Week 10 is about testing DVWA.
My DVWA wont install as it only shows blank page
Thanks to hansvin, I can use DVWA by using his DVWA installed in his digital ocean.
So let’s start.
DVWA has 4 security levels: low, medium, high, and Impossible.
We will use Command Injection attack as example
Low difficulty is full of vulnerabilities, there is no fix attempted.
For example, ping a website along injecting a command
The result will be the syntax id will be run with the ping command by the server.
The below source states that the server will only check for input, ping the input, and execute any other command existed in the input.
Next is the medium level. The medium level will have some protection in the code, but with major vulnerabilities that can be used to bypass the protection.
As we can see code above, it blacklisted some sub string to avoid any command injection.
But we can use other types of sub string such as ‘ | ‘ (or)
So the command will run OR sub string but only id command because ping results is passed to id command and id command does not need ping results
High level security will have more protection in the code that seems to be protected, but there are small, but fatal vulnerability that can be used.
As we can see, the blacklist sub string has increased. But there is a small vulnerability here. The ‘| ‘ command includes white space inside. So if we not include the white space, the command injection will run.
Impossible level is only for comparing purposes only. It is a level where there are no vulnerabilities existed in the code.