André Restivo

Web Security Exercises

1. SQL Injection

  1. Download, extract, and then run this very simple PHP project using:
php -S localhost:9000
  2. Inspect the project. You should have:
  3. Passwords are stored in SHA1 format. For example, the password for user 'johndoe' is '1234'. Try to log in and log out using that user's credentials.

  4. Now, let's try to log in with another user without knowing her password. Try this as a username:

' OR 1 = 1 GROUP BY username HAVING username='janedoe';--

No password is needed!

  5. Understand the vulnerability, and fix it!

2. Password Storage

  1. Continuing with the same example, notice that we are using SHA1 to store passwords and we are not using salt.

  2. Change the example so that we are using password_hash and password_verify.

  3. What are the advantages of using different salts for each user, even if we are storing everything in the same place?
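The following is an added example, not the exercise project's own code, that serves both the SQL injection fix and the password storage change. It assumes a users(username, password) table and builds it in an in-memory SQLite database so it runs stand-alone with php-sqlite.

```php
<?php
// Added example, not the exercise's own code. It assumes a users(username, password)
// table and creates it in an in-memory SQLite database so the script is self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Vulnerable login: user input is concatenated into the SQL text, so the payload
// from exercise 1 rewrites the WHERE clause and the password is never compared.
function loginVulnerable(PDO $db, string $username, string $password): ?string
{
    $sql = "SELECT username FROM users WHERE username = '$username'"
         . " AND password = '" . sha1($password) . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

// Fixed login: a prepared statement keeps the input as data rather than SQL, and
// the stored value is a salted password_hash() checked with password_verify().
function loginSecure(PDO $db, string $username, string $password): ?string
{
    $stmt = $db->prepare('SELECT username, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row['username'];
}

// Constructed sample users, first stored the way the exercise does (unsalted SHA1).
$db->exec("INSERT INTO users VALUES ('johndoe', '" . sha1('1234') . "')");
$db->exec("INSERT INTO users VALUES ('janedoe', '" . sha1('s3cret') . "')");
$payload = "' OR 1 = 1 GROUP BY username HAVING username='janedoe';--";
var_dump(loginVulnerable($db, 'johndoe', '1234'));    // legitimate credentials
var_dump(loginVulnerable($db, $payload, 'anything')); // the exercise's injected username

// Re-store the passwords with password_hash(): each call draws a fresh random salt,
// so two users with the same password still get different stored values.
$db->exec('DELETE FROM users');
$ins = $db->prepare('INSERT INTO users VALUES (:u, :p)');
$ins->execute([':u' => 'johndoe', ':p' => password_hash('1234', PASSWORD_DEFAULT)]);
$ins->execute([':u' => 'janedoe', ':p' => password_hash('s3cret', PASSWORD_DEFAULT)]);
var_dump(loginSecure($db, 'johndoe', '1234'));    // legitimate credentials
var_dump(loginSecure($db, $payload, 'anything')); // payload is now just a username lookup
var_dump(loginSecure($db, 'janedoe', 'wrong'));   // wrong password fails password_verify()
```

Compare the two var_dump outputs for $payload: the prepared statement treats the whole string as a username that does not exist, which answers exercise 1.5, and the per-user salt from password_hash() is what exercise 2.3 asks about.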

3. Cross-Site Scripting (XSS)

  1. Download, extract, and then run this very simple PHP project using:
php -S localhost:9000
  2. Inspect the project. You should have:

Notice that usernames and passwords are still not being verified, but that is not important for now.

  3. Try creating a post using 'janedoe' as the username, and 'Goodbye!' as the text. A new post should appear.

  4. Now try this as the username:

notevil<script>console.log('Hello!!!')</script>

And this as the text: 'This is a perfectly safe post.'.

  5. Check the developer console. We are executing JavaScript from injected code. This is XSS!

  6. Let's try something more dangerous:

Username:

stillnotevil<script>[...document.querySelectorAll('input')].forEach(i => i.addEventListener('input', function(){console.log(this.value)}))</script>

Text: 'This is also extremely safe!'.

  7. Try writing something in the username or password input field and watch the console. We could even be sending that data to a remote server using fetch...

  8. Try fixing the problem using several different strategies:

4. Cross-Site Request Forgery (CSRF)

(soon...)

5. Path Traversal

(soon...)