Cross-Site Request Forgery
This course talks about Cross-Site Request Forgery (CSRF) and covers how to install a vulnerable machine called Metasploitable and how to start using it.
Hi, within this lecture we're going to start working on the Metasploitable machine. As I said in the previous lecture, we're going to have to log in one more time over here and correct one bug so that we can start working on the vulnerabilities. In order to do that I'm going to log in one more time with msfadmin as the username and msfadmin as the password. If you haven't logged out, that's perfectly okay; just continue watching the video and see what I'm about to do.
I'm typing my password; again, the password is not shown while you type, but it is being entered. Just hit 'Enter' after you type msfadmin. Now we are inside Metasploitable. Just leave it there; we're going to come back to it. If you type ifconfig here, you can see the IP address, which is 10.0.2.5 for me. It will be different for you, and it doesn't matter what it is; just take note of that IP address, because we're going to use it to reach the machine from the browser like we did with the Bee-Box. So, I'm going to come over to the browser and type 10.0.2.5. Burp is on, so I'm going to turn off FoxyProxy.
If I hit 'Enter', the page opens. This is the Metasploitable2 machine. As I said before, we're not going to focus on only one vulnerable website in this machine; it hosts a couple of them, and we're going to focus mainly on Mutillidae and DVWA. This is a website like the one in the Bee-Box, and we're going to browse Mutillidae and DVWA, see what kinds of vulnerabilities are there and learn about them. You will see some similar vulnerabilities as well, but it's always a good idea to have a couple of options like bWAPP and Metasploitable. Later we're going to move on to something really up-to-date that uses the same technology framework, which is Juice Shop. For now I'm going to skip TWiki and phpMyAdmin and focus on Mutillidae and DVWA. So, click on 'Mutillidae'; as you can see, this is a website as well. It was born to be hacked: it's deliberately vulnerable, and we're going to find the vulnerabilities and learn new techniques.
We're not going to repeat ourselves, but it can actually be much better to work in Metasploitable for some kinds of vulnerabilities, like SQL injection; I'm going to show you why later on. DVWA is another possibility that we can explore. The username and password are admin and password. So, make sure you write admin in the username field and password in the password field, and you can log in and see what it looks like as well. As you can see, this is a website as well, and it contains some of the vulnerabilities that we're going to cover. But before we go on and start web pentesting on it, we need to make a configuration change, as I said before; it has to do with the database setup of Mutillidae. So, let me show you what we're going to do. If you come over here, as you can see we're not logged in, so we can try to create a new user here to log in. This is a regular login/register form like on any website. If we try to register here with something like admin, password, we will see an error. And as you can see, this error is not a regular error; it's not part of the vulnerability or part of any challenge.
Let me prove that by coming over here. Go to register and choose any username, like Atil. I'm going to give a random password like 123456, confirm that password, give just a signature over here and click 'Create Account', and as you can see it fails to create the account. The error message here is that metasploit.accounts does not exist. It isn't supposed to be that way; it's not part of a challenge, as I said before. It has to do with the configuration of the database, which is set up in an incorrect, non-standard way. So, we need to make it right, and in order to do that we need to go back to our Metasploitable machine, log in and change some settings. Okay, I'm inside of my Metasploitable machine as you can see; if you're not logged in, you have to log in. After you log in, just follow along with this one. Again, it's not part of any challenge; there is no logic in that, but we have to make it right.
So, what we're going to do is go to the database configuration and change a setting. I'm going to write nano; we're using the nano text editor to change a file. Then / and var, www and mutillidae, so make sure you spell it right: rather than html we are going into the mutillidae directory, spelled with a double l. Why do we do that? Because we don't have only one web page or only one web application here; we have multiple. We are trying to change the config.ini file inside of the Mutillidae website. Make sure you write exactly what I have written; pause the video if you want and type it exactly the way I did: nano, space, /var/www/mutillidae/config.ini. And I believe we have to do sudo nano, because we're not root in this one, and it will ask us for the password. So, I'm going to write the password one more time and hit 'Enter'. It opened, but I believe we made a spelling mistake, even though I said so many times that you have to spell it right. Let me see what it is. If you want to get out of this, you can just hit 'Control-X' to exit nano. If I hit the 'Up arrow', the command comes back. It should be .inc, not .ini: config.inc. This is the configuration file we are looking for. As you can see, this is PHP code and it specifies some of the parameters of the database that we are using, and in this case there is a misconfiguration. You can use the arrow keys on your keyboard to move around in this configuration file. If you press 'Down', you can come over to dbname, which is the database name; it's written as metasploit, but in fact it has to be owasp10. After you change this, you can hit 'Control-O' and 'Enter' to save it.
Just make it owasp10, and note that I haven't deleted the single quotation marks; I'm writing between them. After you do that, hit 'Control-O' and 'Enter' to save, and then 'Control-X' to exit. So, 'Control-O', 'Enter', 'Control-X', and we are out. We can clear the screen and start working with this database. Let me go back and see if we've made things right. So, where is our Kali Linux?
Here we are. I'm going to come over to login/register one more time, register again with the same username and the same password, 123456, choose the signature and click 'Create Account'. Now my account is created, and if I try to log in with it, I'm logged in. Now everything seems to be working. We are ready to start pentesting against Mutillidae, see different kinds of vulnerabilities and learn new techniques for bug bounty hunting as well. So, we're going to stop here and continue in the next lecture, where we talk about cookies and then something called CSRF. We're going to see what those are.
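The config.inc fix described above can also be made without the interactive nano session, which is handy when you rebuild the lab often and want to confirm the value rather than eyeball it. The following POSIX shell helper is an added example, not part of the course or of Mutillidae itself; it assumes the layout the lecture shows (a config.inc under /var/www/mutillidae containing a PHP line of the form `$dbname = '...';`) and the target value owasp10 from the lecture. It reads the current dbname, rewrites it while keeping the single quotes and a .bak copy of the file, and then re-reads the file to verify the change; the path and the --apply flag are this helper's own conventions.

```shell
#!/bin/sh
# Added helper (not from the course or Mutillidae): fix the database name in
# Mutillidae's config.inc on Metasploitable 2. Assumed layout from the lecture:
#   /var/www/mutillidae/config.inc contains a line like   $dbname = 'metasploit';
# and the correct value is 'owasp10'.

CONFIG_PATH="${CONFIG_PATH:-/var/www/mutillidae/config.inc}"
WANTED_DBNAME="owasp10"

# get_dbname FILE: print the value inside the quotes on the $dbname line
# (first match only; prints nothing if no such line exists).
get_dbname() {
    sed -n "s/^[[:space:]]*\\\$dbname[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# fix_dbname FILE VALUE: rewrite the $dbname line to VALUE, keeping the single
# quotes and everything else in the file. Writes FILE.bak first. Returns 0 when
# the file ends up with the wanted value, 1 otherwise.
fix_dbname() {
    file="$1"
    wanted="$2"
    if [ ! -f "$file" ]; then
        echo "fix_dbname: no such file: $file" >&2
        return 1
    fi
    current="$(get_dbname "$file")"
    if [ -z "$current" ]; then
        echo "fix_dbname: no \$dbname line found in $file" >&2
        return 1
    fi
    if [ "$current" = "$wanted" ]; then
        echo "fix_dbname: $file already uses dbname '$wanted'"
        return 0
    fi
    cp "$file" "$file.bak"
    # Replace only the quoted value; the capture group keeps "$dbname = " intact.
    # Write to a temp file and move it into place (portable, no sed -i needed).
    sed "s/^\([[:space:]]*\\\$dbname[[:space:]]*=[[:space:]]*\)'[^']*'/\1'$wanted'/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    echo "fix_dbname: changed dbname '$current' -> '$(get_dbname "$file")' (backup in $file.bak)"
    [ "$(get_dbname "$file")" = "$wanted" ]
}

# Only touch the real config when run with --apply, so that sourcing this file
# (for tests or reuse on another path) has no side effects.
if [ "${1:-}" = "--apply" ]; then
    fix_dbname "$CONFIG_PATH" "$WANTED_DBNAME"
fi
```

On Metasploitable the file belongs to root, so run it as `sudo sh fix_dbname.sh --apply`; the .bak copy lets you restore the original with a single mv if you ever want the broken state back. The re-read at the end is the point of scripting this: the registration test in the browser only tells you something changed, while the helper tells you exactly what the file now says.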
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.