LAB10


Burp Suite to Hack a Vulnerable Web Service

Introduction

Application security penetration testing is a black-box testing method and an effective way to secure a web application. In this lab, you will “pentest” a vulnerable web application (DVWS) that is installed on a Linux virtual machine. You will use Burp Suite in your pentest and launch a NoSQL injection attack against MongoDB.

Burp Suite is an integrated platform to test web applications from initial mapping and analysis of an application’s attack surface to finding and exploiting security vulnerabilities (https://portswigger.net/burp/communitydownload).

DVWS stands for Damn Vulnerable Web Service. It contains many web vulnerabilities; you can find the updated list on https://github.com/snoopysecurity/dvws-node.

Instructions

Part 1: Launching DVWS


  1. Type in “isecstudent” without quotes as the password to log in to Ubuntu.


This virtual machine has two docker containers in the “Exited” state. One container runs the MySQL database service; the other runs the MongoDB database service. MySQL stores the credentials used to log in to DVWS. MongoDB stores the passphrases generated by the “PassPhrase Generator” application within DVWS. You will launch a NoSQL injection attack against the PassPhrase Generator, since MongoDB is a NoSQL database.


  2. Find the ID numbers of both database containers and start them; DVWS cannot launch successfully without them. Open a terminal by clicking the terminal icon on the left menu.
    1. Type sudo docker ps -a and hit Enter.
    2. Type in the password: isecstudent

This command shows the ID numbers of both containers, their status (Exited), and other information.

  3. Run the following commands to start the docker containers:
    1. sudo docker start dvws-mysql_id
    2. sudo docker start mongodb_id

Don’t forget to replace “dvws-mysql_id” and “mongodb_id” with the real ID numbers.

  4. Change directory to the dvws-node folder; it contains the files required to launch DVWS.
    1. cd dvws-node
  5. Run this command to start DVWS:
    1. sudo npm run dvws

Wait a couple of seconds until you see the message “API listening at :80”.

  6. Open the Firefox browser by clicking its icon on the left menu.
  7. Type “localhost” into the address bar to make sure that DVWS is working.

Part 2: Leveraging NoSQL Injection Attack Using Burp Suite

  1. Before using DVWS, change the proxy setting of the Firefox browser as shown below, so that all traffic between the browser (client) and DVWS (server) passes through Burp Suite.
  2. Run Burp Suite by clicking the Activities at the top left corner and then typing Burp.
  3. Click Next on the “Temporary Project” screen.
  4. Click “Start Burp” with “Use Burp defaults” selected.
  5. Click on the Proxy tab and set the Intercept setting to off.
  6. Switch to the Firefox window. Refresh the website.
  7. Register to DVWS by choosing a username and password, then click Register.
  8. Log in to the DVWS using the credentials you determined in registration.
  9. Click Passphrase Generator application after login. It is a vulnerable application in DVWS that uses MongoDB.
  10. Type a name, such as test1, into the first text field.
  11. Click Generate, then click Save PassPhrase (you can repeat this step a few times).
  12. Visit HTTP History to examine the HTTP requests and responses generated when a new passphrase is saved.
  13. Right-click the /api/v2/passphrase/yourname line in the URL column and choose Send to Repeater.
  14. Go to the Repeater tab.


  15. Modify the request by inserting a ' character at the end of the URL, as shown below (/api/v2/passphrase/yourname'). Press the Send button, then examine the response, which indicates an error.
  16. Modify the request by inserting ' or '1'='1 at the end of the URL, as shown below (/api/v2/passphrase/yourname' or '1'='1).
  17. Click the Send button. Confirm the second error message, as shown below.
  18. Before clicking the Send button a second time, select the inserted input, right-click the selection, and encode it.


  19. After pressing the Send button, examine the response, which will show all saved passphrases. This output means that the web application is vulnerable.
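As an added example (not DVWS's or the lab's own code) of the defect behind the injection steps in Part 2, the following Node.js model shows a hypothetical handler that concatenates the URL path parameter into a MongoDB $where expression, the same handler receiving the injected input, and a hardened handler that treats the name purely as data. The $where model here is plain JavaScript, so the boolean OR is written ||; DVWS's actual query construction is not reproduced, and the collection contents are constructed.

```javascript
// Constructed in-memory stand-in for the "passphrases" MongoDB collection.
const passphrases = [
  { name: "test1", passphrase: "alpha-bravo-charlie" },
  { name: "alice", passphrase: "delta-echo-foxtrot" },
  { name: "bob", passphrase: "golf-hotel-india" },
];

// Minimal model of MongoDB's $where: the expression is JavaScript evaluated
// once per document with `this` bound to that document. A syntactically
// broken expression throws, which mirrors the error seen after a lone quote.
function whereQuery(collection, jsExpression) {
  const predicate = new Function(`return (${jsExpression});`);
  return collection.filter((doc) => predicate.call(doc));
}

// Express-style routing decodes the path segment before the handler sees it.
// This is why the payload must be URL-encoded: a raw space or quote in the
// request line never reaches the handler intact.
function pathParam(rawSegment) {
  return decodeURIComponent(rawSegment);
}

// Hypothetical vulnerable handler: the path parameter is concatenated into
// the $where string, so a quote in the input escapes the string literal.
function findPassphrasesVulnerable(rawSegment) {
  const name = pathParam(rawSegment);
  return whereQuery(passphrases, "this.name == '" + name + "'");
}

// Hardened handler: the name is validated and only ever compared as data,
// never evaluated as part of a query expression.
function findPassphrasesSafe(rawSegment) {
  const name = pathParam(rawSegment);
  if (!/^[A-Za-z0-9_-]{1,32}$/.test(name)) return []; // reject anything else
  return passphrases.filter((doc) => doc.name === name);
}

// The injected input as it would appear, URL-encoded, in the request line.
const PAYLOAD = encodeURIComponent("test1' || '1'=='1");
```

Run with node: the vulnerable handler returns every stored passphrase for PAYLOAD, while the hardened handler returns nothing.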

Questions

  1. How did Burp Suite make your job, as a penetration tester, easier? (10 pts)
  2. Explain what you did in Steps 17, 18, and 19. Why did you encode the string? (15 pts)
  3. Which of the following action(s) were performed by Burp Suite? (10 pts) Briefly explain.
    1. Vulnerability scanning
    2. The exploitation of a vulnerability
    3. Proxy
    4. Traffic generation
    5. Traffic analysis
  4. Summarize what you’ve done in this lab as if you are explaining it to a non-technical person. (15 pts)