Abstract: A vulnerability range (a deliberately vulnerable target environment) lets us practise penetration testing, analyse how vulnerabilities arise, learn how to fix them and improve our own code, and measure how well different vulnerability scanners perform.

This article is shared from the Huawei Cloud community post "Web Vulnerability Target Building – WAVSep", by XuPlus.

Penetration testing cannot be learned from an armchair. While studying it we usually need a test environment that contains real vulnerabilities to practise against. Attacking websites without authorization breaks the law, so instead of testing unauthorized targets on the public internet we build our own vulnerability range.

A vulnerability range not only lets us practise penetration testing and analyse how a vulnerability comes about; it also teaches us how to repair the flaw and improves our coding. It can also be used to measure how effective various vulnerability scanners are.

This article uses SecTooladdict/WAVSep (the Web Application Vulnerability Scanner Evaluation Project) as the example: first we build the range, then we use Huawei Cloud's Vulnerability Scan Service to find the vulnerabilities it contains.

Setting up the range

Start with a Linux machine for the experiment; this one runs Ubuntu 18.04:

❯ cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

Docker

Most ranges now ship as a Docker image, so we use Docker to bring the range up quickly. Install Docker by following the official manual (Install Docker Engine on Ubuntu | Docker Documentation), or use the convenience script from get.docker.com to automate it. Note that the one-liner below pipes a remote script straight into a root shell; on anything other than a throwaway lab machine, download the script and read it before running it:

root in szvphisprd13003
❯ wget -qO- https://get.docker.com/ | bash

After installation, configure a registry mirror so that image pulls are faster. Here the USTC mirror is configured in /etc/docker/daemon.json (restart the daemon afterwards, for example with systemctl restart docker, for the change to take effect):

{
  "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}

WAVSEP

WAVSEP is one of the classic vulnerability ranges. It covers the common web vulnerability classes (SQL injection, XSS, path traversal, ...) with a large number of test scenarios, and it even includes fake vulnerabilities so that a scanner's false-positive rate can be measured. The current test cases are:

  • Path Traversal/LFI: 816 test cases, implemented in 816 jsp pages (GET & POST)

  • Remote File Inclusion (XSS via RFI): 108 test cases, implemented in 108 jsp pages (GET & POST)

  • Reflected XSS: 66 test cases, implemented in 64 jsp pages (GET & POST)

  • Error Based SQL Injection: 80 test cases, implemented in 76 jsp pages (GET & POST)

  • Blind SQL Injection: 46 test cases, implemented in 44 jsp pages (GET & POST)

  • Time Based SQL Injection: 10 test cases, implemented in 10 jsp pages (GET & POST)

  • Unvalidated Redirect: 60 test cases, implemented in 60 jsp pages (GET & POST)

  • Old, Backup and Unreferenced Files: 184 test cases, implemented in 184 files (GET only)

  • Passive Information Disclosure/Session Vulnerabilities (inspired/imported from ZAP-WAVE): 3 test cases of erroneous information leakage and 2 cases of improper authentication/information disclosure, implemented in 5 jsp pages

  • Experimental Test Cases (inspired/imported from ZAP-WAVE): 9 additional RXSS test cases (anti-CSRF tokens, secret input vectors, tag signatures, etc.) and 2 additional SQLi test cases (INSERT), implemented in 11 jsp pages (GET & POST)

Install WAVSEP with Docker (search for the image, pull it, then run it with port 8080 published):

root in szvphisprd13003 in ~
❯ docker search wavsep
...
owaspvwad/wavsep   The Web Application Vulnerability Scanner E...   6
...
root in szvphisprd13003 in ~
❯ docker pull owaspvwad/wavsep
...
root in szvphisprd13003 in ~
❯ docker run -itd -p 8080:8080 owaspvwad/wavsep

Once the container is up, visit http://IP:8080/wavsep/. Be aware that -p 8080:8080 publishes the port on every interface of the host, so a deliberately vulnerable application is now reachable by anyone who can reach the host. On a shared network, bind it to the loopback interface instead (-p 127.0.0.1:8080:8080) or restrict access with a firewall to the addresses that need it (for example the scanner's), and tear the container down when the exercise is over.

Finding the vulnerabilities

We look for problems in the range both by manual testing and with a scanner.

Manual testing

Take the local file inclusion (LFI) vulnerability as an example. Open the index page of one LFI test-case family, then the first case, which receives the file to read in its target parameter:

http://IP:8080/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/index.jsp
http://IP:8080/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/Case01-LFI-FileClass-FilenameContext-Unrestricted-OSPath-DefaultFullInput-AnyPathReq-Read.jsp?target=/root/apache-tomcat-8.0.27/webapps/wavsep/active/LFI/LFI-Detection-Evaluation-GET-500Error/content.ini

Now change the target parameter by hand to /etc/passwd. The page reads and returns the container's passwd file, confirming that the parameter is passed to a file read without any restriction on the path. Check for the structure of a passwd file in the response (the root entry with UID and GID 0) rather than for the payload string itself, since a page that merely echoes the request would otherwise look like a successful read.

Huawei Cloud vulnerability scanning

1. Add the asset and complete domain-name verification

The scanner proves ownership by fetching a verification file from the site root. WAVSEP lives under /wavsep/, so the file has to go into Tomcat's ROOT webapp inside the container:

root in szvphisprd13003 in ~
❯ docker ps
02e9031d5b59   owaspvwad/wavsep   "/bin/sh -c 'sh ~/..."   8 months ago   Up 6 minutes   0.0.0.0:8080->8080/tcp
root in szvphisprd13003 in ~
❯ docker exec -it 02e9031d5b59 /bin/bash
root@02e9031d5b59:/# cd ~/apache-tomcat-8.0.27/webapps/ROOT/
root@02e9031d5b59:~/apache-tomcat-8.0.27/webapps/ROOT# echo d2NjX2NyeXB0ATQxNDU1MzVGNDM0MjQzOzMzMzAzNTM4MzUzMjM0NDUzNDMzMzQ0MTM4NDMzMTMwNDI0MjMzNDIzMzQzMzE0MTM0MzAzMzMzNDMzNjM4MzQzOTQ1MzgzNjM4MzMzNjM2NDQ0NTM2MzczMjQyNDEzMjQ0MzMzMDMyNDYzNDQ2MzU0NjMxMzEzMjM2MzYzOTM3NDUzNTM5NDI0MzM2NDUzNjQxNDEzNjMwMzYzNTMwMzk0NTM1MzAzMjM5NDQzNzQ0NDUzNDQyNDUzMzM1MzQ0NDs7MzUzMDMwMzAzMDs4Q0NEMkJEOUVFNkIxOTlCQjk4Qjk1QTgzMUJBMEZBNDtDQTRDQjVENUM4RjI1N0ZDOzM3MzgzMzM0MzU2MTM1MzIyRDYyMzUzNzY1MkQzNDY1MzEzNzJENjI2MzYzMzUyRDM2NjIzNzY1MzczMDY1MzMzNTM2MzAzMDs+d2NjX2NyeXB0ATQxNDU1MzVGNDM0MjQzOzM5MzI0NDMyMzk0NTM2NDMzMjM3MzA0MjM1NDMzNjM5MzQ0NDQxMzkzMDM4MzU0MTMxMzczNTMxNDI0MzQyMzE0NjMzNDQzNDM0MzIzMzQ0MzkzNTM0MzkzODQzNDYzOTMwMzEzNDQ2NDU0MzM0Mzk0NTQyMzgzOTQ2MzE0MzQ0OzszNTMwMzAzMDMwOzA4NDNFN0FEQzI3OUI0Q0QzNzA3RTNCN0YyMUM0RUIxO0MwODcyOTY0QjY0ODk4MEM7MzczODMzMzQzNTYxMzUzMjJENjIzNTM3NjUyRDM0NjUzMTM3MkQ2MjYzNjMzNTJEMzY2MjM3NjUzNzMwNjUzMzM1MzYzMDMwOw+d2NjX2NyeXB0ATQxNDU1MzVGNDM0MjQzOzM5NDM0NjMxMzQzNDMyNDU0NTM5NTgzODM4NDE0MzM4MzAzNjQ1MjM0NDYzNjUzNDNGMzM0NTQxNjM5MDs7MzUzMzAzMDMwMzA7MjBGQzg0NThGODVFNUM4NUI5QzBCQzE2MDgxRENGRjk7N0QyNjgyMTMwN0U2M0JDODszNzM4MzMzNDM1NjEzNTMyMkQ2MjM1Mzc2NTJEMzQ2NTMxMzcyRDYyNjM2MzM1MkQzNjYyMzc2NTM3MzA2NTMzMzUzNjMwMzA7+IP:8080 > hwwebscan_verify.html

Visit http://IP:8080/hwwebscan_verify.html to confirm that the verification file is served; once the scanner can fetch it, domain-name verification completes. The file content is the per-account token issued by the service when the asset is added, so use the one shown in your own console rather than the value above.

2. Start the scan with the target URL set to

http://IP:8080/wavsep/active/index-main.jsp

Do not use http://IP:8080/wavsep/ as the target. There is no page at that path, so the link crawler finds nothing to follow, discovers no test-case pages, and the scan reports nothing. The seed must be a page that actually exists and links onward to the cases.
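The crawler-seed point above is easy to see with a minimal same-host link crawler. This is an added example, not code from the original article, from WAVSEP, or from the Huawei Cloud scanner: the site map it crawls is constructed for the demo and borrows the article's URL layout without claiming to describe WAVSEP's real page structure. Seeding from a path that answers 404 yields nothing; seeding from index-main.jsp reaches every linked page.

```python
# Added example (not from the original article, WAVSEP or the scanner): a small
# breadth-first crawler to show why the scan seed must be an existing, linked page.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkExtractor(HTMLParser):
    """Collect href/src values from a, frame and iframe tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "frame", "iframe"):
            for name, value in attrs:
                if name in ("href", "src") and value:
                    self.links.append(value)


def extract_links(page_url, html):
    """Absolute, same-host links in `html`, in document order, deduplicated."""
    parser = LinkExtractor()
    parser.feed(html)
    host = urlsplit(page_url).netloc
    seen, out = set(), []
    for link in parser.links:
        absolute = urljoin(page_url, link)
        if urlsplit(absolute).netloc == host and absolute not in seen:
            seen.add(absolute)
            out.append(absolute)
    return out


def crawl(seed, fetcher, limit=500):
    """Breadth-first crawl from `seed`; fetcher(url) -> (status, html).
    Only pages answering 200 are kept and have their links followed."""
    queue, seen, reached = [seed], set(), []
    while queue and len(reached) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, html = fetcher(url)
        if status != 200:
            continue
        reached.append(url)
        queue.extend(extract_links(url, html))
    return reached


# Constructed site map for the demo (status, body); any other URL is a 404.
BASE = "http://IP:8080/wavsep/active/"
CASE01 = ("LFI/LFI-Detection-Evaluation-GET-500Error/Case01-LFI-FileClass-"
          "FilenameContext-Unrestricted-OSPath-DefaultFullInput-AnyPathReq-Read.jsp")
SITE = {
    BASE + "index-main.jsp": (200, '<a href="index-active.jsp">Active</a><a href="LFI/index.jsp">LFI</a>'),
    BASE + "index-active.jsp": (200, '<a href="LFI/index.jsp">LFI cases</a>'),
    BASE + "LFI/index.jsp": (200, '<a href="LFI-Detection-Evaluation-GET-500Error/index.jsp">GET-500Error</a>'),
    BASE + "LFI/LFI-Detection-Evaluation-GET-500Error/index.jsp": (
        200,
        '<a href="Case01-LFI-FileClass-FilenameContext-Unrestricted-OSPath-DefaultFullInput-'
        'AnyPathReq-Read.jsp?target=content.ini">Case01</a><a href="https://example.com/">off-site</a>',
    ),
    BASE + CASE01 + "?target=content.ini": (200, "[content]"),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP GET against the constructed site."""
    return SITE.get(url, (404, "Not Found"))


def compare_seeds():
    """Crawl from the bare /wavsep/ path and from index-main.jsp; return page counts per seed."""
    return {
        "http://IP:8080/wavsep/": len(crawl("http://IP:8080/wavsep/", fake_fetch)),
        BASE + "index-main.jsp": len(crawl(BASE + "index-main.jsp", fake_fetch)),
    }


if __name__ == "__main__":
    for seed, count in compare_seeds().items():
        print(f"{count:3d} page(s) reachable from {seed}")
```

The off-site link in the demo is dropped by the same-host filter, which is also what keeps a scanner from wandering onto hosts you are not authorized to test.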

3. When the scan completes, review the reported vulnerabilities and compare them against the test cases WAVSEP is known to contain.
