Security Level in DVWA not really changing #108

Open
rexxturbo opened this Issue Oct 18, 2016 · 1 comment

2 participants

@rexxturbo

Hi,

I have DVWA set up on a target computer. I changed the Security level to "low"; when I refresh the page, the security level remains low.

Here is the problem.

When I connect to the target PC from my attack box and intercept traffic with Burp, DVWA shows that security is set to "impossible". I have tried resetting the security multiple times, but no luck.

Any ideas?

Thanks

GET /login.php HTTP/1.1
Host: 172.16.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.1.130/login.php
Cookie: PHPSESSID=cv9f2p4mfd33hvkknbigio4ao2; security=impossible
Connection: close
Cache-Control: max-age=0

@digininja
Contributor

The level is per session so if you are logging in from a new session then the level will go back to impossible. Use a Burp search and replace to downgrade it.

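To make the "per session" answer concrete, here is a small Python model of what the request above shows, written for this page rather than taken from DVWA's PHP. It parses the raw request, resolves the level the way the thread describes (the `security` cookie if it names a valid level, otherwise the default), and rewrites the Cookie header the way a proxy search-and-replace rule would. The function names, the `VALID_LEVELS` tuple and the `DEFAULT_LEVEL` of "impossible" are assumptions drawn from this thread, and the embedded request is a trimmed copy of the one posted in the issue.

```python
from http.cookies import SimpleCookie

# Level names DVWA accepts and the default applied to a session that has not
# chosen one. Both are assumptions taken from this thread, not from DVWA source.
VALID_LEVELS = ("low", "medium", "high", "impossible")
DEFAULT_LEVEL = "impossible"

# Constructed sample: a trimmed copy of the request posted in the issue.
RAW_REQUEST = (
    "GET /login.php HTTP/1.1\r\n"
    "Host: 172.16.1.1\r\n"
    "Cookie: PHPSESSID=cv9f2p4mfd33hvkknbigio4ao2; security=impossible\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP request into (request line, {lower-cased name: value})."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def resolve_level(cookie_header):
    """Model of the server side: the security cookie wins if it names a valid
    level, otherwise the session gets the default. A client that never set the
    cookie (a fresh Burp session, a different browser) therefore sees
    'impossible' no matter what was chosen in another browser."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    level = jar["security"].value if "security" in jar else None
    return level if level in VALID_LEVELS else DEFAULT_LEVEL


def set_cookie(cookie_header, name, value):
    """Return the Cookie header with one cookie replaced or appended, keeping
    every other cookie (the session id in particular) untouched."""
    out, found = [], False
    for pair in (p.strip() for p in cookie_header.split(";")):
        if not pair:
            continue
        key = pair.partition("=")[0].strip()
        if key == name:
            out.append(f"{name}={value}")
            found = True
        else:
            out.append(pair)
    if not found:
        out.append(f"{name}={value}")
    return "; ".join(out)


def rewrite_level(raw, level):
    """What a proxy search-and-replace rule on the Cookie header does: rewrite
    security=<old> to the requested level in the outgoing request."""
    if level not in VALID_LEVELS:
        raise ValueError(f"unknown DVWA level: {level}")
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    for i, line in enumerate(lines):
        if line.partition(":")[0].strip().lower() == "cookie":
            lines[i] = "Cookie: " + set_cookie(line.partition(":")[2].strip(), "security", level)
            break
    else:
        lines.append(f"Cookie: security={level}")
    return "\r\n".join(lines) + sep + body


if __name__ == "__main__":
    _, headers = parse_request(RAW_REQUEST)
    print("level as sent: ", resolve_level(headers.get("cookie")))
    print("fresh session: ", resolve_level("PHPSESSID=abc"))
    lowered = rewrite_level(RAW_REQUEST, "low")
    print("after rewrite: ", resolve_level(parse_request(lowered)[1]["cookie"]))
```

The point the model makes visible is that the level lives in a cookie held by each client, so setting it in the browser on the target machine changes nothing for a second client that starts with no `security` cookie; that client gets the default until its own cookie says otherwise.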