Sunday, December 22, 2013

bWAPP - Xmas Hacking Challenge

Hi little bees, do you get bored in the Christmas Holidays? No panic, stay tuned with us... this time we are organizing a free bWAPP Xmas Hacking Challenge. Nothing to win, just for fun (and for educational purposes of course).

bWAPP, or a buggy web application, is a deliberately insecure web application.
It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares you to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 60 web bugs! bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project!

Are you ready to get started with our Xmas Hacking Challenge? First of all, we need YOUR public IP address. E-mail us your public IP address at bWAPP [at] Once we receive your IP, we add you on our white-list and we e-mail you back all the details. Now you are ready to roll!

Tweet your solutions, findings, and screenshots to @MME_IT #bWAPP

The first five tweeters who successfully accomplished a challenge are listed on our bWAPP Hack Hall of Fame.


Bug to exploit: SQL Injection - Extracting Data

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands (source: OWASP).

Your first mission is to grab and crack Santa's password using SQL injection.
A user 'Santa Claus' was added in the bWAPP database. We need the clear text password of that user...
Tweet your solutions, findings, and screenshots to @MME_IT #bWAPP.

HINT: title='+or+1+union+select+1,2,3,4,5,6,7+--+
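To see why the hint's shape works and what the fix looks like, here is an added example (not bWAPP's own code) that rebuilds a bWAPP-style movie search on an in-memory SQLite database. The table names, columns and rows are constructed for the example; the user's password is a placeholder string, not a real hash.

```python
import sqlite3

# Constructed stand-in for a movie-search page whose database also holds
# a users table; schema and sample rows are assumptions for this example.
def setup_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE movies(id INTEGER, title TEXT, year INTEGER);
        INSERT INTO movies VALUES (1, 'Iron Man', 2008), (2, 'Elf', 2003);
        CREATE TABLE users(id INTEGER, login TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'santa', 'hashed-placeholder');
    """)
    return db

def search_vulnerable(db, title):
    # The bug: user input is spliced straight into the SQL text, so a
    # quote closes the string literal and a UNION appends a second query
    # whose rows come back through the same result page.
    sql = f"SELECT id, title, year FROM movies WHERE title = '{title}'"
    return db.execute(sql).fetchall()

def search_fixed(db, title):
    # The fix: a bound parameter. The driver treats the whole value as
    # data, so the quote and the UNION are compared literally against
    # titles and never parsed as SQL.
    sql = "SELECT id, title, year FROM movies WHERE title = ?"
    return db.execute(sql, (title,)).fetchall()

# Decoded form of the hint's shape, adapted to a 3-column SELECT: close
# the literal, UNION a select with the same column count, comment out the
# trailing quote. Against the vulnerable function it returns the users row.
PAYLOAD = "' OR 1 UNION SELECT id, login, password FROM users -- "

def demo():
    db = setup_db()
    leaked = search_vulnerable(db, PAYLOAD)   # both movies plus 'santa'
    safe = search_fixed(db, PAYLOAD)          # no movie has that title
    return leaked, safe
```

The same parameter binding is what MySQLi or PDO prepared statements give a PHP application; the vulnerable form is the one that builds the query with string concatenation.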

Hack Hall of Fame:

  1. Pen Duick, @_SaxX_
  2. Twan, @TwanSec
  3. Yaser Faraj, @yaserfaraj
  4. philophobia, @philophobia78
  5. Andy Decramer, @AndyDecramer


Bug to exploit: SQL Injection - Website Defacement

Your second mission is to upload a file using SQL injection. Name the file [your_name]-sqli.htm and tweet a screenshot as proof to @MME_IT #bWAPP.

Good luck... this will probably be your first (legal) website defacement!

HINT: use an automated SQL injection tool like sqlmap. sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches, ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Hack Hall of Fame:

  1. Twan, @TwanSec
  2. Pen Duick, @_SaxX_
  3. Yaser Faraj, @yaserfaraj
  4. philophobia, @philophobia78
  5. Andy Decramer, @AndyDecramer


Bug to exploit: Server-Side Includes (SSI) Injection - Website Defacement

SSIs are directives present on web applications, used to feed an HTML page with dynamic content. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being displayed. In order to do so, the web server parses the SSI directives before supplying the page to the user.

The Server-Side Includes attack allows the exploitation of a web application by injecting scripts into HTML pages or executing arbitrary code remotely. It can be exploited through manipulation of the SSI directives already in use in the application, or by forcing their use through user input fields.

It is possible to check whether the application is properly validating input field data by inserting characters that are used in SSI directives, like: < ! # = / . " - > and [a-zA-Z0-9]

Another way to discover whether the application is vulnerable is to verify the presence of pages with the extensions .stm, .shtm and .shtml. However, the lack of these types of pages does not mean that the application is protected against SSI attacks.

In any case, the attack will be successful only if the web server permits SSI execution without proper validation. This can lead to access to and manipulation of the file system and processes under the permissions of the web server process owner.

The attacker can access sensitive information, such as password files, and execute shell commands. The SSI directives are injected into input fields and sent to the web server. The web server parses and executes the directives before supplying the page. The attack result is then visible the next time the page is loaded in the user's browser (source: OWASP).

Your third mission is to create a file using SSI injection. Name the file [your_name]-ssii.htm and tweet a screenshot as proof to @MME_IT #bWAPP. Another website defacement...
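The input check described above, turned into defender-side code: an added example (not bWAPP's own code) that flags form fields carrying SSI directives, for logging or a WAF rule, and HTML-encodes every field so that whatever ends up in an .shtml page is never parsed by the include handler. The sample field values are constructed; the directive names in the comment are the ones Apache mod_include recognises.

```python
import html
import re

# An SSI directive always begins with "<!--#" followed by a directive name
# (include, exec, echo, config, set, if/elif/else/endif, fsize, flastmod,
# printenv in mod_include). Matching the prefix plus name rather than the
# full "... -->" form means a truncated or mangled directive is still flagged.
SSI_DIRECTIVE = re.compile(r"<!--#\s*([a-z]+)", re.IGNORECASE)

def find_ssi_directives(text):
    """Return the directive names found in one submitted field value."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]

def neutralise(text):
    """Encode the characters that let input be read as markup. After
    escaping, '<!--#' becomes '&lt;!--#', so mod_include never sees a
    directive even if the value is written straight into a page body."""
    return html.escape(text, quote=True)

# Constructed sample of field values as a form handler might receive them.
SAMPLES = {
    "first_name": "Santa",
    "last_name": '<!--#echo var="DATE_LOCAL" -->',
    "comment": '<!--#include virtual="/footer.html" -->',
}

def triage(fields):
    """Return (flagged, cleaned): which fields carried SSI directives, and
    an escaped copy of every field that is safe to echo into a page."""
    flagged = {}
    for name, value in fields.items():
        directives = find_ssi_directives(value)
        if directives:
            flagged[name] = directives
    cleaned = {name: neutralise(value) for name, value in fields.items()}
    return flagged, cleaned
```

Escaping is the control; the detector only tells you who tried. On Apache the server-side counterpart is to leave `Includes` out of `Options` (or use `IncludesNOEXEC`) for any directory that serves user-supplied content.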

Hack Hall of Fame:

  1. Twan, @TwanSec
  2. Pen Duick, @_SaxX_
  3. philophobia, @philophobia78
  4. Yaser Faraj, @yaserfaraj
  5. Andy Decramer, @AndyDecramer


Bug to exploit: Server-Side Includes (SSI) Injection - Spawning a Shell

Your next mission is to spawn a command shell using SSI injection. Access the /etc/passwd file from the shell, and tweet a screenshot as proof to @MME_IT #bWAPP.

HINT: our firewall is blocking only incoming traffic...

Hack Hall of Fame:

  1. Twan, @TwanSec
  2. philophobia, @philophobia78
  3. Yaser Faraj, @yaserfaraj
  4. ...
  5. ...