Damn Vulnerable Web Service

General info, Get it and deploy it

• Official repo dvws

Infos

List of Vulnerabilities

This is the list from the documentation To keep track, I will check everytime I find one

• Insecure Direct Object Reference

• Horizontal Access Control Issues

• Vertical Access Control Issues

• Mass Assignment

• Cross-Site Scripting

• NoSQL Injection

• Server Side Request Forgery

• JSON Web Token (JWT) Secret Key Brute Force

• Information Disclosure

• Hidden API Functionality Exposure

• Cross-Origin Resource Sharing Misonfiguration

• JSON Hijacking

• SQL Injection

• XML External Entity Injection (XXE)

• Command Injection

• XPATH Injection

• XML-RPC User Enumeration

• Open Redirect

• Path Traversal

• Unsafe Deserialization

• Sensitive Data Exposure

• GraphQL Access Control Issues

• GraphQL Introspection Enabled

• GraphQL Arbitrary File Write

• GraphQL Batching Brute Force

• Client Side Template Injection

Deploy it

• git clone https://github.com/snoopysecurity/dvws-node.git

• cd dvws-node

• docker compose up

• It should start building

docker compose up

• Once done edit your /etc/hosts file and add this line 127.0.0.1 dvws.local

• All the other infos we need are here

web-1         | 🚀 XML-RPC server listening on port 9090
web-1         | 🚀 API listening at http://dvws.local (127.0.0.1)
web-1         | 🚀 GraphQL Server ready at http://localhost:4000/

Hack it

• Launch burp or zap and setup your scope settings

Exploration

Register

Now we can visit http://dvws.local/ we get this page

Login page

Let's create an account

Register

Once logged in we get this home page:

Home page

Home page without being logged in

However we do not need to be logged in to access the home page. We can access it right away if we go here http://dvws.local/home.html

Home page without login

File upload functionality

Here http://dvws.local/upload.html we have the possibility to upload files. So this is definitely something to keep aside for later.

File Storage

PassPhrase Generator

Another page to keep for later explorations http://dvws.local/passphrasegen.html

PassPhrase generator

Public Notes

Another one http://dvws.local/search.html

Public Notes

Admin Area

We can access the admin area as well without any cookie http://dvws.local/admin.html

No cookie

Admin Area

Save Secret Note

This looks fun too http://dvws.local/notes.html

Save Secret Note

If we try to create a note without a token it won't work. So we can access the page but we can not write notes.

500 error

Directory and endpoint enumeration

• Directory enum small list

┌─[✗]─[gabrielle@parrot]─[~/vulnerable-apis/dvws-node/dvws-node]
└──╼ $wfuzz -c --hc 404 --hw 225 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt http://dvws.local/FUZZ
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://dvws.local/FUZZ
Total requests: 87664

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                              
=====================================================================

000000164:   301        10 L     16 W       181 Ch      "uploads"                                                                                            
000000269:   301        10 L     16 W       179 Ch      "static"                                                                                             
000000549:   301        10 L     16 W       173 Ch      "css"                                                                                                
000000954:   301        10 L     16 W       171 Ch      "js"                                                                                                 
000008156:   301        10 L     16 W       173 Ch      "CSS"                                                                                                
000009299:   301        10 L     16 W       171 Ch      "JS"                                                                                                 

Total time: 63.89374
Processed Requests: 87664
Filtered Requests: 87658
Requests/sec.: 1372.027

• Directory enum big list

=> Nothing more than in the small one.

When I explored I saw that the schema for the api was /api/v2. This is good to know (I found it in my burp history). This way we have the api endpoints schema.

• Let's try another wordlist, I really want to find the documentation. This time I will use the intruder and the wordlist swagger.txt

• Here is my position tab in the intruder

Positions

Notice that I did not put a / after the GET http verb

• My payloads tab look like this

Payloads

Make sure to unchek the URL-encode these characters at the bottom

Then we can launch the attack. We order the results by Status we get to endpoints worth checking

Results

Both these endpoints have the documenation

• http://dvws.local/api-docs/

• http://dvws.local/api-docs/swagger.json

Mass assignment

• Create an admin user we add the parameter admin and set it to true admin=true

mass assignment

• It works. Our new user is admin

admin

Information disclosure

So in our burp history we have a users endpoint which gives a list of users and their password hashes.

users

With this information we can for example attempt to crack the admin hash. First let's find out which hash this is. We go to hascat examples hashes page here and we search $2b$10 on the page. This way we see it is bcrypt. Now we can crack the hash with john (or hashcat) and we get the password of the admin user letmein.

crack hash

So now we can log in as admin

admin

Horizontal Access Control

When we access our passphrases, it calls the following endpoint /api/v2/passphrase/csbygb so it takes the username as id. So we could try to access the admin one /api/v2/passphrase/admin It works! Funny thing here is we do not even need a cookie to access it.

Admin passphrase

Note: I added a passphrase myself for the sake of the demo here.

Vertical Access Control Issues

When we try to access the admin area with a normal user through the browser we get redirected. However when we use an admin user we access the endpoint /api/v2/sysinfo/uname And the web browser shows this page.

Admin area

So we can try to access the same endpoint but with a user Token.

• Access with admin Token

Admin token

So this is the legitimate request. We get info aobut the server.

• Access with user Token

User token

So this should not be possible, we access admin info with a user token.

If we try the functionality to search for a user we see this in the browser.

User search as admin

So it calls this endpoint and the request and response look like this in burp

User search

So we can send the request to the repeater and change the token for a user one to see if we could access to the "admin" user info for example. And it works!

Admin user with simple user token

Cross Site Scripting

If we enter a user name with an xss payload in the user field the input is not sanitized and our paylaod is interpreted.

Payload xss

Now if we click on login we get our pop up

XSS vulnerable

JSON Web Token (JWT) Secret Key Brute Force

Let's play a little with the jwt token. For this we can use jwt_tool. See here for how to install it.

We can do it with this command python3 jwt_tool.py <JWT-TOKEN-HERE> -o -C -d /usr/share/wordlists/rockyou.txt It works and we get the password access

key cracked

Once we get a key we can use it to update our rights and become admin by adding a permission. Here we can add the permission "user:admin" Here is how we could this with jwt.io

Become admin with jwt

Then we would just have to use this new generated token to access admin resources.

XML External Entity Injection (XXE)

When playing with the user search we had an XML Content. So this is definitely the place to check for XXE. Let's try to insert these lines at the top

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

Then we can use this &xxe; in the usernames tags to print the file we need (here the passwd).

And it works we get the passwd file of the server.

XXE

Insecure Direct Object Reference

When playing with the notes we have a number attributed to the secret notes we create like this:

Notes other user

Here we have a note no 4 and no 9

We could try to check if the endpoint can also request only one specific note, using this number as an id. This endpoint /api/v2/notes will return all the notes let's try something like /api/v2/notes/note-number And it works we can access any note from any user. For example here is a note from csbygb with the token of csbygb-otheruser

csbygb note

After this we could enumerate all the notes with an automatic tool like burp intruder for example and by incrementing the note no.

NoSQL Injection

So if we play with the quotes and try some NoSQL payload (you can find some here), we can trigger a NoSQL injection on the endpoint /api/v2/notesearch. It works and we get all the notes, including the secret ones

NoSQL Injection

Hidden API Functionnality Exposure

So if we analyze the swagger we found during the enumeration phase. We have an endpoint that is different than the others /api/v1/info so this is an old functionnality. Well, let's try it. This discloses a lot of information on the server.

Hidden API Functionnality Exposure

Server Side Request Forgery

The error page has un interesting response.

We can see also in the user agent the use of xmlrpc. So we could try to interact with it because it is known to have a few vulnerabilities that affected a lot of wordpress websites. This article here mentions it.

If we try the request from the article we get a less verbose response but it is still really interesting.

list methods

We can see the dvws.checkuptime from the error and it does also have pingback. So let's try the service mentionned in the error.

uptime

So this way we can access application that runs in the internal network fo the server. We could also scan the ports.

CORS

When we explored the application we found a few request that did not need any token or credentials.

For example /api/v2/passphrase/admin to request the passphrase that is called admin.

Admin passphrase

See here, we do not need any credentials and we have Access-Control-Allow-Credentials: true in the response header.

So let's try a cors PoC to see if it is vulnerable we can find plenty of poc online (I found mind here ). If you are not familiar with cors, this page on portswigger is very helpful to learn more about this.

<!DOCTYPE html>
<html>
<body>
<center>
<h2>CORS POC Exploit</h2>
<h3>Get passphrase</h3>
 
<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>
 
<script>
function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      document.getElementById("demo").innerHTML = alert(this.responseText);
    }
  };
  xhttp.open("GET", "http://dvws.local/api/v2/passphrase/admin", true);
  xhttp.withCredentials = true;
  xhttp.send();
}
</script>
 
</body>
</html>

And here we get the passphrase

JSON Hijacking

You can check the explainations about this vulnerability in the official writeup here

SQL Injection

You can find the official writeup for the SQL Injection here

Command Injection

When we explored we found an endpoint (/api/v2/sysinfo/uname) that was doing a uname in a server. This screams for command injection. If we append send this instead we can indeed execute another command /api/v2/sysinfo/uname;id

id

We can see that our user is root From this the next step would be to try to get a reverse shell.

XPATH Injection

To give the version on the home page it uses this endpoint /api/v2/release/0.0.1 If we inject a quote in the end we get an xpath error

We can try a few payloads from hacktricks

And it works we get the full config file. It seems that it was taking the version from a config file (which also contains passwords).

config file

XML rps user enumeration

There is an endpoint that allows to check if a user exists and it uses XMK rpc dvwsuserservice.

user exists

Open redirect

When we log out a user it sends a get request to this endpoint /api/v2/users/logout/dvws.local This basically makes a redirection as we can see here.

redirection

What if we change dvws.local with another url? Well it redirects us to this url

You can find a good definition of this vulnerability here

Path traversal

When we download a file it makes a post request to this endpoint /api/download

Download forms can be vulnerable to path traversal. Let's try to tamper with this request

first try

We even get an error to check where we directory tree.

Let's try a few more dots and slashes

We are getting there.

home

And it works!

path traversal

Unsafe Deserialization

This article shows an example of insecure deserialization in nodejs. The request to /api/v2/export sends a serialize object to the server, this is how it fetches the requested document What is we could try to request for something else that we should be able to access.

Resources

• OWASP API Security Top 10
• OWASP Security Testing v3