DVWA Javascript attacks

Starting the challenge

Low level — Understanding the application

POST /vulnerabilities/javascript/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/vulnerabilities/javascript/
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
DNT: 1
Connection: close
Cookie: PHPSESSID=c8f9p19iv3b8s0cm58d7pm1e25; security=low
Upgrade-Insecure-Requests: 1
token=8b479aefbd90795395b3e7089ae0dc09&phrase=success&send=Submit
$ echo -n "8b479aefbd90795395b3e7089ae0dc09"| wc -c
32
echo -n "PunatrZr" | md5sum
8b479aefbd90795395b3e7089ae0dc09
echo -n "success" | md5sum
260ca9dd8a4577fc00b7bd5810298076
So the 32-character token is an MD5 digest, but not of the phrase that was submitted ("success"): it matches md5("PunatrZr"), which is rot13 of the form's default phrase "ChangeMe" (see below). The token was computed when the page loaded and was never refreshed after the phrase was edited.

Low level — Exploiting the vulnerability

function rot13(inp) {
  // Rotate every ASCII letter 13 places within its own case; any other
  // character is passed through unchanged. rot13 is a fixed substitution, not
  // encryption: it is its own inverse (tr 'A-Za-z' 'N-ZA-Mn-za-m' undoes it),
  // so it adds no secrecy to the token derived from it.
  return inp.replace(/[a-zA-Z]/g, function (letter) {
    var ceiling = letter <= "Z" ? 90 : 122; // code of 'Z' or 'z'
    var shifted = letter.charCodeAt(0) + 13;
    return String.fromCharCode(shifted <= ceiling ? shifted : shifted - 26);
  });
}
function generate_token() {
  // Fill the hidden "token" input with md5(rot13(phrase)). The whole
  // derivation happens in the browser with no secret input, so anyone who
  // reads this script can produce a valid token for any phrase offline
  // (the shell one-liner further down does exactly that).
  var phrase = document.getElementById("phrase").value;
  var digest = md5(rot13(phrase));
  document.getElementById("token").value = digest;
}
// Runs once at script load: the hidden token is computed from the Phrase
// field's initial value, and nothing in this file recomputes it when the
// phrase is edited afterwards (hence the request above carrying
// phrase=success alongside the default phrase's token).
generate_token();
$ echo 'PunatrZr' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
ChangeMe
alias rot13="tr 'A-Za-z' 'N-ZA-Mn-za-m'"
echo -n "success" | rot13 | md5sum
38581812b435834ebf84ebcc2c6424d6
This is md5(rot13("success")), the value the page's own generate_token() would produce for that phrase. Because the token is only computed on page load, it must be supplied by hand: replace the token in the intercepted POST body (or the hidden input) with this hash when submitting phrase=success.

Medium level

<form name="low_js" method="post">
<input type="hidden" name="token" value="" id="token" />
<label for="phrase">Phrase</label> <input type="text" name="phrase" value="ChangeMe" id="phrase" />
<input type="submit" id="send" name="send" value="Submit" />
</form>
<script src="/vulnerabilities/javascript/source/medium.js">
</script>
function do_something (e) {
  // Reverse `e` by walking it from its last index down to 0 and appending each
  // item to a string. For a string argument this is a plain reversal; the
  // name is the obfuscator's, not a hint at anything more.
  var reversed = '';
  var position = e.length;
  while (position > 0) {
    position -= 1;
    reversed += e[position];
  }
  return reversed;
}
// 300 ms after the script loads, build the token from whatever the Phrase
// field holds at that moment. Nothing else in this file recomputes it, so a
// phrase typed after the timer has fired is submitted with a stale token.
setTimeout (function buildMediumToken () {
  do_elsesomething ('XX');
}, 300);
function do_elsesomething (e) {
  // Medium-level token: wrap the phrase as e + phrase + "XX" and reverse the
  // result with do_something. The page calls this with e = "XX", so for the
  // phrase "success" the expected token is "XXsseccusXX" -- no hashing and
  // no secret, just string reversal.
  var phrase = document.getElementById ('phrase').value;
  var wrapped = e + phrase + 'XX';
  document.getElementById ('token').value = do_something (wrapped);
}

High level

POST /vulnerabilities/javascript/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/vulnerabilities/javascript/
Content-Type: application/x-www-form-urlencoded
Content-Length: 98
Cookie: PHPSESSID=120fgd8orft160g1ot137588k2; security=high
Connection: close
Upgrade-Insecure-Requests: 1
token=28638d855bc00d62b33f9643eab3e43d8335ab2b308039abd8fb8bef86331b14&phrase=ChangeMe&send=Submit
// De-obfuscated: rotate the string lookup table in place before anything else
// runs. The 0x1f4 (= 500) argument is pre-incremented to 501 and the loop
// pre-decrements its counter before testing it, so push(shift()) executes
// exactly 500 times, not 501. `special_array` is defined by obfuscated code
// that this write-up does not reproduce.
(function (lookupTable, rounds) {
  var rotate = function (remaining) {
    while (--remaining) {
      lookupTable.push(lookupTable.shift());
    }
  };
  rotate(++rounds);
})(special_array, 0x1f4);
// De-obfuscated accessor: return special_array[index] (the array the original code called "a"),
// Look up an entry of the rotated `special_array`; the obfuscated source
// appears to fetch its string constants through this helper. The second
// parameter is never read.
var get_element_from_a = function (index, unused_parameter) {
  // `index - 0x0` is the obfuscator's way of coercing a string index to a
  // number; kept as the same arithmetic so the coercion is unchanged.
  var position = index - 0x0;
  return special_array[position];
};
(function(d, e, f, g, h, i) {
function() {
// Elided by the write-up's author: the obfuscated code inside this IIFE appears
// to define the sha256() used by token_part_2/token_part_3 below. It is not
// reproduced, so this placeholder is not valid JavaScript as shown.
})();
// Helper functions used to build the token (they run in the order wired up at the bottom, not in source order)
function do_something(e) {
  // Reverse the items of `e` (the characters, for a string) into a new string.
  // Same helper as in the medium level: simple reversal, nothing secret.
  let reversed = "";
  for (let i = e.length; i-- > 0; ) {
    reversed += e[i];
  }
  return reversed;
}
function token_part_3(t, y = "ZZ") {
  // Final step: token = sha256(token + y). `t` is ignored; when this runs as
  // the Submit click handler (see the addEventListener call below) it is the
  // click event, so every click applies this step once more to the current
  // token value.
  const tokenField = document.getElementById("token");
  tokenField.value = sha256(tokenField.value + y);
}
function token_part_2(e = "YY") {
  // Middle step: token = sha256(e + token), i.e. the prefix goes in front.
  // The only visible caller passes "XX" (300 ms after load), so the "YY"
  // default is never used by the page itself.
  const tokenField = document.getElementById("token");
  tokenField.value = sha256(e + tokenField.value);
}
function token_part_1(a, b) {
  // First step: the token starts as the reversed phrase. Neither parameter is
  // read; the page calls this as token_part_1("ABCD", 44) and those arguments
  // have no effect on the result.
  const phrase = document.getElementById("phrase").value;
  document.getElementById("token").value = do_something(phrase);
}
// The rest of the code wires up how the token is constructed: step 1 immediately, step 2 after 300 ms, step 3 on Submit
// Token pipeline wiring (de-obfuscated). Effects, in order, on page load:
//   1. the Phrase field is blanked, so the immediate token_part_1 call below
//      reverses an empty string;
//   2. token_part_1 runs synchronously (its "ABCD", 44 arguments are ignored);
//   3. token_part_2("XX") runs 300 ms later on whatever the token holds then;
//   4. token_part_3 is bound to the Submit button, so it runs on every click --
//      if it has already been invoked by hand, clicking Submit applies the
//      "ZZ" hashing step a second time.
const phraseField = document.getElementById("phrase");
const submitButton = document.getElementById("send");
phraseField.value = "";
setTimeout(() => token_part_2("XX"), 300);
submitButton.addEventListener("click", token_part_3);
token_part_1("ABCD", 44);
// Reproducing the pipeline by hand in the browser console, after typing "success" into the Phrase field (the page script blanks it on load):
token_part_1("ABCD", 44)
"sseccus"
token_part_2("XX")
7f1bfaaf829f785ba5801d5bf68c1ecaf95ce04545462c8b8f311dfc9014068a
echo -n "XXsseccus" | sha256sum
7f1bfaaf829f785ba5801d5bf68c1ecaf95ce04545462c8b8f311dfc9014068a
token_part_3(null, "ZZ")
ec7ef8687050b6fe803867ea696734c67b541dfafb286a0b1239f42ac5b0aa84
echo -n "7f1bfaaf829f785ba5801d5bf68c1ecaf95ce04545462c8b8f311dfc9014068aZZ" | sha256sum
ec7ef8687050b6fe803867ea696734c67b541dfafb286a0b1239f42ac5b0aa84
