A Short Trip to the Black-Hat Camp

  1. Work through various tutorials, individually or in teams

  2. Attack Lhotse

  3. ?

  4. Profit

Gruyere (formerly known as Jarlsberg)

DVWA Installation

  • sudo apt-get install gcc-multilib eglibc-source

  • sudo tar xzvf xampp-linux-*.tar.gz -C /opt

  • sudo unzip DVWA-1.0.7.zip -d /opt/lampp/htdocs/

  • sudo /opt/lampp/lampp start

  • http://127.0.0.1/dvwa/login.php (admin/password)

  • http://127.0.0.1/dvwa/setup.php

  • Setup → Create / Reset Database

  • DVWA Security → "Low"

  • Setup → Create / Reset Database

Example Tasks for DVWA

  • Guestbook (stored XSS)

    • Make a "Defaced" alert popup

    • Display an iframe showing "heise.de"

    • Display the cookie in a popup

    • Create an HTML page on pastehtml.com and redirect the browser to it

  • Guestbook (CSRF)

    • Change the password via URL-based CSRF (check with http://127.0.0.1/dvwa/login.php)

    • Change the password using curl (must use the cookie from the XSS attack)

    • Create an HTML page with a link that changes a user's password (while the user is logged in)

    • Create an HTML page with an invisible iframe that changes a user's password (while the user is logged in)
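The CSRF tasks above all rely on DVWA accepting a password change through a plain GET URL, which is exactly what a link or a hidden iframe can trigger. The following added example (not part of the original workshop material or of DVWA) shows the defender's side: a small Python scanner that reads Apache combined-format access logs and flags password changes carried in a GET request, or arriving with a missing or cross-site Referer. The log lines are constructed samples; the DVWA path `/vulnerabilities/csrf/` and the `password_new`/`Change` parameter names are assumed from DVWA 1.0.7, and `attacker.example` is a placeholder host.

```python
import re
from urllib.parse import parse_qs, urlparse
# Constructed sample traffic in Apache "combined" log format (not real data).
# The DVWA path /vulnerabilities/csrf/ and its password_new/Change parameters
# are assumed from DVWA 1.0.7; attacker.example is a placeholder host.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2012:10:01:02 +0100] "GET /dvwa/vulnerabilities/csrf/ HTTP/1.1" 200 4123 "http://127.0.0.1/dvwa/index.php" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2012:10:01:30 +0100] "GET /dvwa/vulnerabilities/csrf/?password_new=x&password_conf=x&Change=Change HTTP/1.1" 200 4210 "http://127.0.0.1/dvwa/vulnerabilities/csrf/" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2012:10:05:11 +0100] "GET /dvwa/vulnerabilities/csrf/?password_new=x&password_conf=x&Change=Change HTTP/1.1" 200 4210 "http://attacker.example/page.html" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2012:10:06:00 +0100] "GET /dvwa/vulnerabilities/csrf/?password_new=x&password_conf=x&Change=Change HTTP/1.1" 200 4210 "-" "curl/7.22.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
STATE_CHANGING_PARAMS = {"password_new", "Change"}  # assumed DVWA parameter names
APP_HOST = "127.0.0.1"  # host the lab app is served from

def classify(line, app_host=APP_HOST):
    """Findings for one log line ([] means nothing suspicious).
    A password change carried in a GET is flagged because a link or an invisible
    iframe can trigger it; a missing or cross-site Referer is the trace such a
    forged request usually leaves. Referer is a detection aid, not a control:
    the fix is a server-checked anti-CSRF token on a POST form."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    params = set(parse_qs(urlparse(m["path"]).query))
    if not params & STATE_CHANGING_PARAMS:
        return []
    findings = []
    if m["method"] == "GET":
        findings.append("state-change-via-GET")
    referer = m["referer"]
    if referer == "-":
        findings.append("missing-referer")
    elif urlparse(referer).hostname != app_host:
        findings.append("cross-site-referer:%s" % urlparse(referer).hostname)
    return findings

def scan(log_text, app_host=APP_HOST):
    """(client IP, findings) for every line that produced findings."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line, app_host)
        if findings:
            hits.append((line.split(" ", 1)[0], findings))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

On the sample data the first line is clean, the second is flagged only for changing state via GET, and the last two additionally show a cross-site or absent Referer, which is the pattern the link and iframe exercises produce.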

XSS Tutorials

Support