yavw

• Yet another vulnerable webserver (to teach XSS/SQLi/command injection).
• Nils Ole Tippenhauer, SUTD, 2017
• Written using Python3, flask, and sqlite3 library
• Relatively small code base should allow students to understand what is going on, and possibly fix vulnerabilities
• Most vulnerabilities had to be manually enabled, as flask prevents them by default.
• Not much error handling, running in debug mode to allow students to see where things break
• Disclaimer: you should never make this server accessible to anyone except localhost. Even then, be aware it allows arbitrary command injection.
• The following are example questions I give my students in our exercise

Part 1: SQL Injection

• We distribute a yavw.py server script, run it with python3 locally to test out your exploits
• After starting the server locally, go to http://localhost:5000 to be greeted by a login page. Alice’s email is [email protected], but what is the password?
• Based on the example attacks from the class, find a way to log in as Alice!

Part 2: Cross-Site Scripting

• Note: restarting the webserver will refresh the SQL database

Persistent attack

• Log in as Alice again, and check the different options the website gives you. Can you use one of them to conduct a persistent XSS attack?
  • Your goal is to inject some code on a page that the admin user will look at
  • Your injected code (HTML or .js) should make the admin disclose his cookie to you
  • In particular, assume that the admin sees a list of all news when he logs in
• Find a way to inject a simple XSS string into the database
• Exploit this to obtain the session cookie of the victim! By using that session ID, you could take over an existing session the victim has with the website
  • Update your XSS to trick the admin’s browser to do an HTTP GET to a URL of the attacker’s choice
  • Make the admin visit http://localhost:5000/news?text=<adminsession>
  • This will create a public news entry with the admin’s session
• After injecting your XSS string, login as admin user to test that the injection works. Use the second password from the secrets file
  • Logout after displaying the main site, login as alice again (using the password, or the SQL injection)
  • You should now be able to see the news item!

Non-persistent attack

• Look for a way to temporarily inject code via a specifically crafted URL
• Exploit this to obtain the session of the victim (again)
  • Lets assume the admin is logged into the site when clicking on the link
  • Clicking the link should make the admin visit the localhost webserver with a specific URL, which then causes admin’s browser to issue a HTTP GET to http://localhost:5000/news?text=<adminsession>
  • Craft the URL, login as admin user, then visit the XSS URL you designed
  • Admin’s session should again be leaked as news item
  • Note: it might seem a bit redundant to do a non-persistent XSS attack to make the attacker visit the news URL. Try putting the javascript exploit code into a simple html file, and visit it with your browser. Does it still work, without being injected into the page? why not?
• We had to manually enable XSS attacks in our templates, can you spot where? Can you fix all XSS vulnerabilities you found?

Part 3: Command Injection

Listing secret file

• This time, we will not inject any JavaScript.
• Find a way to execute a shell command on the server by using one of the provided input fields
• Can you exploit this vulnerability to get the content of a local file, e.g. list the file “secret”?

Opening a reverse shell

• This time, we will try to get a local shell on the target server!
• A “reverse shell” is a program started on the victim machine, that connects to the attacker (to pass through firewalls and similar).
• We need two parts for this: a program waiting on your machine to accept incoming connections
  • Use something similar to nc -l -p 8080 -vvv on your machine to open a listener waiting on port 8080
  • When the victim connects, you should be able to type commands, which will be executed on the victim’s machine
• We also need a suitable command to run on the webserver (in this case, also localhost) to connect a shell to your machine
  • Hint: have a look at http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
• Inject that command similar to your previous command - Easy!?