You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Yet another vulnerable webserver (to teach XSS/SQLi/command injection).
Nils Ole Tippenhauer, SUTD, 2017
Written using Python3, flask, and sqlite3 library
Relatively small code base should allow students to understand what is going on, and possibly fix vulnerabilities
Most vulnerabilities had to be manually enabled, as flask prevents them by default.
Not much error handling, running in debug mode to allow students to see where things break
Disclaimer: you should never make this server accessible to anyone except localhost. Even then, be aware it allows arbitrary command injection.
The following are example questions I give my students in our exercise
Part 1: SQL Injection
We distribute a yavw.py server script, run it with python3 locally to test out your exploits
After starting the server locally, go to http://localhost:5000 to be greeted by a login page. Alice’s email is [email protected], but what is the password?
Based on the example attacks from the class, find a way to log in as Alice!
Part 2: Cross-Site Scripting
Note: restarting the webserver will refresh the SQL database
Persistent attack
Log in as Alice again, and check the different options the website gives you. Can you use one of them to conduct a persistent XSS attack?
Your goal is to inject some code on a page that the admin user will look at
Your injected code (HTML or .js) should make the admin disclose his cookie to you
In particular, assume that the admin sees a list of all news when he logs in
Find a way to inject a simple XSS string into the database
Exploit this to obtain the session cookie of the victim! By using that session ID, you could take over an existing session the victim has with the website
Update your XSS to trick the admin’s browser to do an HTTP GET to a URL of the attacker’s choice
Make the admin visit http://localhost:5000/news?text=<adminsession>
This will create a public news entry with the admin’s session
After injecting your XSS string, login as admin user to test that the injection works. Use the second password from the secrets file
Logout after displaying the main site, login as alice again (using the password, or the SQL injection)
You should now be able to see the news item!
Non-persistent attack
Look for a way to temporarily inject code via a specifically crafted URL
Exploit this to obtain the session of the victim (again)
Lets assume the admin is logged into the site when clicking on the link
Clicking the link should make the admin visit the localhost
webserver with a specific URL, which then causes admin’s browser
to issue a HTTP GET to http://localhost:5000/news?text=<adminsession>
Craft the URL, login as admin user, then visit the XSS URL you designed
Admin’s session should again be leaked as news item
Note: it might seem a bit redundant to do a non-persistent XSS
attack to make the attacker visit the news URL. Try putting
the javascript exploit code into a simple html file, and visit
it with your browser. Does it still work, without being injected into the page? why not?
We had to manually enable XSS attacks in our templates, can you spot where? Can you fix all XSS vulnerabilities you found?
Part 3: Command Injection
Listing secret file
This time, we will not inject any JavaScript.
Find a way to execute a shell command on the server by using one of the provided input fields
Can you exploit this vulnerability to get the content of a local file, e.g. list the file “secret”?
Opening a reverse shell
This time, we will try to get a local shell on the target server!
A “reverse shell” is a program started on the victim machine, that connects to the attacker (to pass through firewalls and similar).
We need two parts for this: a program waiting on your machine to accept incoming connections
Use something similar to nc -l -p 8080 -vvv on your machine to open a listener waiting on port 8080
When the victim connects, you should be able to type commands, which will be executed on the victim’s machine
We also need a suitable command to run on the webserver (in this case, also localhost) to connect a shell to your machine