From 24973cee499b090d3ec56c3ecea7cf6dc46dab26 Mon Sep 17 00:00:00 2001
From: Robin Wood
Date: Fri, 16 Sep 2022 12:51:57 +0100
Subject: [PATCH 1/2] allowing authentication to be disabled
---
 config/config.inc.php.dist | 5 +++
 dvwa/includes/dvwaPage.inc.php | 63 ++++++++++++++++++++++++----
 vulnerabilities/brute/index.php | 2 +-
 vulnerabilities/captcha/index.php | 2 +-
 vulnerabilities/csp/index.php | 2 +-
 vulnerabilities/csrf/index.php | 2 +-
 vulnerabilities/exec/index.php | 2 +-
 vulnerabilities/fi/index.php | 2 +-
 vulnerabilities/javascript/index.php | 6 +--
 vulnerabilities/sqli/index.php | 2 +-
 vulnerabilities/sqli_blind/index.php | 2 +-
 vulnerabilities/upload/index.php | 2 +-
 vulnerabilities/weak_id/index.php | 2 +-
 vulnerabilities/xss_d/index.php | 2 +-
 vulnerabilities/xss_r/index.php | 2 +-
 vulnerabilities/xss_s/index.php | 2 +-
 16 files changed, 76 insertions(+), 24 deletions(-)
diff --git a/config/config.inc.php.dist b/config/config.inc.php.dist
index 47ed95c..e26844d 100644
--- a/config/config.inc.php.dist
+++ b/config/config.inc.php.dist
@@ -47,6 +47,11 @@ $_DVWA[ 'default_phpids_verbose' ] = 'false';
 # The default is 'en'. You may wish to set this to either 'en' or 'zh'.
 $_DVWA[ 'default_locale' ] = 'en';
+# Disable authentication
+# Some tools don't like working with authentication and passing cookies around
+# so this setting lets you turn off authentication.
+$_DVWA[ 'disable_authentication' ] = true;
+
 define ("MYSQL", "mysql");
 define ("SQLITE", "sqlite");
diff --git a/dvwa/includes/dvwaPage.inc.php b/dvwa/includes/dvwaPage.inc.php
index 1cd7e5d..c4715c9 100644
--- a/dvwa/includes/dvwaPage.inc.php
+++ b/dvwa/includes/dvwaPage.inc.php
@@ -5,8 +5,6 @@ exit;
 }
-session_start(); // Creates a 'Full Path Disclosure' vuln.
-
 if (!file_exists(DVWA_WEB_PAGE_TO_ROOT . 'config/config.inc.php')) {
 die ("DVWA System error - config file not found. Copy config/config.inc.php.dist to config/config.inc.php and configure to your environment.");
 }
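Review bot: The template ships with `$_DVWA[ 'disable_authentication' ] = true;`, so every install produced by copying config.inc.php.dist starts with the login requirement and, through the early return added to checkToken() later in this patch, anti-CSRF token validation switched off, while the README added in the second patch presents the option as something to opt into. The shipped default should be `$_DVWA[ 'disable_authentication' ] = false;` with the comment telling the reader to flip it. The comment above the option should also say what it actually turns off, since the effect is broader than the name: `# Note: this also skips the anti-CSRF token checks in checkToken(), not only the login requirement.`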
@@ -26,8 +24,7 @@
 // Set security cookie to impossible if no cookie exists
 if( in_array( $_DVWA[ 'default_security_level' ], $security_levels) ) {
 dvwaSecurityLevelSet( $_DVWA[ 'default_security_level' ] );
- }
- else {
+ } else {
 dvwaSecurityLevelSet( 'impossible' );
 }
@@ -37,6 +34,31 @@ dvwaPhpIdsEnabledSet( false );
 }
+// This will setup the session cookie based on
+// the security level.
+
+if (dvwaSecurityLevelGet() == 'impossible') {
+ $httponly = true;
+ $samesite = true;
+}
+else {
+ $httponly = false;
+ $samesite = false;
+}
+
+$maxlifetime = 86400;
+$secure = false;
+
+session_set_cookie_params([
+ 'lifetime' => $maxlifetime,
+ 'path' => '/',
+ 'domain' => $_SERVER['HTTP_HOST'],
+ 'secure' => $secure,
+ 'httponly' => $httponly,
+ 'samesite' => $samesite
+]);
+session_start();
+
 if (!array_key_exists ("default_locale", $_DVWA)) {
 $_DVWA[ 'default_locale' ] = "en";
 }
@@ -65,7 +87,7 @@ function &dvwaSessionGrab() {
 function dvwaPageStartup( $pActions ) {
- if( in_array( 'authenticated', $pActions ) ) {
+ if (in_array('authenticated', $pActions)) {
 if( !dvwaIsLoggedIn()) {
 dvwaRedirect( DVWA_WEB_PAGE_TO_ROOT . 'login.php' );
 }
@@ -103,6 +125,11 @@ function dvwaLogin( $pUsername ) {
 function dvwaIsLoggedIn() {
+ global $_DVWA;
+
+ if (in_array("disable_authentication", $_DVWA) && $_DVWA['disable_authentication']) {
+ return true;
+ }
 $dvwaSession =& dvwaSessionGrab();
 return isset( $dvwaSession[ 'username' ] );
 }
@@ -120,7 +147,7 @@ function dvwaPageReload() {
 function dvwaCurrentUser() {
 $dvwaSession =& dvwaSessionGrab();
- return ( isset( $dvwaSession[ 'username' ]) ? $dvwaSession[ 'username' ] : '') ;
+ return ( isset( $dvwaSession[ 'username' ]) ? $dvwaSession[ 'username' ] : 'Unknown') ;
 }
 // -- END (Session functions)
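Review bot: In the session_set_cookie_params() call, `'samesite' => $samesite` is handed a boolean, but PHP writes that attribute out as a string, so the impossible level sends `SameSite=1`, which is none of Strict, Lax or None and therefore does not give the restriction the `$httponly`/`$samesite` split is aiming for; `$samesite = 'Strict';` on the impossible branch and `$samesite = '';` (attribute omitted) on the other branch would express the intent. `'domain' => $_SERVER['HTTP_HOST']` is also worth a second look: the value is whatever the client sent in the Host header, and when it carries a port (as it does on any non-default port) the Domain attribute no longer matches the request host and browsers reject the session cookie outright, so the login loops; omitting 'domain' gives a host-only cookie, which is what the old `setcookie( session_name(), ... , "", ...)` call in dvwaSecurityLevelSet() produced. A one-line comment above the block noting that `$secure` is left false because DVWA is normally served over plain HTTP would save the next reader from "fixing" it.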
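Review bot: `in_array("disable_authentication", $_DVWA)` in dvwaIsLoggedIn() searches the config's values, not its keys; it only passes today because PHP's loose comparison makes the boolean `true` equal to any non-empty string, so a user who writes the value as the string `'true'` (the style `default_phpids_verbose` uses with `'false'`) gets no bypass at all, and any other option that happens to be boolean `true` satisfies the first half of the test for a missing key. The identical line is repeated in dvwaSecurityLevelGet() and checkToken() in the next hunks. A key check with a strict comparison, `if (array_key_exists('disable_authentication', $_DVWA) && $_DVWA['disable_authentication'] === true) {`, says what is meant, and putting it in one small helper (e.g. dvwaAuthenticationDisabled()) would stop the three copies drifting apart.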
@@ -139,7 +166,21 @@ function &dvwaPageNewGrab() {
 function dvwaSecurityLevelGet() {
- return isset( $_COOKIE[ 'security' ] ) ? $_COOKIE[ 'security' ] : 'impossible';
+ global $_DVWA;
+
+ // If there is a security cookie, that takes priority.
+ if (isset($_COOKIE['security'])) {
+ return $_COOKIE[ 'security' ];
+ }
+
+ // If not, check to see if authentication is disabled, if it is, use
+ // the default security level.
+ if (in_array("disable_authentication", $_DVWA) && $_DVWA['disable_authentication']) {
+ return $_DVWA[ 'default_security_level' ];
+ }
+
+ // Worse case, set the level to impossible.
+ return 'impossible';
 }
@@ -150,7 +191,7 @@ function dvwaSecurityLevelSet( $pSecurityLevel ) {
 else {
 $httponly = false;
 }
- setcookie( session_name(), session_id(), 0, '/', "", false, $httponly );
+ setcookie( 'security', $pSecurityLevel, 0, "/", "", false, $httponly );
 }
@@ -560,6 +601,12 @@ function dvwaGuestbook() {
 // Token functions --
 function checkToken( $user_token, $session_token, $returnURL ) { # Validate the given (CSRF) token
+ global $_DVWA;
+
+ if (in_array("disable_authentication", $_DVWA) && $_DVWA['disable_authentication']) {
+ return true;
+ }
+
 if( $user_token !== $session_token || !isset( $session_token ) ) {
 dvwaMessagePush( 'CSRF token is incorrect' );
 dvwaRedirect( $returnURL );
diff --git a/vulnerabilities/brute/index.php b/vulnerabilities/brute/index.php
index 86397d9..8a19a62 100644
--- a/vulnerabilities/brute/index.php
+++ b/vulnerabilities/brute/index.php
@@ -14,7 +14,7 @@ $method = 'GET';
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 case 'low':
 $vulnerabilityFile = 'low.php';
 break;
diff --git a/vulnerabilities/captcha/index.php b/vulnerabilities/captcha/index.php
index 330a7eb..7cffaa2 100644
--- a/vulnerabilities/captcha/index.php
+++ b/vulnerabilities/captcha/index.php
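Review bot: The 'security' cookie written by the new setcookie() line in dvwaSecurityLevelSet() still expires with the browser session (expiry `0`), whereas the session cookie configured earlier in this file now lives for `$maxlifetime` (86400 s); after a browser restart the login may survive while the level silently falls back to whatever dvwaSecurityLevelGet() returns with no cookie present. Giving both cookies the same lifetime, e.g. `setcookie( 'security', $pSecurityLevel, time() + 86400, "/", "", false, $httponly );` (ideally via one shared constant rather than a second literal), keeps them in step. dvwaSecurityLevelSet() begins outside the hunk, so the `if` that pairs with the visible `else` cannot be checked here.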
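Review bot: The early `return true;` added to checkToken() switches off anti-CSRF token validation on every form whenever authentication is disabled, which is a wider effect than the option's name and its config comment suggest, and nothing in the hunk records why the two are coupled, presumably because a client that keeps no cookies cannot present a matching session token. A comment above the check would document the trade-off for the next reader: `# Clients that keep no cookies cannot carry a session token, so token validation is skipped when authentication is disabled.` checkToken() continues past the end of the hunk.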
@@ -15,7 +15,7 @@ dvwaDatabaseConnect();
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 case 'low':
 $vulnerabilityFile = 'low.php';
 break;
diff --git a/vulnerabilities/csp/index.php b/vulnerabilities/csp/index.php
index aa189ff..0e90451 100644
--- a/vulnerabilities/csp/index.php
+++ b/vulnerabilities/csp/index.php
@@ -14,7 +14,7 @@ dvwaDatabaseConnect();
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 case 'low':
 $vulnerabilityFile = 'low.php';
 break;
diff --git a/vulnerabilities/csrf/index.php b/vulnerabilities/csrf/index.php
index 84db9bd..79aaba8 100644
--- a/vulnerabilities/csrf/index.php
+++ b/vulnerabilities/csrf/index.php
@@ -14,7 +14,7 @@ dvwaDatabaseConnect();
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 case 'low':
 $vulnerabilityFile = 'low.php';
 break;
diff --git a/vulnerabilities/exec/index.php b/vulnerabilities/exec/index.php
index 2ceb562..5fcb858 100644
--- a/vulnerabilities/exec/index.php
+++ b/vulnerabilities/exec/index.php
@@ -14,7 +14,7 @@ dvwaDatabaseConnect();
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 case 'low':
 $vulnerabilityFile = 'low.php';
 break;
diff --git a/vulnerabilities/fi/index.php b/vulnerabilities/fi/index.php
index 20a0c91..8221069 100644
--- a/vulnerabilities/fi/index.php
+++ b/vulnerabilities/fi/index.php
@@ -14,7 +14,7 @@ dvwaDatabaseConnect();
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 case 'low':
 $vulnerabilityFile = 'low.php';
 break;
diff --git a/vulnerabilities/javascript/index.php b/vulnerabilities/javascript/index.php
index 8dee828..fee09b7 100644
--- a/vulnerabilities/javascript/index.php
+++ b/vulnerabilities/javascript/index.php
@@ -14,7 +14,7 @@ dvwaDatabaseConnect(); $vulnerabilityFile = ''; -switch( $_COOKIE[ 'security' ] ) { +switch( dvwaSecurityLevelGet() ) { case 'low': $vulnerabilityFile = 'low.php'; break; @@ -38,7 +38,7 @@ $token = $_POST['token']; if ($phrase == "success") { - switch( $_COOKIE[ 'security' ] ) { + switch( dvwaSecurityLevelGet() ) { case 'low': if ($token == md5(str_rot13("success"))) { $message = "

Well done!

"; @@ -72,7 +72,7 @@ } } -if ( $_COOKIE[ 'security' ] == "impossible" ) { +if ( dvwaSecurityLevelGet() == "impossible" ) { $page[ 'body' ] = <<

Vulnerability: JavaScript Attacks

diff --git a/vulnerabilities/sqli/index.php b/vulnerabilities/sqli/index.php
index 4e7f4ca..fd41542 100644
--- a/vulnerabilities/sqli/index.php
+++ b/vulnerabilities/sqli/index.php
@@ -15,7 +15,7 @@ $method = 'GET';
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 case 'low':
 $vulnerabilityFile = 'low.php';
 break;
diff --git a/vulnerabilities/sqli_blind/index.php b/vulnerabilities/sqli_blind/index.php
index ca9d0a8..4dd138f 100644
--- a/vulnerabilities/sqli_blind/index.php
+++ b/vulnerabilities/sqli_blind/index.php
@@ -15,7 +15,7 @@ $method = 'GET';
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 case 'low':
 $vulnerabilityFile = 'low.php';
 break;
diff --git a/vulnerabilities/upload/index.php b/vulnerabilities/upload/index.php
index d96b6df..f5f623a 100644
--- a/vulnerabilities/upload/index.php
+++ b/vulnerabilities/upload/index.php
@@ -14,7 +14,7 @@ dvwaDatabaseConnect();
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 case 'low':
 $vulnerabilityFile = 'low.php';
 break;
diff --git a/vulnerabilities/weak_id/index.php b/vulnerabilities/weak_id/index.php
index 911cb30..aa0c3a3 100644
--- a/vulnerabilities/weak_id/index.php
+++ b/vulnerabilities/weak_id/index.php
@@ -14,7 +14,7 @@ $method = 'GET';
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 case 'low':
 $vulnerabilityFile = 'low.php';
 break;
diff --git a/vulnerabilities/xss_d/index.php b/vulnerabilities/xss_d/index.php
index 50255a2..5528dcb 100644
--- a/vulnerabilities/xss_d/index.php
+++ b/vulnerabilities/xss_d/index.php
@@ -14,7 +14,7 @@ dvwaDatabaseConnect();
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 case 'low':
 $vulnerabilityFile = 'low.php';
 break;
diff --git a/vulnerabilities/xss_r/index.php b/vulnerabilities/xss_r/index.php
index 014327f..f47e726 100644
--- a/vulnerabilities/xss_r/index.php
+++ b/vulnerabilities/xss_r/index.php
@@ -14,7 +14,7 @@ dvwaDatabaseConnect();
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 case 'low':
 $vulnerabilityFile = 'low.php';
 break;
diff --git a/vulnerabilities/xss_s/index.php b/vulnerabilities/xss_s/index.php
index 021ced2..b999754 100644
--- a/vulnerabilities/xss_s/index.php
+++ b/vulnerabilities/xss_s/index.php
@@ -19,7 +19,7 @@
 }
 $vulnerabilityFile = '';
-switch( $_COOKIE[ 'security' ] ) {
+switch( dvwaSecurityLevelGet() ) {
 case 'low':
 $vulnerabilityFile = 'low.php';
 break;
From c78c53510e5fcac7672fc13e049def4ed0646503 Mon Sep 17 00:00:00 2001
From: Robin Wood
Date: Sat, 14 Jan 2023 22:31:17 +0000
Subject: [PATCH 2/2] Described auth bypass feature
---
 README.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/README.md b/README.md
index 3530d20..812d62d 100644
--- a/README.md
+++ b/README.md
@@ -138,6 +138,22 @@ mysql> flush privileges;
 Query OK, 0 rows affected (0.00 sec)
 ```
+### Disable Authentication
+
+Some tools don't work well with authentication so can't be used with DVWA. To get around this, there is a config option to disable authentication checking. To do this, simply set the following in the config file:
+
+```php
+$_DVWA[ 'disable_authentication' ] = true;
+```
+
+You will also need to set the security level to one that is appropriate to the testing you want to do:
+
+```php
+$_DVWA[ 'default_security_level' ] = 'low';
+```
+
+In this state, you can access all the features without needing to log in and set any cookies.
+
 ### Other Configuration
 Depending on your Operating System, as well as version of PHP, you may wish to alter the default configuration. The location of the files will be different on a per-machine basis.