Week 1 - Web App Testing Basics


Web app testing basics

Ethical Hacking lab exercises.

Note that the information contained in this document is for educational purposes.

Contents
1 The environment
2 Running the web app virtual machine
2.1 Examining the structure of the virtual machine
2.1.1 Menu: - Main Training Applications
2.1.2 Menu: - Examine the virtual machine
2.1.3 Menu: Realistic Web Apps
2.1.4 Menu: Others
2.2 Examining the main applications
2.2.1 Damn Vulnerable Web App “DVWA”
2.2.2 Mutillidae
2.2.3 bWAPP
2.3 Examining the databases
2.4 Examining the entire OWASP BWA virtual machine
2.5 Kali Linux
2.5.1 Configuring OWASP ZAP Web proxy
2.6 OWASP Mantra
Appendices
Appendix A

1 THE ENVIRONMENT
The following exercises are to familiarise you with the environment in the hacking lab and also the range
of tools (and their platforms) that are available for learning and testing web application security.

The system will be set up so that there are several vulnerable web server virtual machines (named Bee-Box, OWASP Broken Web Apps, Badstore and a Windows Web App). There will also be two attacking machines, i.e. your main Windows 7 desktop and Kali Linux.

• Run VMware from the Desktop.

• Any virtual machines to be used will be in the Web App testing Virtual Machines folder. There will normally only be one.

The virtual machine's network adapter is set to VMnet1. This is a virtual network adapter configured as Host-Only, so the virtual machines can reach your desktop (and each other) but not the outside network.

• The IP address for the virtual adapter VMnet1 has been set to 192.168.1.200. This can be checked by opening a command prompt on your main Windows 7 desktop and running ipconfig /all. This is the IP address of your main Windows desktop on the lab network; the vulnerable virtual machine is reached at 192.168.1.100.

2 RUNNING THE WEB APP VIRTUAL MACHINE
To ensure that configuration errors are kept to a minimum, a virtual machine snapshot named “Booted” has been created for the virtual machine. To revert to it, right-click the virtual machine and choose Revert to Snapshot: Booted.

2.1 EXAMINING THE STRUCTURE OF THE VIRTUAL MACHINE.
The OWASP Broken Web Apps virtual machine is pre-installed with a number of deliberately vulnerable applications. The lab virtual machine is a copy of it that has been adapted to include other applications.

Note: for the OWASP Broken Web Apps virtual machine:

Username: root    Password: owaspbwa

• In Firefox, browse to http://192.168.1.100

The front page main menu has been divided into sections: -

2.1.1 Menu: - Main Training Applications

These are the usual applications that will be examined in class. Their vulnerabilities are classified by type, which means that we can concentrate on individual flaws.

2.1.2 Menu: - Examine the virtual machine

These applications allow us to quickly examine the server side of the web application. There are other methods, which are described below.

2.1.3 Menu: Realistic Web Apps
These are deliberately vulnerable web applications that look realistic.

2.1.4 Menu: Others

This menu includes the full menu for OWASP BWA and anything else of interest.

2.2 EXAMINING THE MAIN APPLICATIONS

In this section, we will examine how to access each of the main training applications from a browser on your main desktop, and then we will also look at the PHP code on the server. The main applications we will be using are:

1. DVWA.
2. Mutillidae
3. bWAPP
4. SQLi Labs (Advanced SQL Injection).

For each section, choose the appropriate menu item from the main web page at 192.168.1.100.

2.2.1 Damn Vulnerable Web App “DVWA”
This excellent application was developed by Ryan Dewhurst (an ethical hacking graduate from
Northumbria University). The application has been developed to illustrate common PHP web application
vulnerabilities and their solutions.

• The username is admin and the password is password.

• Examine the DVWA environment.

• Note the DVWA Security menu, where the security level can be set to Low, Medium or High. This simulates different levels of skill/awareness in the web coders.

• Set it to Low initially.

As we use, test and break this application, we can examine the PHP code that is running on the virtual machine.

We can easily browse, using the menu from the main web page, to http://192.168.1.100/filemanager/filemanager.php

• Browse to the dvwa folder.

• To examine the code for each of the menu options, open the folder Vulnerabilities.

• The first menu item in DVWA is Brute Force. Open the folder “brute” and examine its source folder.

• The PHP code that runs for the settings HIGH, MEDIUM and LOW can be examined there, one file per level.

• There is also a View Source button at the bottom of each page of the DVWA application. This shows the code that is running for the current security level while we test the application.

• Also note that some exercises involve modifying or destroying data. The database can be reset back to the default using the Setup menu.

2.2.1.1 Using WinSCP to transfer files.
WinSCP is a Windows application that allows us to view and transfer files on a Linux machine over SSH (SFTP/SCP).
• Run WinSCP from the Windows menu.

• Select a new session to 192.168.1.100 and connect (root/owaspbwa).

• Have a look around the file system and note that there should be a link to the web root (/var/www).

2.2.2 Mutillidae
Mutillidae is a free, open source PHP web application, similar to DVWA in that it is deliberately vulnerable and also illustrates how the PHP code should be written.

• From the main machine, use the Firefox bookmarks or browse to http://192.168.1.100/mutillidae/

• Register a user called hacklab (password hacklab).

• Then, from the main menu, log in using this account.

• Similar to DVWA, the Security Level can be toggled between 0, 1 and 5.

The PHP code can be examined on the virtual machine, showing the effect of this value.

• Examine a PHP file in /var/www/mutillidae and you should see a series of switch/case statements near the top that select the code path according to the security level.

• In the web application, hints can also be toggled.

Note that the database can also be reset back to default. This is useful if we delete or alter user data in
the future.

2.2.3 bWAPP
This relatively new application groups the vulnerabilities extremely well.

• Use the Firefox bookmarks or browse to http://192.168.1.100/bWAPP/login.php

• Log in with a username of bee and a password of bug.

• Examine the menus.

• Examine the folder /var/www/bWAPP and examine the PHP code.

Note that bWAPP also uses switch/case statements for the security levels. The main website for bWAPP is http://www.itsecgames.com. The blog is excellent and has several tutorials related to bWAPP:
http://itsecgames.blogspot.co.uk/
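The security-level switch/case pattern that the DVWA (low/medium/high source files), Mutillidae and bWAPP notes above describe, as an added illustrative example. This is not code from any of those applications: the users table and its rows, the level numbers (0, 1 and 5, following Mutillidae) and the lookup_user() function are assumptions made for this example, and SQLite is used in place of MySQL so that it runs on any machine with PHP's bundled PDO SQLite driver and no database server.

```php
<?php
// Illustrative example of the switch/case "security level" pattern used by
// DVWA, Mutillidae and bWAPP. Not code from any of those projects: the
// table, its rows, the level numbers and lookup_user() are assumptions
// made for this example. Runs stand-alone: php security_levels.php

function build_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    // Constructed sample rows, not data taken from any of the lab applications.
    $db->exec("INSERT INTO users (username, password) VALUES "
            . "('admin', 'password'), ('bee', 'bug'), ('hacklab', 'hacklab')");
    return $db;
}

// Look up a user by name, building the query differently for each security
// level, in the way the lab applications branch on the level stored in the
// session or a cookie.
function lookup_user(PDO $db, int $level, string $username): array {
    switch ($level) {
        case 0:
            // Level 0: raw string concatenation. A quote in $username ends
            // the string literal and the rest is parsed as SQL.
            $sql  = "SELECT id, username FROM users WHERE username = '" . $username . "'";
            $stmt = $db->query($sql);
            break;

        case 1:
            // Level 1: quote escaping. PDO::quote() wraps the value in quotes
            // and escapes embedded quotes, so the classic ' OR '1'='1 fails,
            // but the SQL is still assembled from user input (a string
            // filter, not a fix for numeric columns, LIKE patterns, ORDER BY).
            $sql  = "SELECT id, username FROM users WHERE username = " . $db->quote($username);
            $stmt = $db->query($sql);
            break;

        default:
            // Level 5 (and any unknown level): parameterised query. The value
            // travels separately from the SQL text and is never parsed as SQL.
            $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
            $stmt->execute([$username]);
            break;
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db      = build_db();
$payload = "' OR '1'='1";   // the textbook injection string for a quoted value

foreach ([0, 1, 5] as $level) {
    $rows = lookup_user($db, $level, $payload);
    printf("level %d: %d row(s) returned for input %s\n", $level, count($rows), $payload);
}
```

Only level 0 is exploitable by the payload, which turns the WHERE clause into one that is true for every row. Level 1 defeats that particular string but still builds SQL by concatenation, which is why the lab applications treat escaping as an intermediate level rather than a fix. Level 5 never lets the input reach the SQL parser, and that is the pattern to look for when comparing the low and high source files on the virtual machine.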

2.3 EXAMINING THE DATABASES.
Many of the applications on the virtual machine use the "AMP" stack, i.e. the Apache web server, MySQL and PHP. Each of the applications stores its data in MySQL. The databases can easily be managed using phpMyAdmin, which is linked from the main web page.

• Browse to http://192.168.1.100 and then to http://192.168.1.100/phpmyadmin/

• Log in as root/owaspbwa.

The databases for each of the applications can be viewed and manipulated.

• Examine the system and the databases.

2.4 EXAMINING THE ENTIRE OWASP BWA VIRTUAL MACHINE.
The OWASP “Broken Web Applications” virtual machine has a lot of different web applications installed.

• From http://192.168.1.100/, browse the rest of the applications by clicking on the image at the bottom of the page.

2.5 KALI LINUX
Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing, and it has been installed under VMware on these machines.

• Run the Kali virtual machine (by reverting to the snapshot Booted).

• Examine the menus related to Web Application Analysis.

2.5.1 Configuring OWASP ZAP Web proxy

OWASP ZAP (Zed Attack Proxy) is a free and open source intercepting (man-in-the-middle) proxy. It allows the HTTP and HTTPS traffic between the browser and the web application to be viewed, and allows requests and responses to be intercepted and altered before they are passed on. Most proxies are very similar to set up.

• Run OWASP ZAP from the Web Application Analysis menu in Kali (it can be slow to start the first time).

• When asked whether to persist the session, select the first option.

• ZAP (like the Paros proxy it was derived from) listens on port 8080 by default. We must configure our browser to send its traffic to this port.

• Run the Dolphin web browser (this can be run from the first icon on the left hand menu).

Now we can tell the browser to send its traffic to the proxy at localhost, port 8080.

• You may have to enable the menu bar (right-click on the bar at the top).

• Then select Edit and Preferences.

• Then Advanced, Network.

• Enter the proxy (localhost, port 8080) and also make sure that the "No proxy for" field is blank. Any address listed there (localhost and 127.0.0.1 are the usual defaults) bypasses the proxy and its traffic will never appear in ZAP.

You should be able to browse to a website on a virtual machine. The information should be captured in OWASP ZAP.

• All requests and responses should also be captured.

2.6 OWASP MANTRA

OWASP Mantra is a Firefox-based web browser that comes with many useful security plugins pre-installed. Make sure that you close any Firefox windows before starting it.

Run Mantra from the desktop folder.

• Examine the Tools menu (especially the Application Auditing submenu).
  ◦ Examine the use of Tamper Data and Live HTTP Headers.

APPENDICES
APPENDIX A
The “Open Web Application Security Project” (OWASP) is an open community that runs a series of open-source web application security projects. The OWASP community includes corporations, educational organisations, and individuals from around the world. Its website is very large, with many different projects and lots of information on both attacking and defending web applications.

You should be aware of OWASP and should consult this site as the primary reference.

Examine the following pages: -

OWASP Website

 https://www.owasp.org/index.php/Main_Page

OWASP Top 10.

 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Fixing the flaws.

 https://www.owasp.org/index.php/Cheat_Sheets

OWASP Projects page (A lot of work going on).

 https://www.owasp.org/index.php/Category:OWASP_Project
