So, it’s been fun for the past 4 years here at the labs, but it’s time to close down this chapter and think about doing something else. As I type this, I’m scp’n down a copy of all the nonsense accumulated over the years. Thanks to everyone who played along with us.
First, I love Damn Vulnerable Web App (DVWA). I’ve made use of it on multiple occasions for instruction and emphasis related to common web application attack vectors. While I certainly do enjoy showing real applications getting hurt, some of the DVWA features are perfect for compressed training: specifically, the ability to click to show the vulnerable PHP code, and to change security levels for progressively more interesting examples.
Now I have one more reason to love it. It’s stupid easy to add your own vulns into this app!
My example in this case is the addition of DOM-based XSS bugs. My need was to illustrate this bug class for a small group of infosec professionals. I wanted to touch briefly on the current reflected vs. stored examples and then move on to contrasting those with DOM-based examples.
If you’d like to give my changes a try download it here.
The current low security level is a basic eval() sink, medium is an innerHTML sink, and high is the same innerHTML sink behind a bit of naive validation. This should work nicely for my situation and hopefully is consistent with the intent of the DVWA project.
I wasn’t able to find an e-mail address for the project maintainer, but on the off chance you read this post…what do you think?
Recently, longtime LOL member monstream00 has been working on some hot new Cortana scripts. I’m particularly fond of the autoDiscover.cna additions. That said, be careful where you point that thing.
Check them out here: https://github.com/monstream00/cortana-scripts
More to come on this front. Stay tuned.
If you’re in the Oklahoma City area don’t forget that the area Defcon group is meeting this Friday, August 17th from 7pm to 9pm. Come out and get your hack on.
Talks lined up:
OHM Space/Beta Space
1700 W. Main St
Oklahoma City, OK 73106
Michal Zalewski’s ‘The Tangled Web’ has a brief mention of a simple phishing attack based on sending HTTP 401 responses to clients. This is useful when it is possible to embed a resource into a page (e.g. forums that allow the user to include an image), but not to inject anything more powerful such as iframes, script, etc.
This module takes any request and returns an HTTP 401 with the authentication realm of your choice. If basic auth is detected in the request, the credentials are printed to the console and no response is sent.
Anyway, it’s a simple implementation. Check it out here.