Attack DVWA weak session IDs

This article builds on How to deploy DVWA with Termux and attack it with PentestSuite?. If you haven't read it, it would be a good idea to check it before reading this article. <3

Preparation

We set the Apache server to listen on port 8080, and by default the PentestSuite proxy server also listens on port 8080. So first we need to change the port in the proxy section of PentestSuite:

You can set the PentestSuite server to listen on port 8081, as I do, or on any other port that the apache2 server does not listen on.

Because DVWA does not use SSL/TLS, you don't have to turn SSL Parser on to decode SSL/TLS traffic.

After you have switched ON/OFF to on, open the internal browser and enter the URL:

http://192.168.1.4:8080/DVWA-master/login.php

Note that you can't use the loopback address 127.0.0.1 here; you have to use your local area network address, 192.168.1.4 in my case. If 127.0.0.1 is used, the internal browser connects directly to the server without going through the proxy, so PentestSuite won't be able to capture the traffic.

Now log in with the credentials admin/password and go to Weak Session IDs. In the picture you can see I have set the Security level to impossible. You can change this level in the DVWA Security section of the menu on the left, as the following picture shows.

Start hacking

Click Generate first.

Now come to PentestSuite to see the traffic.

If you just want to see what the proxy did, click PROXY VIEW.
Notice that No.73 and No.74 share the same hosts:
127.0.0.1:47407 and 192.168.1.4:8080
(Sorry for this picture: my PentestSuite server actually listens on port 8080 and my Apache server listens on 8081, so just read it as 8080 here.)

Then click the PEEK button on No.74.

When the security level is low, you will see

Set-Cookie: dvwaSession=1

This is clearly a boolean value, so if you want to trigger something funny like privilege escalation, you can directly change it to some other value, like 0.
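As an added example (not part of the original article or of DVWA itself), here is a small Python audit helper of the kind you would use in a session-management review: it pulls the dvwaSession value out of successive Set-Cookie headers like the one above, flags IDs that are just a counter, and shows what a server should hand out instead. The captured responses are constructed for the example, not real traffic.

```python
import re
import secrets

# Constructed sample responses (not captured from a real DVWA run): three
# successive "Generate" responses in the shape the article shows.
CAPTURED_RESPONSES = [
    "HTTP/1.1 200 OK\r\nSet-Cookie: dvwaSession=1\r\nContent-Type: text/html\r\n\r\n",
    "HTTP/1.1 200 OK\r\nSet-Cookie: dvwaSession=2\r\nContent-Type: text/html\r\n\r\n",
    "HTTP/1.1 200 OK\r\nSet-Cookie: dvwaSession=3\r\nContent-Type: text/html\r\n\r\n",
]

# Matches the dvwaSession cookie in a raw response; attributes after ';' are dropped.
COOKIE_RE = re.compile(r"^Set-Cookie:\s*dvwaSession=([^;\r\n]*)",
                       re.IGNORECASE | re.MULTILINE)


def extract_session_ids(responses):
    """Return the dvwaSession value from each response that sets one."""
    ids = []
    for raw in responses:
        match = COOKIE_RE.search(raw)
        if match:
            ids.append(match.group(1).strip())
    return ids


def is_sequential(ids):
    """True when the IDs are integers that each increase by one: a counter,
    so any client can work out the previous or next session ID."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    return len(nums) >= 2 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def audit_session_ids(ids):
    """Classify a sample of observed session IDs for a review report."""
    if not ids:
        return "no session cookie observed"
    if is_sequential(ids):
        return "weak: sequential counter"
    if min(len(i) for i in ids) < 16:  # rough length heuristic: 16 hex chars = 64 bits
        return "weak: too short to hold 64 bits of entropy"
    return "no obvious weakness in this sample"


def generate_session_id():
    """What the server should do instead: 128 random bits from the OS CSPRNG."""
    return secrets.token_hex(16)
```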
