Merge pull request #523 from digininja/bypassauth

Disable Authentication
dgkizanis-nex · Jan 14, 2023 · 11fcc35 · 11fcc35
2 parents 4012004 + c78c535
commit 11fcc35
Show file tree

Hide file tree

Showing 17 changed files with 92 additions and 24 deletions.
diff --git a/README.md b/README.md
@@ -136,6 +136,22 @@ mysql> flush privileges;
 Query OK, 0 rows affected (0.00 sec)
 ```
 
+### Disable Authentication
+
+Some tools don't work well with authentication so can't be used with DVWA. To get around this, there is a config option to disable authentication checking. To do this, simply set the following in the config file:
+
+```php
+$_DVWA[ 'disable_authentication' ] = true;
+```
+
+You will also need to set the security level to one that is appropriate to the testing you want to do:
+
+```php
+$_DVWA[ 'default_security_level' ] = 'low';
+```
+
+In this state, you can access all the features without needing to log in and set any cookies.
+
 ### Other Configuration
 
 Depending on your Operating System, as well as version of PHP, you may wish to alter the default configuration. The location of the files will be different on a per-machine basis.

diff --git a/config/config.inc.php.dist b/config/config.inc.php.dist
@@ -47,6 +47,11 @@ $_DVWA[ 'default_phpids_verbose' ] = 'false';
 #   The default is 'en'. You may wish to set this to either 'en' or 'zh'.
 $_DVWA[ 'default_locale' ] = 'en';
 
+# Disable authentication
+#   Some tools don't like working with authentication and passing cookies around
+#   so this setting lets you turn off authentication.
+$_DVWA[ 'disable_authentication' ] = true;
+
 define ("MYSQL", "mysql");
 define ("SQLITE", "sqlite");
 

diff --git a/dvwa/includes/dvwaPage.inc.php b/dvwa/includes/dvwaPage.inc.php
@@ -5,8 +5,6 @@
 	exit;
 }
 
-session_start(); // Creates a 'Full Path Disclosure' vuln.
-
 if (!file_exists(DVWA_WEB_PAGE_TO_ROOT . 'config/config.inc.php')) {
 	die ("DVWA System error - config file not found. Copy config/config.inc.php.dist to config/config.inc.php and configure to your environment.");
 }
@@ -26,8 +24,7 @@
 	// Set security cookie to impossible if no cookie exists
 	if( in_array( $_DVWA[ 'default_security_level' ], $security_levels) ) {
 		dvwaSecurityLevelSet( $_DVWA[ 'default_security_level' ] );
-	}
-	else {
+	} else {
 		dvwaSecurityLevelSet( 'impossible' );
 	}
 
@@ -37,6 +34,31 @@
 		dvwaPhpIdsEnabledSet( false );
 }
 
+// This will setup the session cookie based on
+// the security level.
+
+if (dvwaSecurityLevelGet() == 'impossible') {
+	$httponly = true;
+	$samesite = true;
+}
+else {
+	$httponly = false;
+	$samesite = false;
+}
+
+$maxlifetime = 86400;
+$secure = false;
+
+session_set_cookie_params([
+	'lifetime' => $maxlifetime,
+	'path' => '/',
+	'domain' => $_SERVER['HTTP_HOST'],
+	'secure' => $secure,
+	'httponly' => $httponly,
+	'samesite' => $samesite
+]);
+session_start();
+
 if (!array_key_exists ("default_locale", $_DVWA)) {
 	$_DVWA[ 'default_locale' ] = "en";
 }
@@ -65,7 +87,7 @@ function &dvwaSessionGrab() {
 
 
 function dvwaPageStartup( $pActions ) {
-	if( in_array( 'authenticated', $pActions ) ) {
+	if (in_array('authenticated', $pActions)) {
 		if( !dvwaIsLoggedIn()) {
 			dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'login.php' );
 		}
@@ -103,6 +125,11 @@ function dvwaLogin( $pUsername ) {
 
 
 function dvwaIsLoggedIn() {
+	global $_DVWA;
+
+	if (in_array("disable_authentication", $_DVWA) && $_DVWA['disable_authentication']) {
+		return true;
+	}
 	$dvwaSession =& dvwaSessionGrab();
 	return isset( $dvwaSession[ 'username' ] );
 }
@@ -120,7 +147,7 @@ function dvwaPageReload() {
 
 function dvwaCurrentUser() {
 	$dvwaSession =& dvwaSessionGrab();
-	return ( isset( $dvwaSession[ 'username' ]) ? $dvwaSession[ 'username' ] : '') ;
+	return ( isset( $dvwaSession[ 'username' ]) ? $dvwaSession[ 'username' ] : 'Unknown') ;
 }
 
 // -- END (Session functions)
@@ -139,7 +166,21 @@ function &dvwaPageNewGrab() {
 
 
 function dvwaSecurityLevelGet() {
-	return isset( $_COOKIE[ 'security' ] ) ? $_COOKIE[ 'security' ] : 'impossible';
+	global $_DVWA;
+
+	// If there is a security cookie, that takes priority.
+	if (isset($_COOKIE['security'])) {
+		return $_COOKIE[ 'security' ];
+	}
+
+	// If not, check to see if authentication is disabled, if it is, use
+	// the default security level.
+	if (in_array("disable_authentication", $_DVWA) && $_DVWA['disable_authentication']) {
+		return $_DVWA[ 'default_security_level' ];
+	}
+
+	// Worse case, set the level to impossible.
+	return 'impossible';
 }
 
 
@@ -150,7 +191,7 @@ function dvwaSecurityLevelSet( $pSecurityLevel ) {
 	else {
 		$httponly = false;
 	}
-	setcookie( session_name(), session_id(), 0, '/', "", false, $httponly );
+
 	setcookie( 'security', $pSecurityLevel, 0, "/", "", false, $httponly );
 }
 
@@ -560,6 +601,12 @@ function dvwaGuestbook() {
 
 // Token functions --
 function checkToken( $user_token, $session_token, $returnURL ) {  # Validate the given (CSRF) token
+	global $_DVWA;
+
+	if (in_array("disable_authentication", $_DVWA) && $_DVWA['disable_authentication']) {
+		return true;
+	}
+
 	if( $user_token !== $session_token || !isset( $session_token ) ) {
 		dvwaMessagePush( 'CSRF token is incorrect' );
 		dvwaRedirect( $returnURL );

diff --git a/vulnerabilities/brute/index.php b/vulnerabilities/brute/index.php
@@ -14,7 +14,7 @@
 
 $method            = 'GET';
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 	case 'low':
 		$vulnerabilityFile = 'low.php';
 		break;

diff --git a/vulnerabilities/captcha/index.php b/vulnerabilities/captcha/index.php
@@ -15,7 +15,7 @@
 dvwaDatabaseConnect();
 
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 	case 'low':
 		$vulnerabilityFile = 'low.php';
 		break;

diff --git a/vulnerabilities/csp/index.php b/vulnerabilities/csp/index.php
@@ -14,7 +14,7 @@
 dvwaDatabaseConnect();
 
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 	case 'low':
 		$vulnerabilityFile = 'low.php';
 		break;

diff --git a/vulnerabilities/csrf/index.php b/vulnerabilities/csrf/index.php
@@ -14,7 +14,7 @@
 dvwaDatabaseConnect();
 
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 	case 'low':
 		$vulnerabilityFile = 'low.php';
 		break;

diff --git a/vulnerabilities/exec/index.php b/vulnerabilities/exec/index.php
@@ -14,7 +14,7 @@
 dvwaDatabaseConnect();
 
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 	case 'low':
 		$vulnerabilityFile = 'low.php';
 		break;

diff --git a/vulnerabilities/fi/index.php b/vulnerabilities/fi/index.php
@@ -14,7 +14,7 @@
 dvwaDatabaseConnect();
 
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 	case 'low':
 		$vulnerabilityFile = 'low.php';
 		break;

diff --git a/vulnerabilities/javascript/index.php b/vulnerabilities/javascript/index.php
@@ -14,7 +14,7 @@
 dvwaDatabaseConnect();
 
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 	case 'low':
 		$vulnerabilityFile = 'low.php';
 		break;
@@ -38,7 +38,7 @@
 		$token = $_POST['token'];
 
 		if ($phrase == "success") {
-			switch( $_COOKIE[ 'security' ] ) {
+			switch( dvwaSecurityLevelGet() ) {
 				case 'low':
 					if ($token == md5(str_rot13("success"))) {
 						$message = "<p style='color:red'>Well done!</p>";
@@ -72,7 +72,7 @@
 	}
 }
 
-if ( $_COOKIE[ 'security' ] == "impossible" ) {
+if ( dvwaSecurityLevelGet() == "impossible" ) {
 $page[ 'body' ] = <<<EOF
 <div class="body_padded">
 	<h1>Vulnerability: JavaScript Attacks</h1>

diff --git a/vulnerabilities/sqli/index.php b/vulnerabilities/sqli/index.php
@@ -15,7 +15,7 @@
 
 $method            = 'GET';
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 	case 'low':
 		$vulnerabilityFile = 'low.php';
 		break;

diff --git a/vulnerabilities/sqli_blind/index.php b/vulnerabilities/sqli_blind/index.php
@@ -15,7 +15,7 @@
 
 $method            = 'GET';
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 	case 'low':
 		$vulnerabilityFile = 'low.php';
 		break;

diff --git a/vulnerabilities/upload/index.php b/vulnerabilities/upload/index.php
@@ -14,7 +14,7 @@
 dvwaDatabaseConnect();
 
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 	case 'low':
 		$vulnerabilityFile = 'low.php';
 		break;

diff --git a/vulnerabilities/weak_id/index.php b/vulnerabilities/weak_id/index.php
@@ -14,7 +14,7 @@
 
 $method            = 'GET';
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 	case 'low':
 		$vulnerabilityFile = 'low.php';
 		break;

diff --git a/vulnerabilities/xss_d/index.php b/vulnerabilities/xss_d/index.php
@@ -14,7 +14,7 @@
 dvwaDatabaseConnect();
 
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 	case 'low':
 		$vulnerabilityFile = 'low.php';
 		break;

diff --git a/vulnerabilities/xss_r/index.php b/vulnerabilities/xss_r/index.php
@@ -14,7 +14,7 @@
 dvwaDatabaseConnect();
 
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 	case 'low':
 		$vulnerabilityFile = 'low.php';
 		break;

diff --git a/vulnerabilities/xss_s/index.php b/vulnerabilities/xss_s/index.php
@@ -19,7 +19,7 @@
 }
 
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 	case 'low':
 		$vulnerabilityFile = 'low.php';
 		break;