With advancing web technologies, APIs play a crucial part in application architecture. APIs that are not tested properly can lead to serious security vulnerabilities. DVWS, or Damn Vulnerable Web Services, is a deliberately vulnerable application with a web service and an API that can be used to learn about web service and API-related vulnerabilities.
NOTE: Make sure you use DVWS-node (https://github.com/snoopysecurity/dvws-node), not DVWS (https://github.com/snoopysecurity/dvws), because the DVWS project is no longer supported.
What is DVWS?
Damn Vulnerable Web Sockets (DVWS) is a deliberately vulnerable and insecure web application that uses web sockets for client-server communication. It is written in JavaScript and uses MySQL as its backend database. DVWS implements several common web application functionalities over web sockets, which differs from typical web application communication. It allows users to put their web socket testing skills, tools, and scripts to the test.
Installing DVWS-node
For the DVWS installation we used Kali Linux running in Oracle VirtualBox, with the network adapter set to Bridged Adapter. Prerequisites: make sure you have docker, docker-compose, and git installed inside your VM.
Command #1: git clone https://github.com/snoopysecurity/dvws-node.git
Relocate to the directory
Command #2: cd dvws-node
Use the Docker-Compose file to fire up the DVWS containers
Command #3: docker-compose up -d
Check the run state of the application containers:
Command #4: docker ps -a
Now that the application is online and the VM network is set to Bridged Adapter, run the following command to find your VM's IP address (it should be in the same subnet as the host machine):
Command #5: ifconfig
Using DVWS-node
You can access the application at http://<VM_IP_Address>:80
Play around with the application to get a general idea of its functionality.
Understanding SQL Injection: Error-Based and Boolean-Based
Error-Based SQLi
With error-based SQL injection, the attacker inserts a malformed query fragment so that the application returns a database error message containing private information about the database.
This example shows a URL that accepts a parameter from the user, in this case the requested item: http://johndoe.com/index.php?item=1
The attacker could append a single quote to the parameter value:
http://johndoe.com/index.php?item=1'
If the database responds with the following error, the injection was successful.
From this error message, the attacker can find out:
- which MySQL database was used
- the precise syntax — the single quote — that caused the problem
- that the query's syntax error occurred right after the parameter value
This is sufficient for a skilled attacker to determine that the server queries the database in an unsafe manner and to plan further, more damaging SQL injection attacks.
A perfect example can be triggered in DVWS:
Open the passphrase generator section in DVWS
Intercept the requests in Burp Suite Community Edition by routing the browser through its proxy.
Generate a passphrase and save it, intercepting the save request in Burp.
While intercepting, send that request to the Repeater tab and add a single quote to one of the parameters in the POST JSON body.
Analyzing the response, we can see that the response body contains SQL error data, including the DB name and the exact SQL query used internally. This demonstrates the OWASP API Top 10 2019 A8 Injection attack, error-based.
Boolean-Blind SQLi
Boolean-blind injection is an exploit in which the payload's result is not directly visible in the application output, yet the attacker can still deduce it. With SQL injection this is done by asking the database a series of true/false (Boolean) questions and observing how the application's response changes, which reveals information about the database.
Simple true/false examples include:
OR 1=1
AND 1=2
A perfect example can be triggered in DVWS:
While saving the passphrase, intercept the request in Burp Suite. Send the request below to the Repeater tab and test for error-based SQLi. Expecting a DB error? None is displayed in the response body.
We can use the Boolean-blind payload to test for Boolean-blind injection.
Still unexpected behavior?
Try the URL-encoded payload.
Voila! We were successful in triggering a Boolean-blind SQLi attack.
Analyzing the response, we can see that the response body contains SQL error data, including the DB name and the exact SQL query used internally. This demonstrates the OWASP API Top 10 2019 A8 Injection attack, Boolean-blind.
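The following is an added example, not code from DVWS-node or RAPIFUZZ, covering both the error-based and the Boolean-blind cases above from the detection side: it flags an API response that leaks a MySQL error, and a true/false probe pair whose responses diverge from the baseline. The response shapes, field names and sample bodies are constructed assumptions, not DVWS output.

```javascript
// Added example, not code from DVWS-node or RAPIFUZZ: response-side heuristics
// that a scanner or test harness can apply to spot the two SQLi symptoms
// described in the article. All responses below are constructed samples.

// Database error text that should never reach an API client. Patterns cover
// MySQL/MariaDB syntax errors and the fields the Node mysql driver puts on its
// error objects, which leak when an unhandled error is serialised into JSON.
const SQL_ERROR_PATTERNS = [
  /You have an error in your SQL syntax/i,
  /ER_PARSE_ERROR/,
  /"sqlMessage"\s*:/,
  /near '.*' at line \d+/i,
];

// Error-based symptom: the body leaks the backend's SQL error.
function leaksSqlError(body) {
  return SQL_ERROR_PATTERNS.some((re) => re.test(body));
}

// Boolean-blind symptom: a true condition (e.g. AND 1=1) leaves the response
// identical to the baseline while a false one (AND 1=2) changes it.
// classify() rules out the error-based case before calling this.
function booleanBlindSignal(baseline, trueProbe, falseProbe) {
  const same = (a, b) => a.status === b.status && a.body === b.body;
  return same(baseline, trueProbe) && !same(baseline, falseProbe);
}

// Classify one baseline plus its two probes into the article's categories.
function classify(baseline, trueProbe, falseProbe) {
  if ([baseline, trueProbe, falseProbe].some((r) => leaksSqlError(r.body))) return 'error-based';
  if (booleanBlindSignal(baseline, trueProbe, falseProbe)) return 'boolean-blind';
  return 'none';
}

// Constructed samples shaped like JSON an Express + mysql handler might return.
const leakyError = {
  status: 500,
  body: JSON.stringify({
    code: 'ER_PARSE_ERROR',
    sqlMessage: "You have an error in your SQL syntax; check the manual ... near ''' at line 1",
  }),
};
const found = { status: 200, body: JSON.stringify({ passphrases: [{ name: 'demo' }] }) };
const empty = { status: 200, body: JSON.stringify({ passphrases: [] }) };

console.log(classify(found, found, leakyError)); // error-based
console.log(classify(found, found, empty));      // boolean-blind
console.log(classify(found, found, found));      // none
```

A real harness would send the baseline and both probes against the same endpoint and normalise volatile fields (timestamps, request IDs) before comparing bodies.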
How can RAPIFUZZ help your product detect SQLi?
RAPIFUZZ has multiple test cases integrated for testing REST APIs against the OWASP API Top 10. You can use our free version to test your application for SQL injection and other API-related vulnerabilities.
DVWS – error-based SQLi detection, RAPIFUZZ report screenshots: