DVWA
Web Application Penetration Testing
Report
Confidential
Date: 19 May 2021
Version: 1.0
Project: test Company
CONFIDENTIALITY & PROPRIETARY
This document contains information that is confidential and
proprietary, which shall not be disclosed outside Client A,
transmitted, or duplicated, used in whole or in part for any purpose
other than its intended purpose. Any use or disclosure in whole or
in part of this information without explicit written permission of
Client A is prohibited. Cybereaon makes no warranty that the
information contained in this document is complete or error free.
This report is solely for the information of Client A and Client A
management and should not be used, circulated, quoted or otherwise
referred to for any other purpose, nor included or referred to in whole
or in part in any document without our prior written consent
The specific IP addresses / Domain were identified by Client A. Our
subsequent test work, study of issues in detail and developing action
plans are directed towards the issues identified. Consequently, this
report may not necessarily comment on all the weaknesses perceived
as important by the Client A and / or Client A management.
REPORT ANALYSIS
The issues identified and proposed action plans in this report are
based on our testing. We made specific efforts to verify the
accuracy and authenticity of the information gathered only in
those cases where it was felt necessary.
The issues in this report are based mainly on the tests carried out
within the limited time available for the exercise. Because the
selection of the weaknesses / vulnerabilities to pursue is a matter of
judgement given that time, the outcome of the analysis may not be
exhaustive or cover every possibility, although we have taken
reasonable care to cover the major eventualities.
The vulnerabilities reported in this report are valid as of Jan 1,
2021. Any vulnerability discovered after this date, or any exploit
made available after May 9, 2020, does not come under the purview of
this report.
Any configuration changes or software/hardware updates made to the
hosts or to the application covered in this test after the date
mentioned above may change the security posture, positively or
negatively, and invalidate the claims and observations in this
report. Whenever the application is updated, we recommend a further
penetration test to confirm that the security posture remains
compliant with your security policies.
TABLE OF CONTENTS
EXECUTIVE SUMMARY | 1
  Background
  Application Health
  Observations
  Recommendations
SCAN DETAILS | 2
THREAT DISTRIBUTION | 2
THREAT ANALYSIS – BY INSTANCE COUNT AND CVSS | 2
THREAT ANALYSIS – BY SEVERITY LEVEL | 2
VULNERABILITIES & RECOMMENDATIONS | 3
1. SQL Injection | 3
2. Reflected Cross Site Scripting | 9
3. Lack of password brute force prevention | 13
4. Information leakage through HTTP response headers | 14
EXECUTIVE SUMMARY
BACKGROUND
On Dec 1 2020, Client A engaged Cybereaon to perform a security assessment of
their Damn Vulnerable Web Application (DVWA) in order to protect the security
of their customers' personal information, which the DVWA application processes
and stores.
APPLICATION HEALTH
Overall rating: HIGH (vulnerabilities in the DVWA web application)
OBSERVATIONS
During the course of this engagement we observed several areas of concern
that we believe pose a significant risk to the security of the application
and should be addressed in a timely manner. By exploiting these vulnerabilities
an attacker can retrieve any data from the database, including sensitive
customer data, or take over other users' accounts.
IMMEDIATE ACTIONABLE RECOMMENDATIONS
Validate all user input against an allow-list (whitelist) of permitted values.
Apply output encoding to all user-supplied input that is reflected in HTML
responses.
Add a CAPTCHA to the login page after three failed login attempts.
SCAN DETAILS
Start Date 5th May, 2020
Finish Date 9th May, 2020
Scan Time 5 Days
Server Technology PHP
URL [Link]
Credentials User: admin Role: Administrator
Scope Black-Box
THREAT DISTRIBUTION
SEVERITY LEVEL | COLOR INDICATOR | CVSS RANGE
HIGH | RED | 7.00-10.00
MEDIUM | ORANGE | 4.00-6.99
LOW | GREEN | 0.01-3.99
THREAT ANALYSIS
BY INSTANCE COUNT AND CVSS
Vulnerability | Instance count | CVSS
SQL Injection | 1 | 8.6
Reflected Cross Site Scripting | 1 | 6.9
Lack of password brute force prevention | 1 | 4.9
Information leakage through HTTP response headers | 1 | 1.0
THREAT ANALYSIS
BY SEVERITY LEVEL
HIGH: SQL Injection
MEDIUM: Reflected Cross Site Scripting; Lack of password brute force prevention
LOW: Fingerprint Web Server (Information leakage through HTTP response headers)
1 SQL INJECTION
Relative Risk: High
Vulnerability Class: SQL Injection
CVSS v2: 8.6 (AV:N/AC:L/Au:S/C:P/I:P/A:C/E:H/RL:W/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M)
URL: [Link]
Parameter: id
OBSERVATION
The DVWA web application does not validate user input before it is consumed
inside SQL queries. This allows an attacker to supply input containing SQL
syntax that alters the query and returns data of the attacker's choosing from
the database. This class of vulnerability is termed SQL injection. With it, an
attacker can dump all data that the application's database user is privileged
to read.
EXHIBITS
Step 1
Log in to the web application with the admin user account.
Step 2
Navigate to the SQL Injection page at [Link] and search for user id 1' as
shown in the screenshot below.
Step 3
Note the following SQL error message:
You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near '\'' at line 1
This error indicates that the user input is concatenated into a dynamic SQL
string, and the escaped quote in the message shows that the injection point
lies inside a single-quoted literal. With this knowledge, Cybereaon analysts
were able to retrieve arbitrary data from the database.
Step 4
The following payload extracts the database version and the current database name:
1 and 1=1 union all select @@version,database() from information_schema.tables#
The following sample data was retrieved from the database using the approach above.
DATABASE INFORMATION
Database Name: [screenshot not reproduced]
Current user: [screenshot not reproduced]
USER INFORMATION
Username | Password: [screenshot not reproduced]
Note: Password hashes are partially masked for security reasons.
IMPACT
An attacker can dump all data in the database that the application's database user is
privileged to read. Dumped user credentials can then be misused to gain unauthorised access
to other users' accounts. A low-privileged user account is sufficient to conduct this attack
and thereby obtain administrator-level access.
RECOMMENDATION
Validate the id parameter against an allow-list of permitted values (see Immediate
Actionable Recommendations in the Executive Summary).
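The following is an added example, not code from the report or from DVWA, that reproduces the finding and its fix in a self-contained Python script against an in-memory SQLite database. The table rows are constructed sample data and the column names are assumed. The report's payload is MySQL-specific (@@version, information_schema), so the UNION is rewritten for SQLite; it also includes the closing quote that the 1' probe in the exhibit shows is needed to break out of the quoted literal (the payload as printed above omits it). The hardened lookup applies the allow-list validation the report recommends and, in addition, binds the value as a query parameter, the standard remediation for this class of flaw.

```python
import hashlib
import re
import sqlite3


def md5_hex(text: str) -> str:
    """DVWA stores unsalted MD5 hashes; used here only to build the constructed sample rows."""
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with constructed rows shaped like DVWA's users table.

    Column names (user_id, first_name, last_name, user, password) are assumed;
    the rows are sample data, not data from the assessed system.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, "
        "user TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            (1, "admin", "admin", "admin", md5_hex("password")),
            (2, "Gordon", "Brown", "gordonb", md5_hex("abc123")),
            (3, "Hack", "Me", "1337", md5_hex("charley")),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The pattern the report observed: the id parameter is pasted into the SQL text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


ID_PATTERN = re.compile(r"[0-9]{1,10}")


def lookup_fixed(conn: sqlite3.Connection, user_id: str) -> list:
    """Allow-list validation (the id must be a short decimal integer) plus a bound
    parameter, so the value can never be interpreted as SQL."""
    if not ID_PATTERN.fullmatch(user_id):
        raise ValueError(f"rejected user_id: {user_id!r}")
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (int(user_id),)
    ).fetchall()


# The report's probe: the lone quote terminates the literal early and breaks the syntax.
PROBE = "1'"

# The report's UNION technique rewritten for SQLite: the quote closes the literal, the
# injected SELECT has the same two columns as the original, and the comment marker
# swallows the trailing quote that the application appends.
UNION_PAYLOAD = "1' UNION ALL SELECT user, password FROM users -- "


def probe_breaks_query(conn: sqlite3.Connection) -> bool:
    """True when the probe produces a SQL syntax error, the report's indicator of injectability."""
    try:
        lookup_vulnerable(conn, PROBE)
    except sqlite3.OperationalError:
        return True
    return False


def dump_credentials(conn: sqlite3.Connection) -> set:
    """Every (username, hash) pair in the users table, read through the vulnerable lookup."""
    rows = lookup_vulnerable(conn, UNION_PAYLOAD)
    # The legitimate ('admin', 'admin') first/last-name row is present too; the rest came
    # from the injected SELECT.
    return {row for row in rows if row != ("admin", "admin")}


def fixed_rejects_payload(conn: sqlite3.Connection) -> bool:
    """True when the hardened lookup refuses the payload before any SQL runs."""
    try:
        lookup_fixed(conn, UNION_PAYLOAD)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("probe raises syntax error:", probe_breaks_query(db))
    for username, pw_hash in sorted(dump_credentials(db)):
        print(f"{username}: {pw_hash}")
    print("hardened lookup rejects payload:", fixed_rejects_payload(db))
```

The allow-list check alone would already stop this payload, but the bound parameter is what makes the query safe regardless of how the validation evolves; the two belong together, not as alternatives.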
2 REFLECTED CROSS SITE SCRIPTING
Relative Risk: Medium
Vulnerability Class: Cross Site Scripting (reflected)
CVSS v2: 6.9 (AV:N/AC:L/Au:N/C:N/I:P/A:N/E:H/RL:W/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M)
URL: [Link] /vulnerabilities/xss_r
Parameter: name
OBSERVATION
The DVWA web application does not perform output encoding of special characters
to prevent Cross Site Scripting. In the instance found, user-supplied input
containing special characters such as <, >, ' and / is echoed back in the HTML
response without any encoding. This allows an attacker to inject JavaScript that
can steal the victim's cookie, redirect the victim to a malicious website, and so
on.
EXHIBITS
Step 1
Navigate to [Link] vulnerabilities/xss_r.
Step 2
Submit the following payload in the name field:
<iframe onload="alert([Link])">
A dialog box containing the current URL is shown as a result of the payload.
IMPACT
Reflected Cross Site Scripting is somewhat harder to exploit than persistent XSS because the
malicious payload has to be sent as part of a URL that the victim must be tricked into visiting.
Once it executes, however, it has the same impact as persistent XSS. In the DVWA application,
XSS can be used to hijack the victim's session and thereby gain complete access to his or her
user account. It can also be used to redirect the victim to a malicious website hosting browser
exploits or a phishing page.
RECOMMENDATION
Apply output encoding to the name parameter, and to every other user-supplied value, before it
is reflected in the HTML response (see Immediate Actionable Recommendations in the Executive
Summary).
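The following added example (not code from the report or from DVWA) shows the output encoding recommended above, in Python, using the report's payload with alert(1) substituted for the argument the page does not reproduce. The renderer names and the <pre>Hello ...</pre> template are assumptions in the shape of DVWA's reflected XSS page; the check function shows how to confirm, from the rendered output alone, whether a tag from the input survived into the page.

```python
import html
import re

# The report's payload; alert(1) stands in for the argument the page does not reproduce.
PAYLOAD = '<iframe onload="alert(1)">'


def page_vulnerable(name: str) -> str:
    """Reflects the name parameter into the HTML body unencoded, the behaviour the report found."""
    return f"<pre>Hello {name}</pre>"


def page_fixed(name: str) -> str:
    """Entity-encodes the value for an HTML text context before it is reflected.

    html.escape(quote=True) rewrites & < > " and ', so no attacker-controlled character
    can open a tag or terminate an attribute; the browser renders the payload as text.
    """
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


TAG_RE = re.compile(r"<[A-Za-z][^>]*>")


def injected_tags(document: str) -> list:
    """Start tags in the rendered document that are not the template's own <pre>."""
    return [tag for tag in TAG_RE.findall(document) if not tag.startswith("<pre")]


def is_vulnerable(render) -> bool:
    """True when the renderer reflects the payload so that a tag survives into the page."""
    return bool(injected_tags(render(PAYLOAD)))


if __name__ == "__main__":
    for renderer in (page_vulnerable, page_fixed):
        print(renderer.__name__, "->", renderer(PAYLOAD),
              "| vulnerable:", is_vulnerable(renderer))
```

Encoding is context-specific: html.escape is correct for HTML text and quoted-attribute contexts, which is where DVWA reflects the name value. A value placed inside a script block, a URL or a style rule needs the encoder for that context instead, and the encoding must be applied at output time rather than at input, so the stored value stays usable elsewhere.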
3 LACK OF PASSWORD BRUTE FORCE PREVENTION
Relative Risk: Medium
Vulnerability Class: Insufficient Anti-Automation
CVSS v2: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N/E:POC/RL:W/RC:C/CDP:LM/TD:M/CR:M/IR:M/AR:M)
URL: [Link]
Parameter: password
OBSERVATION
The DVWA application neither locks a user account nor presents a CAPTCHA after
'n' failed login attempts. Cybereaon analysts tested with 15 consecutive failed
login attempts, during which the account was neither locked nor challenged with
a CAPTCHA.
EXHIBITS
Step 1
Navigate to the login page at [Link] and provide an invalid username and
password.
Step 2
Repeat Step 1 multiple times. The application neither presents a CAPTCHA nor
blocks the targeted user's account.
Step 3
Log in with a valid password. The application redirects to the account details
page rather than displaying an error stating that the account is locked.
IMPACT
An attacker can use a brute force attack to guess a valid password for an account: automated
software submits a large number of consecutive guesses for the password. A related form, the
dictionary attack, tries every word in a word list as the user's password. Moreover, because no
strong password policy is enforced, this vulnerability is relatively easy to exploit.
RECOMMENDATION
Password brute force attacks can be prevented by presenting the user with a strong CAPTCHA
after 3 failed attempts. Additionally, blocking the source IP address or temporarily locking
the account can be implemented after 15 failed attempts. The latter method can itself be
misused by an attacker to lock many user accounts and thereby create a denial-of-service
condition, so any lockout should be temporary.
References: [Link]
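An added example (not the report's or DVWA's code) implementing the recommendation above in Python: a login guard that demands a CAPTCHA after 3 failures and imposes a temporary lockout after 15, counted per account and per source IP so that one source hammering many accounts is also stopped. The sliding window and lockout durations, the class and function names and the IP addresses (from the RFC 5737 documentation ranges) are assumptions; the replay function repeats the report's Step 2 to show the decisions the application should have made.

```python
from collections import defaultdict, deque

CAPTCHA_AFTER = 3          # report: present a CAPTCHA after 3 failed attempts
LOCK_AFTER = 15            # report: temporary account lockout / IP block after 15
WINDOW_SECONDS = 15 * 60   # assumed: failures older than this no longer count
LOCK_SECONDS = 15 * 60     # assumed: how long a lockout lasts


class LoginGuard:
    """Tracks failed logins per account and per source IP.

    check() runs before the password is compared and returns 'locked', 'captcha' or 'ok'.
    Locking expires on its own, which bounds the denial of service the report warns about:
    an attacker can lock an account for LOCK_SECONDS, not permanently.
    """

    def __init__(self, now):
        self._now = now                      # injectable clock returning seconds
        self._failures = defaultdict(deque)  # ("user", name) / ("ip", addr) -> timestamps
        self._locked_until = {}              # same keys -> expiry time

    def _recent(self, key, now) -> int:
        """Number of failures for key inside the sliding window (older ones are dropped)."""
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def _is_locked(self, key, now) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[key]          # lockout expired
        return False

    def check(self, username: str, ip: str) -> str:
        now = self._now()
        keys = (("user", username), ("ip", ip))
        if any(self._is_locked(k, now) for k in keys):
            return "locked"
        if any(self._recent(k, now) >= CAPTCHA_AFTER for k in keys):
            return "captcha"
        return "ok"

    def record_failure(self, username: str, ip: str) -> None:
        now = self._now()
        for key in (("user", username), ("ip", ip)):
            self._failures[key].append(now)
            if self._recent(key, now) >= LOCK_AFTER:
                self._locked_until[key] = now + LOCK_SECONDS

    def record_success(self, username: str) -> None:
        """A correct password clears the account counters; the per-IP counters stay."""
        self._failures.pop(("user", username), None)
        self._locked_until.pop(("user", username), None)


def replay_report_exhibit(guard: LoginGuard, username: str, ip: str, attempts: int) -> list:
    """Repeats the report's Step 2 (consecutive failed logins) and returns check()'s
    decision before each attempt."""
    decisions = []
    for _ in range(attempts):
        decisions.append(guard.check(username, ip))
        guard.record_failure(username, ip)
    return decisions


if __name__ == "__main__":
    clock = [0.0]
    guard = LoginGuard(now=lambda: clock[0])
    print(replay_report_exhibit(guard, "admin", "203.0.113.5", 16))
    print("after 16 failures:", guard.check("admin", "203.0.113.5"))
```

The CAPTCHA threshold applies to the account and to the source IP independently, so a distributed attacker who rotates addresses still trips the account counter, while a single address spraying one guess across many accounts trips the IP counter before any account reaches its own limit.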
4 INFORMATION LEAKAGE THROUGH HTTP RESPONSE HEADERS
Relative Risk: Low
Vulnerability Class: Information Leakage
CVSS v2: 1.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:W/RC:C/CDP:N/TD:L/CR:M/IR:M/AR:M)
URL: [Link]
Parameter: Not Applicable
OBSERVATION
The web server hosting the DVWA application is configured such that the version of
the application server (PHP) is disclosed to end users in an HTTP response header.
EXHIBITS
Step 1
Request any page of the application and observe the response headers in Burp
Suite, as shown below.
IMPACT
From the header an attacker learns that the web server runs PHP 5.4.23 and can look up
known vulnerabilities in that version for further exploitation. There is no direct business
impact from this finding; removing the version disclosure falls under security best practice.
RECOMMENDATION
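The report does not reproduce the recommendation text for this finding. The standard remediation is to stop emitting version strings: expose_php = Off in php.ini removes the X-Powered-By header, ServerTokens Prod in the Apache configuration reduces the Server header to the product name, and Header unset X-Powered-By (mod_headers) is a further option where php.ini cannot be changed. The following added example (not code from the report) is a Python check that parses a raw HTTP response such as the one captured in Burp Suite and reports fingerprinting headers that carry a version number. Both responses are constructed: the X-Powered-By value is the one the report cites, the Server value is invented for illustration.

```python
import re

# Constructed response in the shape the report describes. The X-Powered-By value is the
# one the report cites; the Server line is invented for illustration.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.4.23\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>Welcome to DVWA</body></html>"
)

# Constructed: the same response after expose_php = Off and ServerTokens Prod.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>Welcome to DVWA</body></html>"
)

# Response headers that commonly carry product versions (compared case-insensitively).
FINGERPRINT_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator",
}
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def parse_headers(raw: str) -> list:
    """Split a raw HTTP response into (name, value) pairs; stops at the blank line before the body."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def find_version_leaks(raw: str) -> dict:
    """Return {header: value} for fingerprinting headers whose value contains a version number."""
    leaks = {}
    for name, value in parse_headers(raw):
        if name.lower() in FINGERPRINT_HEADERS and VERSION_RE.search(value):
            leaks[name] = value
    return leaks


if __name__ == "__main__":
    print("before:", find_version_leaks(LEAKY_RESPONSE))
    print("after: ", find_version_leaks(HARDENED_RESPONSE))
```

Run the check after the configuration change as well as before it: a version string that survives in the Server header after expose_php is turned off points at the web server configuration rather than at PHP.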