QSES - Laboratory Exercises 3

Author: Eduardo R. B. Marques, DCC/FCUP

QSES homepage

Exercises marked with (C) will be covered in class, and exercises marked with (H) are left as homework.

1. DVWA XSS (C)

Access the DVWA server (e.g. running on the GCP VM instance we created last class) and consider the XSS (Reflected) and XSS (Stored) sections.

For each section and security level examine:

1. What are the input validation mechanisms and other protections involved? Try to circumvent them by conducting an attack manually.

2. Check if the SonarCloud analysis provides some clues to the security vulnerabilities.

   • Surprisingly it does not in some cases, e.g. particularly for XSS (Reflected), in spite of this XSS analysis rule.
   • As we have seen in other examples, the user input is not seen as "flowing" directly/unconditionally to HTML generation section.

3. Install the ZAP proxy if you have not do so previously. Then use ZAP to:

   • Inspect if there any XSS-related vulnerabilities just by monitoring traffic ?
   • Use the attack mode to try detect the XSS vulnerabilities automatically.

2. DVWA CSRF (C)

Proceed as in exercise 1 but for the CSRF functionality, but excluding ZAP attacks.

To exploit the vulnerabilities in some DVWA security levels you may need to craft a malicious HTML page.

3. DOM-based XSS (H)

Proceed as in exercise 1 but for the XSS (DOM) functionality.

4. Explore WebGoat (H)

Try out WebGoat, a vulnerable web application written in Java.

Explore some WebGoat "lessons" referring to vulnerabilities we have discussed in the last few classes.

Links:

• Code repository (QSES fork).

• Docker image

• SonarCloud.io analysis