<a href="https://colab.research.google.com/github/blacktalenthubs/Dynamic-Application-Security-Testing/blob/main/Copy_of_week1_2.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

### Week1-2:  OWASP Top 10 Web Application Security Risks with Payload Examples and Explanations

---

#### Injection

**Description**: Injection flaws, such as SQL injection, allow attackers to inject malicious code or data into an application, potentially compromising data integrity and application logic.

**Example**: SQL Injection

**Scenario**:
An application has a login form where users enter their username and password.

**Vulnerable SQL Query**:
```sql
SELECT * FROM users WHERE username = 'user' AND password = 'pass';
```

**Attacker's Payload**:
If an attacker inputs the following into the username field:
```
' OR '1'='1
```
And the following into the password field:
```
' OR '1'='1
```
The resulting SQL query becomes:
```sql
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '' OR '1'='1';
```
**Explanation**:
This query will always return true, effectively bypassing the authentication mechanism and potentially granting the attacker access to all user data.

---

#### Broken Authentication

**Description**: Flaws in authentication mechanisms, such as weak passwords, lack of multi-factor authentication, or improper session management, can lead to unauthorized access to sensitive information.

**Example**: Session Hijacking

**Scenario**:
An application generates predictable session IDs when users log in.

**Attacker's Payload**:
The attacker notices that the session ID is simply the username prefixed with "session_". For example, if a user "admin" logs in, their session ID is:
```
session_admin
```
**Explanation**:
The attacker can hijack the session by guessing or knowing the username and crafting the session ID as "session_admin". By using this session ID, the attacker can impersonate the "admin" user and gain unauthorized access.

---

#### Sensitive Data Exposure

**Description**: Inadequate protection of sensitive data, such as passwords, credit card information, or personal data, can result in data breaches and compliance violations.

**Example**: Storing Sensitive Data in Plain Text

**Scenario**:
An application stores user passwords and credit card information in plain text in its database.

**Vulnerable Data**:
```
Username: admin
Password: password123
Credit Card: 1234-5678-9012-3456
```
**Explanation**:
If the database is compromised, attackers can directly access and misuse this sensitive information. Plain text storage of passwords and credit card information makes it easy for attackers to exploit the data.

---

#### XML External Entities (XXE)

**Description**: Improperly configured XML processors can be vulnerable to XXE attacks, allowing attackers to access or manipulate sensitive data or execute remote code.

**Example**: XXE Payload

**Scenario**:
An application processes XML input from users.

**Vulnerable XML Input**:
```xml
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<root>&xxe;</root>
```
**Explanation**:
This payload instructs the XML parser to include the contents of the /etc/passwd file (a sensitive system file on Unix-like systems) in the XML document. If the application processes this XML without proper configuration, the attacker can access the contents of the /etc/passwd file, leading to information disclosure.

---

### Teaching Outline

---

#### Injection

1. **Overview**:
   - Injection flaws allow attackers to inject malicious code or data into an application.
   - Common types include SQL injection, NoSQL injection, and command injection.

2. **Example: SQL Injection**:
   - Scenario: User login form with username and password fields.
   - Vulnerable SQL Query:
     ```sql
     SELECT * FROM users WHERE username = 'user' AND password = 'pass';
     ```
   - Attacker's Payload:
     - Username: `' OR '1'='1`
     - Password: `' OR '1'='1`
   - Resulting SQL Query:
     ```sql
     SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '' OR '1'='1';
     ```
   - **Explanation**: This query always returns true, bypassing authentication and potentially exposing all user data.

---

#### Broken Authentication

1. **Overview**:
   - Broken authentication refers to flaws in the authentication mechanism, leading to unauthorized access.
   - Common issues include weak passwords, lack of multi-factor authentication, and improper session management.

2. **Example: Session Hijacking**:
   - Scenario: Application generates predictable session IDs.
   - Attacker's Observation: Session ID for user "admin" is "session_admin".
   - Attacker's Payload:
     - Session ID: `session_admin`
   - **Explanation**: By guessing the session ID, the attacker can hijack the session and gain unauthorized access as the "admin" user.

---

#### Sensitive Data Exposure

1. **Overview**:
   - Sensitive data exposure occurs when applications do not adequately protect sensitive information, such as passwords and credit card details.
   - Inadequate protection can lead to data breaches and compliance violations.

2. **Example: Storing Sensitive Data in Plain Text**:
   - Scenario: Application stores user data in plain text.
   - Vulnerable Data:
     ```
     Username: admin
     Password: password123
     Credit Card: 1234-5678-9012-3456
     ```
   - **Explanation**: If the database is compromised, attackers can easily access and misuse the sensitive information stored in plain text.

---

#### XML External Entities (XXE)

1. **Overview**:
   - XXE attacks exploit vulnerabilities in XML processors to access or manipulate sensitive data.
   - Commonly used in applications that process XML input without proper configuration.

2. **Example: XXE Payload**:
   - Scenario: Application processes XML input.
   - Vulnerable XML Input:
     ```xml
     <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
     <root>&xxe;</root>
     ```
   - **Explanation**: This payload includes the contents of the /etc/passwd file in the XML document. If processed without proper configuration, the attacker can access sensitive system files.

---

---

#### Cross-Site Scripting (XSS)

**Description**: XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, defacement, or redirection to malicious sites.

**Example**: Stored XSS

**Scenario**:
An application allows users to post comments on articles. These comments are stored and displayed without proper sanitization.

**Attacker's Payload**:
If an attacker posts the following comment:
```html
<script>alert('XSS');</script>
```
**Explanation**:
When another user views the comment, the browser executes the script, displaying an alert box. This demonstrates how the attacker can inject and execute arbitrary scripts.

---

#### Security Misconfiguration

**Description**: Security misconfigurations occur when security settings are not defined, implemented, or maintained properly. This can lead to unauthorized access to default accounts, unpatched flaws, or unnecessary services enabled.

**Example**: Exposed Admin Interface

**Scenario**:
An application has an admin interface that is not properly secured and is accessible to anyone who knows the URL.

**Attacker's Payload**:
If an attacker discovers the admin URL:
```
http://example.com/admin
```
And the default admin credentials:
```
Username: admin
Password: admin123
```
**Explanation**:
The attacker can log in with default credentials and gain full control over the application. This can be prevented by changing default credentials, limiting access to the admin interface, and regularly updating security settings.

---

### Teaching Outline

---

#### Cross-Site Scripting (XSS)

1. **Overview**:
   - XSS vulnerabilities allow attackers to inject malicious scripts into web pages.
   - There are three main types of XSS: stored, reflected, and DOM-based.

2. **Example: Stored XSS**:
   - Scenario: User comment section on an article page.
   - Attacker's Payload:
     ```html
     <script>alert('XSS');</script>
     ```
   - **Explanation**: The malicious script is stored on the server and executed whenever a user views the comment, leading to potential session hijacking or data theft.

---

#### Security Misconfiguration

1. **Overview**:
   - Security misconfigurations occur when security settings are not defined, implemented, or maintained properly.
   - This can include using default credentials, exposing unnecessary services, or failing to apply security patches.

2. **Example: Exposed Admin Interface**:
   - Scenario: Application with an accessible admin interface.
   - Attacker's Payload:
     - Admin URL: `http://example.com/admin`
     - Default Credentials:
       ```
       Username: admin
       Password: admin123
       ```
   - **Explanation**: By discovering the admin URL and using default credentials, the attacker gains unauthorized access, highlighting the importance of securing admin interfaces and changing default settings.

---


### Performing OWASP Top 10 Web Application Security Attacks using MultiLLIDAE

**Note**: Ensure you have the necessary permissions and a safe environment to perform these security tests. Only use these techniques on applications you own or have explicit permission to test.

---

#### Injection (SQL Injection)

1. **Setup**: Ensure MultiLLIDAE is running and accessible.
2. **Scenario**: The application has a login form with username and password fields.

**Steps**:
- Go to the login page of MultiLLIDAE.
- In the username field, enter:
  ```
  ' OR '1'='1
  ```
- In the password field, enter:
  ```
  ' OR '1'='1
  ```
- Submit the form.

**Expected Result**:
- You should be able to bypass the login and gain unauthorized access.

**Explanation**:
- The SQL query is manipulated to always return true, bypassing authentication.

---

#### Broken Authentication (Session Hijacking)

1. **Setup**: Ensure MultiLLIDAE is running and you can access different user accounts.
2. **Scenario**: The application generates predictable session IDs.

**Steps**:
- Log in as a normal user and capture the session ID from the browser cookies (e.g., `session_user`).
- Log out and construct a new session ID for an admin user (e.g., `session_admin`).
- Manually set the cookie in your browser to `session_admin`.

**Expected Result**:
- You should gain access to the admin interface.

**Explanation**:
- Predictable session IDs allow attackers to hijack sessions and gain unauthorized access.

---

#### Sensitive Data Exposure

1. **Setup**: Ensure MultiLLIDAE is running and the database is accessible.
2. **Scenario**: The application stores sensitive data in plain text.

**Steps**:
- Access the database directly or through a compromised account.
- Query the users table:
  ```sql
  SELECT username, password, credit_card FROM users;
  ```

**Expected Result**:
- Plain text passwords and credit card information should be visible.

**Explanation**:
- Storing sensitive data in plain text exposes it to potential misuse if the database is compromised.

---

#### XML External Entities (XXE)

1. **Setup**: Ensure MultiLLIDAE is running and accepts XML input.
2. **Scenario**: The application processes XML input from users.

**Steps**:
- Find an endpoint that processes XML (e.g., file upload or data import).
- Submit the following malicious XML payload:
  ```xml
  <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
  <root>&xxe;</root>
  ```

**Expected Result**:
- The contents of the `/etc/passwd` file should be returned in the response.

**Explanation**:
- The XML parser includes external entities, exposing sensitive system files.

---

#### Cross-Site Scripting (XSS)

1. **Setup**: Ensure MultiLLIDAE is running and has a comment section or similar input fields.
2. **Scenario**: The application allows users to post comments without sanitizing input.

**Steps**:
- Go to the comment section of an article or similar page.
- Submit a comment containing:
  ```html
  <script>alert('XSS');</script>
  ```

**Expected Result**:
- An alert box should appear when the page is reloaded, demonstrating the script execution.

**Explanation**:
- The application fails to sanitize user input, allowing the injection and execution of malicious scripts.

---

#### Security Misconfiguration

1. **Setup**: Ensure MultiLLIDAE is running and you have admin access.
2. **Scenario**: The application has an exposed admin interface with default credentials.

**Steps**:
- Go to the admin interface (e.g., `http://localhost:8080/admin`).
- Log in using default credentials:
  ```
  Username: admin
  Password: admin123
  ```

**Expected Result**:
- You should gain access to the admin panel.

**Explanation**:
- Default credentials and exposed admin interfaces allow unauthorized access.


### Performing OWASP Top 10 Web Application Security Attacks using DVWA

**Note**: Ensure you have the necessary permissions and a safe environment to perform these security tests. Only use these techniques on applications you own or have explicit permission to test.

---

#### Setting Up DVWA

1. **Download and Install DVWA**:
   - Clone the DVWA repository:
     ```bash
     git clone https://github.com/digininja/DVWA.git
     cd DVWA
     ```
   - Set up the database:
     ```bash
     cp config/config.inc.php.dist config/config.inc.php
     ```
   - Edit `config/config.inc.php` with your database details:
     ```php
     $_DVWA[ 'db_user' ] = 'root';
     $_DVWA[ 'db_password' ] = 'password';
     ```
   - Start the DVWA application:
     ```bash
     docker-compose up -d
     ```

2. **Access DVWA**:
   - Open your browser and go to `http://localhost:8080`.
   - Log in with the default credentials:
     ```
     Username: admin
     Password: password
     ```

3. **Set DVWA Security Level**:
   - Go to the "DVWA Security" page and set the security level to low for demonstration purposes.

---

#### Injection (SQL Injection)

1. **Scenario**: The application has a user login form with username and password fields.

**Steps**:
- Go to the "SQL Injection" section of DVWA.
- In the input field, enter:
  ```
  ' OR '1'='1
  ```
- Click "Submit".

**Expected Result**:
- You should see a list of all users in the database.

**Explanation**:
- The SQL query is manipulated to always return true, bypassing authentication.

**Database Access**:
- Connect to the MySQL database running in the Docker container:
  ```bash
  docker exec -it dvwa_db_1 mysql -u root -ppassword dvwa
  ```
- Query the users table:
  ```sql
  SELECT * FROM users;
  ```

---

#### Broken Authentication (Session Hijacking)

1. **Scenario**: The application generates predictable session IDs.

**Steps**:
- Log in to DVWA as a regular user and capture the session ID from the browser cookies.
- Log out and construct a new session ID for an admin user (e.g., `session_admin`).
- Manually set the cookie in your browser to `session_admin`.

**Expected Result**:
- You should gain access to the admin interface.

**Explanation**:
- Predictable session IDs allow attackers to hijack sessions and gain unauthorized access.

---

#### Sensitive Data Exposure

1. **Scenario**: The application stores sensitive data in plain text.

**Database Access**:
- Connect to the MySQL database running in the Docker container:
  ```bash
  docker exec -it dvwa_db_1 mysql -u root -ppassword dvwa
  ```
- Query the users table:
  ```sql
  SELECT user, password, avatar FROM users;
  ```

**Expected Result**:
- Plain text passwords and other sensitive information should be visible.

**Explanation**:
- Storing sensitive data in plain text exposes it to potential misuse if the database is compromised.

---

#### XML External Entities (XXE)

1. **Scenario**: The application processes XML input from users.

**Steps**:
- Go to the "XML External Entity (XXE)" section of DVWA.
- Submit the following malicious XML payload:
  ```xml
  <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
  <root>&xxe;</root>
  ```

**Expected Result**:
- The contents of the `/etc/passwd` file should be returned in the response.

**Explanation**:
- The XML parser includes external entities, exposing sensitive system files.

---

#### Cross-Site Scripting (XSS)

1. **Scenario**: The application allows users to post comments without sanitizing input.

**Steps**:
- Go to the "XSS (Stored)" section of DVWA.
- Submit a comment containing:
  ```html
  <script>alert('XSS');</script>
  ```

**Expected Result**:
- An alert box should appear when the page is reloaded, demonstrating the script execution.

**Explanation**:
- The application fails to sanitize user input, allowing the injection and execution of malicious scripts.

---

#### Cross-Site Request Forgery (CSRF)

1. **Scenario**: The application allows users to change their email address without verifying the origin of the request.

**Steps**:
- Log in to DVWA as a regular user.
- In a different browser or session, create an HTML page with the following content:
  ```html
  <html>
  <body>
    <form action="http://localhost:8080/vulnerabilities/csrf/" method="POST">
      <input type="hidden" name="password_new" value="newpassword">
      <input type="hidden" name="password_conf" value="newpassword">
      <input type="submit" value="Submit request">
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
  </html>
  ```
- Open this HTML file in your browser while logged in to DVWA.

**Expected Result**:
- The password of the logged-in user should be changed to `newpassword`.

**Explanation**:
- The attacker tricks the user into submitting a request without their knowledge, thereby performing an action on the user's behalf.

---

#### Security Misconfiguration

1. **Scenario**: The application has an exposed admin interface with default credentials.

**Steps**:
- Go to the admin interface of DVWA.
- Log in using default credentials:
  ```
  Username: admin
  Password: password
  ```

**Expected Result**:
- You should gain access to the admin panel.

**Explanation**:
- Default credentials and exposed admin interfaces allow unauthorized access.

---

### Conclusion

These practical examples demonstrate how to perform common web application security attacks on DVWA. By understanding and executing these attacks, students can learn how to identify vulnerabilities and implement mitigation strategies effectively. Remember to perform these tests in a controlled environment and with proper authorization.

---