dvwa updated

2018-10-12 15:49:58 +00:00 · 2018-10-12 15:49:58 +00:00 · c37af6fc80
commit c37af6fc80
parent 8f3c3af4fb
84 changed files with 1873 additions and 605 deletions
--- a/dvwa/vulnerabilities/csp/source/high.js
+++ b/dvwa/vulnerabilities/csp/source/high.js
@ -0,0 +1,19 @@
+function clickButton() {
+    var s = document.createElement("script");
+    s.src = "source/jsonp.php?callback=solveSum";
+    document.body.appendChild(s);
+}
+
+function solveSum(obj) {
+	if ("answer" in obj) {
+		document.getElementById("answer").innerHTML = obj['answer'];
+	}
+}
+
+var solve_button = document.getElementById ("solve");
+
+if (solve_button) {
+	solve_button.addEventListener("click", function() {
+		clickButton();
+	});
+}
--- a/dvwa/vulnerabilities/csp/source/high.php
+++ b/dvwa/vulnerabilities/csp/source/high.php
@ -0,0 +1,22 @@
+<?php
+$headerCSP = "Content-Security-Policy: script-src 'self';";
+
+header($headerCSP);
+
+?>
+<?php
+if (isset ($_POST['include'])) {
+$page[ 'body' ] .= "
+	" . $_POST['include'] . "
+";
+}
+$page[ 'body' ] .= '
+<form name="csp" method="POST">
+	<p>The page makes a call to ' . DVWA_WEB_PAGE_TO_ROOT . '/vulnerabilities/csp/source/jsonp.php to load some code. Modify that page to run your own code.</p>
+	<p>1+2+3+4+5=<span id="answer"></span></p>
+	<input type="button" id="solve" value="Solve the sum" />
+</form>
+
+<script src="source/high.js"></script>
+';
+
--- a/dvwa/vulnerabilities/csp/source/impossible.js
+++ b/dvwa/vulnerabilities/csp/source/impossible.js
@ -0,0 +1,19 @@
+function clickButton() {
+    var s = document.createElement("script");
+    s.src = "source/jsonp_impossible.php";
+    document.body.appendChild(s);
+}
+
+function solveSum(obj) {
+	if ("answer" in obj) {
+		document.getElementById("answer").innerHTML = obj['answer'];
+	}
+}
+
+var solve_button = document.getElementById ("solve");
+
+if (solve_button) {
+	solve_button.addEventListener("click", function() {
+		clickButton();
+	});
+}
--- a/dvwa/vulnerabilities/csp/source/impossible.php
+++ b/dvwa/vulnerabilities/csp/source/impossible.php
@ -0,0 +1,23 @@
+<?php
+
+$headerCSP = "Content-Security-Policy: script-src 'self';";
+
+header($headerCSP);
+
+?>
+<?php
+if (isset ($_POST['include'])) {
+$page[ 'body' ] .= "
+	" . $_POST['include'] . "
+";
+}
+$page[ 'body' ] .= '
+<form name="csp" method="POST">
+	<p>Unlike the high level, this does a JSONP call but does not use a callback, instead it hardcodes the function to call.</p><p>The CSP settings only allow external JavaScript on the local server and no inline code.</p>
+	<p>1+2+3+4+5=<span id="answer"></span></p>
+	<input type="button" id="solve" value="Solve the sum" />
+</form>
+
+<script src="source/impossible.js"></script>
+';
+
--- a/dvwa/vulnerabilities/csp/source/jsonp.php
+++ b/dvwa/vulnerabilities/csp/source/jsonp.php
@ -0,0 +1,13 @@
+<?php
+header("Content-Type: application/json; charset=UTF-8");
+
+if (array_key_exists ("callback", $_GET)) {
+	$callback = $_GET['callback'];
+} else {
+	return "";
+}
+
+$outp = array ("answer" => "15");
+
+echo $callback . "(".json_encode($outp).")";
+?>
--- a/dvwa/vulnerabilities/csp/source/jsonp_impossible.php
+++ b/dvwa/vulnerabilities/csp/source/jsonp_impossible.php
@ -0,0 +1,7 @@
+<?php
+header("Content-Type: application/json; charset=UTF-8");
+
+$outp = array ("answer" => "15");
+
+echo "solveSum (".json_encode($outp).")";
+?>
--- a/dvwa/vulnerabilities/csp/source/low.php
+++ b/dvwa/vulnerabilities/csp/source/low.php
@ -0,0 +1,22 @@
+<?php
+
+$headerCSP = "Content-Security-Policy: script-src 'self' https://pastebin.com  example.com code.jquery.com https://ssl.google-analytics.com ;"; // allows js from self, pastebin.com, jquery and google analytics.
+
+header($headerCSP);
+
+# https://pastebin.com/raw/R570EE00
+
+?>
+<?php
+if (isset ($_POST['include'])) {
+$page[ 'body' ] .= "
+	<script src='" . $_POST['include'] . "'></script>
+";
+}
+$page[ 'body' ] .= '
+<form name="csp" method="POST">
+	<p>You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:</p>
+	<input size="50" type="text" name="include" value="" id="include" />
+	<input type="submit" value="Include" />
+</form>
+';
--- a/dvwa/vulnerabilities/csp/source/medium.php
+++ b/dvwa/vulnerabilities/csp/source/medium.php
@ -0,0 +1,25 @@
+<?php
+
+$headerCSP = "Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=';";
+
+header($headerCSP);
+
+// Disable XSS protections so that inline alert boxes will work
+header ("X-XSS-Protection: 0");
+
+# <script nonce="TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=">alert(1)</script>
+
+?>
+<?php
+if (isset ($_POST['include'])) {
+$page[ 'body' ] .= "
+	" . $_POST['include'] . "
+";
+}
+$page[ 'body' ] .= '
+<form name="csp" method="POST">
+	<p>Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.</p>
+	<input size="50" type="text" name="include" value="" id="include" />
+	<input type="submit" value="Include" />
+</form>
+';