are valid as of Jan 1, 2021. Any vulnerability discovered after this date, or any exploit made available after May 9, 2020, does not come under the purview of this report.

Any configuration changes or software/hardware updates made to the hosts/machines or the application covered in this test after the date mentioned herein may impact the security posture either positively or negatively and hence invalidate the claims and observations in this report. Whenever the application is updated, we recommend that you conduct a penetration test to ensure that your security posture remains compliant with your security policies.

REPORT ANALYSIS

TABLE OF CONTENTS

EXECUTIVE SUMMARY
  Background
  Application Health
  Observations
  Recommendations
SCAN DETAILS
THREAT DISTRIBUTION
THREAT ANALYSIS – BY INSTANCE COUNT AND CVSS
THREAT ANALYSIS – BY SEVERITY LEVEL
VULNERABILITIES & RECOMMENDATIONS
  1. SQL Injection
  2. Reflected Cross Site Scripting
  3. Lack of password brute force prevention
  4. Information leakage through HTTP response headers

EXECUTIVE SUMMARY

BACKGROUND

On Dec 1 2020, Client A engaged Cybereaon to perform a security assessment of their Damn Vulnerable Web Application (DVWA) in an effort to ensure the security of their customers' personal information, which is processed and stored by the DVWA application.

APPLICATION HEALTH

Vulnerabilities in DVWA Web Application

OBSERVATIONS

During the course of this engagement we observed several areas of concern that we believe could pose a significant risk to the security of the application and should be addressed in a timely manner. By exploiting these vulnerabilities an attacker can retrieve any data from the database, including sensitive customer data, or take over other users' accounts.

IMMEDIATE ACTIONABLE RECOMMENDATIONS

1. Validate all user input using a whitelisting approach.
2. Perform output encoding of all user-supplied input that is reflected in the HTML response.
3. Add a CAPTCHA to the login page after three failed login attempts.

Overall application risk rating: HIGH

SCAN DETAILS

Start Date: 5th May, 2020
Finish Date: 9th May, 2020
Scan Time: 5 days
Server Technology: PHP
URL: https://hack.me/101047/dvwa-107.html
Credentials: User: admin, Role: Administrator
Scope: Black-Box

THREAT DISTRIBUTION

SEVERITY LEVEL   COLOR INDICATOR   CVSS CATEGORY
HIGH             RED               7.00-10.00
MEDIUM           ORANGE            4.00-6.99
LOW              GREEN             0.01-3.99

THREAT ANALYSIS – BY INSTANCE COUNT AND CVSS / BY SEVERITY LEVEL

FINDING                                                  SEVERITY   INSTANCE COUNT   CVSS
1. SQL Injection                                         HIGH       1                8.6
2. Reflected Cross Site Scripting                        MEDIUM     1                6.9
3. Lack of password brute force prevention               MEDIUM     1                4.9
4. Information leakage through HTTP response headers     LOW        1                1.0
   (Fingerprint Web Server)

VULNERABILITIES & RECOMMENDATIONS

1 SQL INJECTION

Relative Risk: High
Vulnerability Class: SQL Injection
CVSS: 8.6 (AV:N/AC:L/Au:S/C:P/I:P/A:C/E:H/RL:W/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M)
URL: https://hack.me/101047/dvwa-107.html/vulnerabilities/sqli/index.php
Parameter: id

OBSERVATION

The DVWA web application does not validate user input that is then used inside SQL queries. This allows an attacker to supply input containing SQL statements that alter the query so that it returns data of the attacker's choosing from the database. This class of vulnerability is termed SQL injection. With this vulnerability, an attacker can dump all data in the database that the current database user has privileges to access.

EXHIBITS

Step 1

Log in to the web application with the admin user account.

Step 2

Navigate to https://hack.me/101047/dvwa-107.html/vulnerabilities/sqli/index.php and search for user id 1' as shown in the exhibit. You will notice the following SQL error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

This error indicates that the user input is concatenated into a dynamic SQL string. With this knowledge, Cybereaon analysts were able to retrieve arbitrary data from the database.

Step 3

The following payload extracts the database version and the database name:

1' and 1=1 union all select @@version,database() from information_schema.tables#

The following sample data was retrieved from the database using the approach described above (values are shown in the exhibit screenshots):

DATABASE INFORMATION: database version, current user, database name

USER INFORMATION: Username, Password

Note: Password hashes are partially masked for security reasons.

IMPACT

An attacker can dump all data in the database that is available to the current database user. Dumped user credentials can further be misused to gain unauthorized access to other users' accounts. An account with only user privileges is sufficient to conduct this attack and thereby gain administrator-level access.

RECOMMENDATION

Validate all user input that reaches SQL queries using a whitelisting approach (see Immediate Actionable Recommendations).
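The mechanics of this finding, reduced to a runnable form. This is an added example written for this edited page, not code from the report or from DVWA: it uses an in-memory SQLite table with constructed sample rows (the column names are modelled on DVWA's users table but are an assumption here), and the dump payload is adapted to SQLite syntax (a `--` comment instead of MySQL's `#`, and no `@@version`). The vulnerable lookup concatenates the id exactly as the report describes; the fixed lookup binds it as a query parameter. That binding is the robust fix, and for a PHP application it means mysqli or PDO prepared statements; input whitelisting is a useful second layer but is easy to get wrong on its own.

```python
import hashlib
import sqlite3

# Constructed sample rows (not data from the engagement). The column layout is an
# assumption modelled on DVWA's users table.
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "password"),
    (2, "Gordon", "Brown", "gordonb", "abc123"),
    (3, "Hack", "Me", "1337", "charley"),
]


def md5hex(text):
    """Unsalted MD5 hex digest, used only to build the sample rows."""
    return hashlib.md5(text.encode()).hexdigest()


def open_sample_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
        "user TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [(uid, fn, ln, un, md5hex(pw)) for uid, fn, ln, un, pw in SAMPLE_USERS],
    )
    return con


def lookup_vulnerable(con, user_id):
    """Mirrors the flaw in the report: the id is pasted into the SQL string."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(query).fetchall()


def lookup_fixed(con, user_id):
    """Parameterised query: the id is bound as data and can never change the SQL."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(query, (user_id,)).fetchall()


def quote_probe_breaks_query(con):
    """The report's first probe (a bare quote). True when the database rejects the
    resulting SQL, the tell-tale sign of string concatenation."""
    try:
        lookup_vulnerable(con, "1'")
    except sqlite3.OperationalError:
        return True
    return False


# Closes the quoted literal, appends a UNION selecting two columns (to match the
# original SELECT), then comments out the trailing quote the application adds.
DUMP_PAYLOAD = "1' UNION ALL SELECT user, password FROM users -- "


def dumped_credentials(con):
    """Rows the vulnerable lookup returns for the payload, minus the genuine
    first_name/last_name row: the credential pairs the UNION smuggled out."""
    rows = lookup_vulnerable(con, DUMP_PAYLOAD)
    genuine = lookup_vulnerable(con, "1")
    return [row for row in rows if row not in genuine]


if __name__ == "__main__":
    db = open_sample_db()
    print("quote probe raises a syntax error:", quote_probe_breaks_query(db))
    print("vulnerable lookup with payload:", lookup_vulnerable(db, DUMP_PAYLOAD))
    print("fixed lookup with payload:", lookup_fixed(db, DUMP_PAYLOAD))
```

Against the parameterised version the same payload is compared as an opaque string to user_id and simply matches nothing; there is no query shape for the attacker to change.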

2 REFLECTED CROSS SITE SCRIPTING

Relative Risk: Medium
Vulnerability Class: Reflected Cross Site Scripting
CVSS: 6.9 (AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:W/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M)
URL: https://hack.me/101047/dvwa-107.html/vulnerabilities/xss_r
Parameter: name

OBSERVATION

The DVWA web application does not perform output encoding of special characters to prevent Cross Site Scripting. In one instance, user-supplied input containing special characters such as <, >, ', /, etc. is echoed back in the HTML response without any output encoding. This allows an attacker to inject malicious JavaScript which can steal the victim's cookies, redirect them to a malicious website, etc.

EXHIBITS

Step 1

Navigate to http://hack.me/vulnerabilities/xss_r.

Step 2

Submit the following payload in the name parameter:

<iframe onload="alert(document.location)">

Step 3

A dialog box showing the current URL is displayed as a result of the payload.

IMPACT

Reflected Cross Site Scripting is relatively complex to exploit, as the malicious payload has to be sent as part of a URL and the user has to be tricked into visiting that URL. However, it has the same impact as a persistent XSS. In the DVWA application, XSS can be used to hijack the victim's session and thereby gain complete access to his/her user account. Additionally, it can be used to redirect the victim to a malicious website which may contain browser exploits or a phishing page.

RECOMMENDATION

Perform output encoding of all user-supplied input that is reflected in the HTML response (see Immediate Actionable Recommendations).
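The reflection and the fix side by side, as an added example for this edited page rather than code from the report or from DVWA. `render_vulnerable` echoes the name parameter raw, as the report describes, and `render_fixed` applies HTML entity encoding for a text context (the PHP equivalent is `htmlspecialchars($name, ENT_QUOTES, 'UTF-8')`). The parser-based check reads the rendered page the way a browser would and lists every `on*` event-handler attribute, so it shows the report's payload becoming a live iframe element in one case and inert text in the other. The `<pre>Hello ...</pre>` template is an assumption for illustration.

```python
import html
from html.parser import HTMLParser

# Payload from the report: no <script> tag needed, the handler fires when the
# iframe loads.
XSS_PAYLOAD = '<iframe onload="alert(document.location)">'


def render_vulnerable(name):
    """Echoes the parameter into the page unchanged (the template is an assumption)."""
    return f"<pre>Hello {name}</pre>"


def render_fixed(name):
    """Entity-encodes for an HTML text context: < > & \" ' become entities."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


class EventHandlerFinder(HTMLParser):
    """Collects (tag, attribute, value) for every on* attribute the browser would see."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr.lower().startswith("on"):
                self.handlers.append((tag, attr, value))


def find_event_handlers(page):
    """Parse a rendered page and return the inline event handlers it contains."""
    finder = EventHandlerFinder()
    finder.feed(page)
    finder.close()
    return finder.handlers


def reflects_unencoded(page, payload):
    """True when the payload survives in the response byte-for-byte."""
    return payload in page


if __name__ == "__main__":
    for render in (render_vulnerable, render_fixed):
        page = render(XSS_PAYLOAD)
        print(render.__name__, find_event_handlers(page), page)
```

Encoding is context-specific: entity encoding is correct for HTML text and for values inside quoted attributes, but input reflected into a JavaScript block, a URL, or an unquoted attribute needs that context's encoder instead. A Content-Security-Policy that disallows inline script is a worthwhile second layer, since it would block the `onload` handler above even if an encoding mistake slipped through.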

3 LACK OF PASSWORD BRUTE FORCE PREVENTION

Relative Risk: Medium
Vulnerability Class: Lack of password brute force prevention
CVSS: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N/E:POC/RL:W/RC:C/CDP:LM/TD:M/CR:M/IR:M/AR:M)
URL: http://hack.me/login.php
Parameter: password

OBSERVATION

The DVWA application neither locks out a user account nor presents a CAPTCHA after 'n' failed login attempts. Cybereaon analysts tested with a threshold of 15 failed login attempts, during which the account was not locked out and no CAPTCHA was presented.

EXHIBITS

Step 1

Navigate to the login page of http://s28280-101047-qho.sipontum.hack.me and provide an invalid username and password.

Step 2

Repeat step 1 multiple times. You will notice that the application neither presents a CAPTCHA to the user nor blocks the victim user's account.

Step 3

Use a valid password and the application will redirect you to the account details rather than displaying an error message indicating that the account is locked out.

IMPACT

An attacker can use a brute force attack to guess the valid password for an account. In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Another form of brute force attack, known as a dictionary attack, tries all the words in a dictionary to guess the user's password. Moreover, in the absence of a strong password policy, this vulnerability is relatively easy to exploit.

RECOMMENDATION

Password brute force attacks can be prevented by presenting the user with a strong CAPTCHA after 3 failed attempts. Additionally, blocking the source IP address or a temporary account lockout can be implemented after 15 failed attempts. The latter method can also be misused by an attacker to lock multiple user accounts and thereby create a denial-of-service situation.

References: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
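The recommended thresholds implemented as a small server-side throttle. This is an added example written for this edited page, not code from the report or from DVWA; the class name, the 15-minute window and the keying scheme are assumptions. The CAPTCHA counter is keyed on the account, so distributed guessing against one user still gets challenged, while the hard lockout is keyed on (account, source IP), so a single remote attacker cannot lock a legitimate user out of their own account, which is the denial-of-service concern the recommendation raises. Counters expire with the window, and a successful login clears them.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account CAPTCHA after a few failures, per-(account, source IP) lockout
    after many. Names, window length and keying are assumptions for this example."""

    def __init__(self, clock=time.monotonic, captcha_after=3, lock_after=15, window=900):
        self.clock = clock                 # injectable for deterministic testing
        self.captcha_after = captcha_after
        self.lock_after = lock_after
        self.window = window               # seconds a failure stays counted
        self.account_failures = defaultdict(list)   # username -> [timestamp, ...]
        self.source_failures = defaultdict(list)    # (username, ip) -> [timestamp, ...]

    def _recent(self, bucket, key, now):
        """Drop failures older than the window and return how many remain."""
        bucket[key] = [t for t in bucket[key] if now - t < self.window]
        return len(bucket[key])

    def check(self, username, ip):
        """What the next attempt from `ip` against `username` must meet:
        'locked' (reject before checking the password), 'captcha' (require a
        solved challenge before checking it) or 'ok'."""
        now = self.clock()
        if self._recent(self.source_failures, (username, ip), now) >= self.lock_after:
            return "locked"
        if self._recent(self.account_failures, username, now) >= self.captcha_after:
            return "captcha"
        return "ok"

    def record_failure(self, username, ip):
        now = self.clock()
        self.account_failures[username].append(now)
        self.source_failures[(username, ip)].append(now)

    def record_success(self, username, ip):
        """A genuine login clears the counters for that account and source."""
        self.account_failures.pop(username, None)
        self.source_failures.pop((username, ip), None)


def simulate_attack(attempts, attacker_ip="198.51.100.7", username="admin"):
    """Drive the throttle with a frozen clock and return the state each attempt met."""
    clock_now = [0.0]
    throttle = LoginThrottle(clock=lambda: clock_now[0])
    states = []
    for _ in range(attempts):
        states.append(throttle.check(username, attacker_ip))
        throttle.record_failure(username, attacker_ip)
    return states


if __name__ == "__main__":
    for attempt, state in enumerate(simulate_attack(16), start=1):
        print(f"attempt {attempt:2d}: {state}")
```

Keying the lockout on source IP is weakened by NAT, shared proxies and botnets, so it should be combined with the account-wide CAPTCHA and a progressive delay rather than relied on alone, and every 'captcha' or 'locked' decision is worth logging: a burst of them against one account is the detection signal for exactly the attack the report describes.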

4 INFORMATION LEAKAGE THROUGH HTTP RESPONSE HEADERS

Relative Risk: Low
Vulnerability Class: Information leakage through HTTP response headers
CVSS: 1.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:W/RC:C/CDP:N/TD:L/CR:M/IR:M/AR:M)
URL: http://hack.me/
Parameter: Not Applicable

OBSERVATION

The web server hosting the DVWA application is configured so that the application server (PHP) version is disclosed to end users in an HTTP response header.

EXHIBITS

Step 1

Request any page of the application and observe the response headers in Burp Suite, as shown in the exhibit.

IMPACT

An attacker can learn the PHP version running on the web server from the response header and search for known vulnerabilities in PHP 5.4.23 for further exploitation. There is no direct business impact from this vulnerability on its own, but suppressing it falls under security best practice.

RECOMMENDATION

Suppress version disclosure in HTTP response headers: for PHP, set expose_php = Off in php.ini so that the X-Powered-By header is no longer sent, and disable server signature and version strings in the web server configuration (for example ServerTokens Prod on Apache or server_tokens off on nginx). Hiding the version string does not address the underlying software: PHP 5.4 is no longer supported and should be upgraded to a maintained release.
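A small checker for this class of finding, added for this edited page (it is not the report's tooling). It parses a raw HTTP response and reports the headers that fingerprint the stack, pulling out a version string where one is present, and also flags the default session cookie names that give the platform away. Both responses below are constructed for the example: the leaky one carries the PHP/5.4.23 value the report cites in the X-Powered-By header PHP emits while expose_php is enabled, plus PHP's default PHPSESSID cookie; the hardened one shows the same response once the directives above are applied.

```python
import re

# Constructed sample responses, not captures from the engagement.
RAW_LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.4.23\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "\r\n"
    "<html><body>DVWA</body></html>"
)
RAW_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: sid=abc123; path=/; HttpOnly\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><body>DVWA</body></html>"
)

# Headers whose only job is to advertise the server stack.
DISCLOSURE_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator",
}
# Default session cookie names that identify the platform even without a header.
COOKIE_FINGERPRINTS = {"phpsessid", "jsessionid", "asp.net_sessionid"}
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def parse_response_headers(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name_lower, value), ...])."""
    head, _, _ = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def find_disclosures(raw):
    """Return [(header, value, version_or_None)] for every fingerprinting header
    or cookie in the response."""
    _, headers = parse_response_headers(raw)
    found = []
    for name, value in headers:
        if name in DISCLOSURE_HEADERS:
            match = VERSION_RE.search(value)
            found.append((name, value, match.group(0) if match else None))
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name.lower() in COOKIE_FINGERPRINTS:
                found.append((name, cookie_name, None))
    return found


if __name__ == "__main__":
    for label, raw in (("leaky", RAW_LEAKY), ("hardened", RAW_HARDENED)):
        print(label, find_disclosures(raw))
```

A product name without a version (the bare Server: Apache here) is a weaker signal than an exact version such as 5.4.23, which is what lets an attacker go straight to the matching advisories; the checker reports both so the two can be triaged separately.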
