Saturday, June 28, 2014

bWAPP, a buggy web application!

Web application security is today's most overlooked aspect of securing the infrastructure. These days, attackers are concentrating their efforts on our precious websites and web applications. Why? Websites and web applications are a very attractive target for cybercrime and hacktivism because they are reachable via the Internet 24/7. Mission-critical business applications, containing sensitive data, are often published on the Internet through a web interface. In addition, traditional network firewalls and SSL/TLS provide no protection against web attacks: the firewall has to let HTTP(S) through, and TLS only encrypts the transport, it does not check what the application does with the request. And systems engineers often know little about these application-level attacks…

It’s definitely time to improve our web security! Defense is needed… downloading and playing with bWAPP may be a first step… Wanted: superbees.

bWAPP, or a buggy web application, is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and prevent web vulnerabilities. bWAPP prepares you to conduct successful web application penetration tests and ethical hacking projects. It is made for educational purposes.

What makes bWAPP so unique? Well, it has over 100 web bugs! bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project.

[The OWASP Top 10 provides an accurate snapshot of the current threat landscape in application security and reflects the collaborative efforts and insights of thousands of accomplished security engineers. To reflect the ongoing changes in technology and common online business practices, the list is periodically updated.]

Some of the vulnerabilities included in bWAPP:
  • SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
  • Blind SQL and Blind OS Command injection
  • Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
  • Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
  • Cross-Site Request Forgery (CSRF)
  • AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
  • Malicious, unrestricted file uploads and backdoor files
  • Authentication, authorization and session management issues
  • Arbitrary file access and directory traversals
  • Local and remote file inclusions (LFI/RFI)
  • Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,...
  • HTTP parameter pollution and HTTP response splitting
  • Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
  • Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
  • HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
  • Unvalidated redirects and forwards
  • Cookie poisoning and insecure cryptographic storage
  • Server Side Request Forgery (SSRF)
  • XML External Entity attacks (XXE)
  • And much much much more…


bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux, Windows and Mac with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP.
Another possibility is to download the bee-box…

The bee-box is a custom Linux Ubuntu virtual machine, pre-installed with bWAPP. It is compatible with VMware Player, Workstation, Fusion, and with Oracle VirtualBox. It requires zero installation! bee-box gives you several ways to hack and deface the bWAPP website, currently there are 10 different website defacement possibilities! It's even possible to hack the bee-box, using a local privilege escalation exploit, to get full root access… Actually, with bee-box you have the opportunity to explore, and exploit, ‘all’ bWAPP vulnerabilities! Hacking, defacing and exploiting without going to jail... how cool is that?

You can download bWAPP from here. You can download bee-box from here.

Both are part of the ‘ITSEC Games’ project. The ‘ITSEC Games’ are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together! Our main objectives are to teach InfoSec courses from an educational and recreational point of view.

Take a look at our ‘What is bWAPP?’ introduction guide: it includes free training materials and exercises. There is also a free cheat sheet available, containing all the bWAPP solutions…
Follow @MME_IT on Twitter, and receive this cheat sheet, updated on a regular basis, including the latest hacks and security hardening tweaks.

We also offer a 2-day exclusive comprehensive web security course: 'Attacking & Defending Web Apps with bWAPP'.
This course can be scheduled on demand, at your location.


Have fun with this free and open source project!

Cheers, Malik Mesellem, @MME_IT

bWAPP - Metasploit Modules

Hi little bees,

In this article, I'll show you how you can find an exploit in bWAPP and port it to a Metasploit module to ease the exploitation of your beloved bee-box (or any box running bWAPP).
You probably all know the Metasploit Framework. If you don't know it yet, you should absolutely take a look at its website and download/install it. If you're using Kali Linux, Metasploit is already present in your beehive.

First, we need to find a valid exploit. For now, I'll take a basic SQL injection to spawn a shell/Meterpreter on the box.

I'm a little lazy and the basics of SQL injection are out of scope, so if you don't know how to exploit it in bWAPP you can still refer to my (killed in the beehive) bwappexploited site.

So, starting from the fact that this injection works fine to get the current database:
' and 1=0 union all select 1,2,database(),4,5,6,7 -- -
We could abuse MySQL's SELECT ... INTO OUTFILE statement to write a PHP file, our backdoor, onto the web server.
But don't forget you're injecting into MySQL: the file is created by the mysqld process, so the account it runs as (usually mysql, or a group it belongs to) needs write permission on the folder where you want to drop the backdoor. The database user also needs the FILE privilege, the target file must not already exist (INTO OUTFILE never overwrites), and secure_file_priv must not restrict the directories MySQL may write to.
An image or document folder is often a good choice, as the application itself usually needs to write there (for example for uploads through an admin web interface).
In this case, the « images » folder is writable :) (http://yourip/bWAPP/images/)

Our payload could be something like this:

a' UNION SELECT 1, "<?php system($_GET['cmd']) ?>",1,1,1,1,1 INTO OUTFILE "/var/www/bWAPP/images/yabadooo.php" -- -

Of course, change the path if bWAPP is installed in another directory.
If our injection worked, a file named yabadooo.php containing our payload is present in the « images » folder. Let's abuse it with the « id » command to see which user serves our payload (http://yourip/bWAPP/images/yabadooo.php?cmd=id).

It worked ! But ... you already knew it ? ;)

To build a Metasploit module, you have to answer this question: which steps were necessary to exploit successfully?

In our case it's rather simple:
1 – Login to bWAPP
2 – Post evil parameters to inject1.php

Here are the details of the first step:

As you can see, we first connect to bWAPP to obtain the session cookie, then we use this cookie to log in to bWAPP.
Finally, in the second step, we call the hive function to log in, then we send the evil request to get our shell.
Metasploit generates the payload for us: just replace the PHP commands in the SQL injection with « payload.encoded » and let MSF do its job.

The biggest part of the job is done; you'll understand the meaning of it all while reading, so I'll let you explore the final script.

You'll find the MSF module here, just copy/paste it into the MSF modules folder.
Kali users can drop it in /usr/share/metasploit-framework/modules/exploits/multi/http/ .
Start msfconsole and type :
> use exploit/multi/http/bwapp-sqli
> exploit -j

And magic happens :)

That's all bees,
Thanks for reading !

David Bloom
Twitter : @philophobia78