first commit

dvwa/vulnerabilities/csrf/help/help.php

@@ -0,0 +1,57 @@
+<div class="body_padded">
+	<h1>Help - Cross Site Request Forgery (CSRF)</h1>
+
+	<div id="code">
+	<table width='100%' bgcolor='white' style="border:2px #C0C0C0 solid">
+	<tr>
+	<td><div id="code">
+		<h3>About</h3>
+		<p>CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.
+			With a little help of social engineering (such as sending a link via email/chat), an attacker may force the users of a web application to execute actions of
+			the attacker's choosing.</p>
+
+		<p>A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is
+			the administrator account, this can compromise the entire web application.</p>
+
+		<p>This attack may also be called "XSRF", similar to "Cross Site scripting (XSS)", and they are often used together.</p>
+
+		<br /><hr /><br />
+
+		<h3>Objective</h3>
+		<p>Your task is to make the current user change their own password, without them knowing about their actions, using a CSRF attack.</p>
+
+		<br /><hr /><br />
+
+		<h3>Low Level</h3>
+		<p>There are no measures in place to protect against this attack. This means a link can be crafted to achieve a certain action (in this case, change the current users password).
+			Then with some basic social engineering, have the target click the link (or just visit a certain page), to trigger the action.</p>
+		<pre>Spoiler: <span class="spoiler">?password_new=password&password_conf=password&Change=Change</span>.</pre>
+
+		<br />
+
+		<h3>Medium Level</h3>
+		<p>For the medium level challenge, there is a check to see where the last requested page came from. The developer believes if it matches the current domain,
+			it must of come from the web application so it can be trusted.</p>
+		<p>It may be required to link in multiple vulnerabilities to exploit this vector, such as reflective XSS.</p>
+
+		<br />
+
+		<h3>High Level</h3>
+		<p>In the high level, the developer has added an "anti Cross-Site Request Forgery (CSRF) token". In order by bypass this protection method, another vulnerability will be required.</p>
+		<pre>Spoiler: <span class="spoiler">e.g. Javascript is a executed on the client side, in the browser</span>.</pre>
+
+		<br />
+
+		<h3>Impossible Level</h3>
+		<p>In the impossible level, the challenge will extent the high level and asks for the current user's password. As this cannot be found out (only predicted or brute forced),
+			there is not an attack vector here.</p>
+	</div></td>
+	</tr>
+	</table>
+
+	</div>
+
+	<br />
+
+	<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)' ); ?></p>
+</div>

dvwa/vulnerabilities/csrf/index.php

@@ -0,0 +1,76 @@
+<?php
+
+define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
+require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
+
+dvwaPageStartup( array( 'authenticated', 'phpids' ) );
+
+$page = dvwaPageNewGrab();
+$page[ 'title' ]   = 'Vulnerability: Cross Site Request Forgery (CSRF)' . $page[ 'title_separator' ].$page[ 'title' ];
+$page[ 'page_id' ] = 'csrf';
+$page[ 'help_button' ]   = 'csrf';
+$page[ 'source_button' ] = 'csrf';
+
+dvwaDatabaseConnect();
+
+$vulnerabilityFile = '';
+switch( $_COOKIE[ 'security' ] ) {
+	case 'low':
+		$vulnerabilityFile = 'low.php';
+		break;
+	case 'medium':
+		$vulnerabilityFile = 'medium.php';
+		break;
+	case 'high':
+		$vulnerabilityFile = 'high.php';
+		break;
+	default:
+		$vulnerabilityFile = 'impossible.php';
+		break;
+}
+
+require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/csrf/source/{$vulnerabilityFile}";
+
+$page[ 'body' ] .= "
+<div class=\"body_padded\">
+	<h1>Vulnerability: Cross Site Request Forgery (CSRF)</h1>
+
+	<div class=\"vulnerable_code_area\">
+		<h3>Change your admin password:</h3>
+		<br />
+
+		<form action=\"#\" method=\"GET\">";
+
+if( $vulnerabilityFile == 'impossible.php' ) {
+	$page[ 'body' ] .= "
+			Current password:<br />
+			<input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password_current\"><br />";
+}
+
+$page[ 'body' ] .= "
+			New password:<br />
+			<input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password_new\"><br />
+			Confirm new password:<br />
+			<input type=\"password\" AUTOCOMPLETE=\"off\" name=\"password_conf\"><br />
+			<br />
+			<input type=\"submit\" value=\"Change\" name=\"Change\">\n";
+
+if( $vulnerabilityFile == 'high.php' || $vulnerabilityFile == 'impossible.php' )
+	$page[ 'body' ] .= "			" . tokenField();
+
+$page[ 'body' ] .= "
+		</form>
+		{$html}
+	</div>
+
+	<h2>More Information</h2>
+	<ul>
+		<li>" . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Cross-Site_Request_Forgery' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'http://www.cgisecurity.com/csrf-faq.html' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Cross-site_request_forgery ' ) . "</li>
+	</ul>
+</div>\n";
+
+dvwaHtmlEcho( $page );
+
+?>

dvwa/vulnerabilities/csrf/source/high.php

@@ -0,0 +1,35 @@
+<?php
+
+if( isset( $_GET[ 'Change' ] ) ) {
+	// Check Anti-CSRF token
+	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
+
+	// Get input
+	$pass_new  = $_GET[ 'password_new' ];
+	$pass_conf = $_GET[ 'password_conf' ];
+
+	// Do the passwords match?
+	if( $pass_new == $pass_conf ) {
+		// They do!
+		$pass_new = mysql_real_escape_string( $pass_new );
+		$pass_new = md5( $pass_new );
+
+		// Update the database
+		$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
+		$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );
+
+		// Feedback for the user
+		$html .= "<pre>Password Changed.</pre>";
+	}
+	else {
+		// Issue with passwords matching
+		$html .= "<pre>Passwords did not match.</pre>";
+	}
+
+	mysql_close();
+}
+
+// Generate Anti-CSRF token
+generateSessionToken();
+
+?>

dvwa/vulnerabilities/csrf/source/impossible.php

@@ -0,0 +1,48 @@
+<?php
+
+if( isset( $_GET[ 'Change' ] ) ) {
+	// Check Anti-CSRF token
+	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
+
+	// Get input
+	$pass_curr = $_GET[ 'password_current' ];
+	$pass_new  = $_GET[ 'password_new' ];
+	$pass_conf = $_GET[ 'password_conf' ];
+
+	// Sanitise current password input
+	$pass_curr = stripslashes( $pass_curr );
+	$pass_curr = mysql_real_escape_string( $pass_curr );
+	$pass_curr = md5( $pass_curr );
+
+	// Check that the current password is correct
+	$data = $db->prepare( 'SELECT password FROM users WHERE user = (:user) AND password = (:password) LIMIT 1;' );
+	$data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
+	$data->bindParam( ':password', $pass_curr, PDO::PARAM_STR );
+	$data->execute();
+
+	// Do both new passwords match and does the current password match the user?
+	if( ( $pass_new == $pass_conf ) && ( $data->rowCount() == 1 ) ) {
+		// It does!
+		$pass_new = stripslashes( $pass_new );
+		$pass_new = mysql_real_escape_string( $pass_new );
+		$pass_new = md5( $pass_new );
+
+		// Update database with new password
+		$data = $db->prepare( 'UPDATE users SET password = (:password) WHERE user = (:user);' );
+		$data->bindParam( ':password', $pass_new, PDO::PARAM_STR );
+		$data->bindParam( ':user', dvwaCurrentUser(), PDO::PARAM_STR );
+		$data->execute();
+
+		// Feedback for the user
+		$html .= "<pre>Password Changed.</pre>";
+	}
+	else {
+		// Issue with passwords matching
+		$html .= "<pre>Passwords did not match or current password incorrect.</pre>";
+	}
+}
+
+// Generate Anti-CSRF token
+generateSessionToken();
+
+?>

dvwa/vulnerabilities/csrf/source/low.php

@@ -0,0 +1,29 @@
+<?php
+
+if( isset( $_GET[ 'Change' ] ) ) {
+	// Get input
+	$pass_new  = $_GET[ 'password_new' ];
+	$pass_conf = $_GET[ 'password_conf' ];
+
+	// Do the passwords match?
+	if( $pass_new == $pass_conf ) {
+		// They do!
+		$pass_new = mysql_real_escape_string( $pass_new );
+		$pass_new = md5( $pass_new );
+
+		// Update the database
+		$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
+		$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );
+
+		// Feedback for the user
+		$html .= "<pre>Password Changed.</pre>";
+	}
+	else {
+		// Issue with passwords matching
+		$html .= "<pre>Passwords did not match.</pre>";
+	}
+
+	mysql_close();
+}
+
+?>

dvwa/vulnerabilities/csrf/source/medium.php

@@ -0,0 +1,36 @@
+<?php
+
+if( isset( $_GET[ 'Change' ] ) ) {
+	// Checks to see where the request came from
+	if( eregi( $_SERVER[ 'SERVER_NAME' ], $_SERVER[ 'HTTP_REFERER' ] ) ) {
+		// Get input
+		$pass_new  = $_GET[ 'password_new' ];
+		$pass_conf = $_GET[ 'password_conf' ];
+
+		// Do the passwords match?
+		if( $pass_new == $pass_conf ) {
+			// They do!
+			$pass_new = mysql_real_escape_string( $pass_new );
+			$pass_new = md5( $pass_new );
+
+			// Update the database
+			$insert = "UPDATE `users` SET password = '$pass_new' WHERE user = '" . dvwaCurrentUser() . "';";
+			$result = mysql_query( $insert ) or die( '<pre>' . mysql_error() . '</pre>' );
+
+			// Feedback for the user
+			$html .= "<pre>Password Changed.</pre>";
+		}
+		else {
+			// Issue with passwords matching
+			$html .= "<pre>Passwords did not match.</pre>";
+		}
+	}
+	else {
+		// Didn't come from a trusted source
+		$html .= "<pre>That request didn't look correct.</pre>";
+	}
+
+	mysql_close();
+}
+
+?>