
Vulnerable Web Services

Published 2024-10-11 20:49:18 · Word count 3829 · Views 0 · Comments 0 · Favorites 0

Metasploitable2 also has deliberately vulnerable web applications preinstalled. The web server starts automatically when Metasploitable2 is booted. To access the web applications, open a web browser and enter the IPv4 address you have been using since Figure 10.19 . I can access mine by browsing to http://192.168.124.140 . As you see in Figure 10.22 , there are web applications that can be accessed from this page.

Screenshot of the Metasploitable2 web application home page displaying web applications that can be accessed from this page.

Figure 10.22 : Metasploitable2 web application home page

The Mutillidae web application contains all the vulnerabilities from the OWASP Top Ten (see Figure 10.23 ). If you scroll through the menus starting with the OWASP Top 10, the menus will cascade into subdirectories of vulnerabilities, including form caching and click‐jacking. Mutillidae allows the user to change the security level from 0 (completely and totally insecure) to 5 (secure). Additionally, three levels of hints are provided, ranging from “Level 0 – I try harder” (no hints) to “Level 2 – noob” (maximum hints). If the application is damaged by user injections and hacks, clicking the Reset DB button resets the application to its original state.

Screenshot of the Mutillidae web application that contains all the vulnerabilities from the OWASP Top 10.

Figure 10.23 : Purposefully vulnerable scripts of OWASP Top 10

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application, and it really is damn vulnerable. As described on the DVWA home page shown in Figure 10.24 , its main purpose is to help security professionals test their skills and tools in a legal environment and help web developers better understand the processes of securing web applications.

Screenshot displaying the DVWA home page to help security professionals test their skills and tools in a legal environment and help web developers to understand the processes of securing web applications.

Figure 10.24 : DVWA home page

The default DVWA username is admin, and the default password is password. Once you're inside the DVWA, you have the option of choosing different vulnerabilities and then using this tool to learn about each vulnerability and attempting to compromise the web application with that vulnerability.

For example, one of the vulnerabilities is SQL injection (SQLi). SQLi is a technique that is often used to attack data‐driven applications using code injection. This is done by including portions of an SQL statement in an entry field in an attempt to get the website to pass new commands to the database. The vulnerability occurs when user input is not validated and is instead concatenated into a query, so that it is unexpectedly executed as SQL. It is a well‐loved attack against websites, but it can be used to attack any type of MySQL, MSSQL, or PostgreSQL database. To learn how to create the rogue SQL commands, just use the DVWA to experiment.
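To make the defect concrete, here is an added example (not DVWA's own code) of the user-lookup pattern DVWA's SQLi exercise is built around: a query assembled by string concatenation next to the parameterized version that fixes it. It uses an in-memory SQLite table with constructed rows in place of DVWA's MySQL database, so it runs offline.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the DVWA users table (SQLite, not MySQL, so it runs offline).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Pablo", "Picasso")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    # The entry-field value is pasted straight into the statement, so anything
    # it contains is parsed as SQL. This is the defect the text describes.
    query = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn, user_id):
    # Parameterized query: the value is bound as data and can never change the
    # statement's structure, whatever characters it contains.
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


# Constructed input containing a quote that closes the literal and appends an
# always-true condition; it is the classic test case the DVWA exercise uses.
TAUTOLOGY = "1' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))        # one row
    print(lookup_vulnerable(db, TAUTOLOGY))  # every row: the WHERE clause became always true
    print(lookup_fixed(db, TAUTOLOGY))       # no rows: the whole string is treated as one user_id
```

Raising DVWA's security level swaps the first function for the second, which is why the same input stops working at higher levels.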
