Reference no: EM131768773

Application Attacks using the OWASP Mutillidae II Environment

OWASP Mutillidae is an intentionally vulnerable, open-source web application that focuses on the OWASP Top 10.

The application runs remotely at the hack.me website; however, a full version is available from IronGeek.com that can be set up in a VM on the desktop. To enable "hints", click the "Toggle Hints" button on the menu bar once to activate level-1 hints.

Level-1 hints generate dynamic boxes that provide vulnerability information, including discovery and exploitation. Level-2 hints are activated by clicking a second time and provide tutorials. By default, no hints are provided (level 0).

For each of the labs, be certain that you are jotting down your ideas for mitigating the vulnerabilities that would allow the attacks.

Morning Activities

Lab 1. SQL Injection Video

1. View the movie "Walking through Walls"  and answer the following questions:

a. What was the significance of the tester removing the JavaScript code from the page?

b. What measures could be put into place to ensure that this attack was not successful?

Lab 2. Directory Browsing for Robots.txt

Sites use the robots.txt file to deter crawlers from indexing certain pages at the site that may contain sensitive information. To most hackers, the presence of a robots.txt file simply lets them know what files are the most interesting! In this lab, you will change the directory path in your URL to point it to the robots.txt file.

1. Start a new Mutillidae sandbox by logging in and creating a new sandbox (accepting the Terms of Service, or TOS).

2. From the Mutillidae Main Menu, select "OWASP Top 10" -> "A6 - Security Misconfiguration" -> "Directory Browsing" ->

3. At the Directory Browsing page, browse to the robots.txt file by highlighting the current page in the folder, after hack.me/, as shown below, and replacing the highlighted text with robots.txt. What pages or folders did you find that might be of interest to you?

4. Take a screenprint of this page!

Lab 3. Broken Authentication and Session Management (Authentication Bypass using SQL Injection).

In this lab, we will bypass authentication by injecting SQL code at a login prompt to gain unauthorized access to a vulnerable web server, Mutillidae.

1. Start a new Mutillidae sandbox by logging in and creating a new sandbox (accepting the Terms of Service, or TOS).

2. From the Mutillidae Main Menu, select "OWASP Top 10" -> "A3 - Broken Authentication and Session Management" -> "Login" ->

3. At the Login screen, under the Please sign-in box, enter hacker for the Name and "' or 1=1 -- " for the Password and click on the Login box.

4. In the upper right-hand screen, who are you now logged in as? Take a screenprint of this page!

You have completed this lab. Please reset the database by clicking on the Home link on the Menu Bar and then on the Reset DB link on the Menu Bar to return the tables to their original state.

Lab 4a - Persistent Cross-Site Scripting (XSS)

Persistent Cross-Site Scripting is a more damaging form of XSS than reflected XSS, because the injection is permanently stored in the source, such as the comments on a video or blog. In this lab, we will leverage a bug in the vulnerable server to add to the blog.php code, using a Persistent XSS technique. This will allow us to store an alert popup box.

1. Start a new Mutillidae sandbox by logging in and creating a new sandbox (accepting the Terms of Service, or TOS).

2. From the Mutillidae Main Menu, select "OWASP Top 10" -> "A2 - Cross Site Scripting (XSS)" -> "Persistent (Second Order)" -> "Add to your blog".

3. To test the site for the vulnerability, enter the text below in the comment box: <script>alert("Hello from your friendly hacker community")</script> We will be looking for a popup box with our text to display if we are successful.

4. Click the OK button to close the popup box.

5. Navigate back to the View Blogs link by selecting "OWASP Top 10" -> "A2 - Cross Site Scripting (XSS)" -> "Persistent (Second Order)" -> "View someone's blog".

6. At the "Please Choose Author" drop-down box, select Show All to show all blog entries and then click on the View Blog Entries button.

7. Click the OK button. You should notice that the XSS injection text is persistently stored in the blog. Take a screenprint of this page!

You have completed this lab. Please reset the database by clicking on the Home link on the Menu Bar and then on the Reset DB link on the Menu Bar to return the tables to their original state.

Lab 4b - Persistent Cross-Site Scripting (XSS)

Let's try to extend this lab a bit in order to add an iframe.

1. From the Mutillidae Main Menu, select "OWASP Top 10" -> "A2 - Cross Site Scripting (XSS)" -> "Persistent (Second Order)" -> "Add to your blog".

2. In the text box, place the following: (Go to website-2600)

3. Click the Save Blog Entry button to save the text.

4. You will now see your site displayed in the comments, which also could have been used to run fairly malicious scripts. Take a screenprint of this page!

You have completed this lab. Please reset the database by clicking on the Home link on the Menu Bar and then on the Reset DB link on the Menu Bar to return the tables to their original state.
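Labs 4a and 4b both work because the blog page copies a stored comment into the HTML exactly as it was saved. The following is an added example, not Mutillidae's blog.php: an in-memory blog store constructed for the demo, rendered once without output encoding (the behaviour the labs exploit) and once with html.escape applied at output time. The script entry is the text from Lab 4a; the iframe entry is a constructed placeholder with the URL https://example.invalid/, since the lab's own target is not reproduced here.

```python
"""Added example (not Mutillidae's code): stored comments rendered with and
without output encoding. BlogStore, the entries and the iframe URL are
constructed for this demo."""
import html

# Inputs: the script payload from Lab 4a, and a constructed iframe for Lab 4b.
SCRIPT_ENTRY = '<script>alert("Hello from your friendly hacker community")</script>'
IFRAME_ENTRY = '<iframe src="https://example.invalid/"></iframe>'   # placeholder URL


class BlogStore:
    """Stands in for the blogs table: entries persist across page views."""

    def __init__(self):
        self.entries = []

    def add_entry(self, author, comment):
        # Stored verbatim: input filtering is not where the fix belongs,
        # because the same text may be rendered in several contexts.
        self.entries.append((author, comment))


def render_vulnerable(store):
    """Interpolates stored text straight into the page, so the browser
    treats <script> and <iframe> in a comment as markup and runs it."""
    rows = "".join("<tr><td>%s</td><td>%s</td></tr>" % (author, comment)
                   for author, comment in store.entries)
    return "<table>%s</table>" % rows


def render_safe(store):
    """HTML-encodes every untrusted value at output time. The data in the
    store is unchanged; the browser now sees text instead of tags."""
    rows = "".join("<tr><td>%s</td><td>%s</td></tr>"
                   % (html.escape(author), html.escape(comment))
                   for author, comment in store.entries)
    return "<table>%s</table>" % rows


def has_active_content(page):
    """Demo-only check: does the rendered page still carry a script or
    iframe tag that a browser would act on?"""
    lowered = page.lower()
    return "<script" in lowered or "<iframe" in lowered


if __name__ == "__main__":
    blog = BlogStore()
    blog.add_entry("anonymous", SCRIPT_ENTRY)
    blog.add_entry("anonymous", IFRAME_ENTRY)
    print("unencoded page has active content:", has_active_content(render_vulnerable(blog)))
    print("encoded page has active content:  ", has_active_content(render_safe(blog)))
    print(render_safe(blog))
```

The point for the mitigation notes asked for in this assignment: the entry is still stored, so "View someone's blog" shows the attacker's text, but encoded output means it is displayed rather than executed. A Content-Security-Policy header that disallows inline script adds a second layer if an encoding step is ever missed.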

Lab 5 - SQL Injection Lab

1. From the Mutillidae Main Menu, select "OWASP Top 10" -> "A1 - SQL Injection" -> "SQLi - Extract Data" -> "User Info".

2. At the "User Information" page, attempt to view the information for Name admin and password of Password.

a. Were you successful?

b. What information was returned to you by the web application that might help further your information gathering at this site? Take a screenprint of this page!

3. Now, simply inject the SQL command (copy and paste it) into the Name field: "' or 1=1 -- " and click on the View Account Details button.

a. What information is returned?

b. What is the password for the Admin account?

c. Can you explain why? Take a screenprint of this page!

4. Intentionally enter in incorrect SQL syntax into the password field: "' or 1=1 " (without the trailing dashes - you can copy and paste this into the password field).

a. What information was returned that might be helpful to you in furthering an attack on this server? Take a screenprint of this page!

You have completed this lab. Please reset the database by clicking on the Home link on the Menu Bar and then on the Reset DB link on the Menu Bar to return the tables to their original state.
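Lab 3 and Lab 5 exercise the same defect: the login and User Information pages build their SQL by pasting the form fields into the query text, which is why "' or 1=1 -- " turns a credential check into a match on every row, and why the malformed "' or 1=1 " (no trailing dashes) produces an error message that reveals the query. The following is an added example, not Mutillidae's PHP: a SQLite table with constructed placeholder rows, queried first the string-built way and then with bound parameters, with the two error-handling styles side by side. The assumption that the first matching row is treated as the signed-in user is this demo's, made to mirror the Lab 3 question.

```python
"""Added example (not Mutillidae's code): the Lab 3 / Lab 5 query built by
string concatenation versus with bound parameters. The accounts table, its
rows and the error wording are constructed for this demo."""
import sqlite3

# Constructed sample rows; the passwords are placeholders, not lab values.
SAMPLE_ACCOUNTS = [
    ("admin", "PLACEHOLDER-admin-password"),
    ("alice", "PLACEHOLDER-alice-password"),
    ("bob", "PLACEHOLDER-bob-password"),
]

# Inputs taken from the lab text.
AUTH_BYPASS = "' or 1=1 -- "    # Lab 3 step 3 and Lab 5 step 3 (trailing dashes)
BROKEN_SYNTAX = "' or 1=1 "     # Lab 5 step 4 (no trailing dashes)


def make_db():
    """In-memory SQLite database standing in for the accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, username, password):
    """String-built query: the form fields become part of the SQL grammar.

    Returns {"rows": [...], "error": None}. On a database error it echoes
    the engine message and the failing query to the client, which is the
    kind of disclosure Lab 5 step 4 asks you to look for.
    """
    sql = ("SELECT username, password FROM accounts "
           "WHERE username='%s' AND password='%s'" % (username, password))
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": "%s (query was: %s)" % (exc, sql)}


def safe_lookup(conn, username, password):
    """Parameterized query: the fields are bound as data and cannot change
    the statement. Errors are logged server-side; the client gets a fixed
    message with no query text or engine details."""
    sql = ("SELECT username, password FROM accounts "
           "WHERE username=? AND password=?")
    try:
        return {"rows": conn.execute(sql, (username, password)).fetchall(),
                "error": None}
    except sqlite3.Error as exc:
        print("internal error: %s" % exc)   # stand-in for a server-side log
        return {"rows": [], "error": "Login failed."}


def logged_in_as(result):
    """Demo assumption: the first matching row is treated as the signed-in user."""
    return result["rows"][0][0] if result["rows"] else None


if __name__ == "__main__":
    db = make_db()
    print("Lab 3, string-built:  ", logged_in_as(vulnerable_lookup(db, "hacker", AUTH_BYPASS)))
    print("Lab 3, parameterized: ", logged_in_as(safe_lookup(db, "hacker", AUTH_BYPASS)))
    print("Lab 5 step 3 rows:    ", vulnerable_lookup(db, AUTH_BYPASS, "anything")["rows"])
    print("Lab 5 step 4 error:   ", vulnerable_lookup(db, "admin", BROKEN_SYNTAX)["error"])
    print("same input, hardened: ", safe_lookup(db, "admin", BROKEN_SYNTAX))
```

Running it shows the three observations the labs ask for: with the string-built query the bypass string returns every row (so the login lands on the first account and the User Information page lists every password), the malformed input returns an error that quotes the statement, and with bound parameters the same two inputs are just strings that match nothing and produce no error text. Parameterizing every query and returning a generic error page are the two mitigations to note.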
