Badstore.net is dedicated to helping you understand how hackers prey on
Web application vulnerabilities, and to showing you how to reduce your
exposure.
(http://www.badstore.net/)
Prepare the lab:
- VirtualBox to run Lab1 (the BadStore VM)
- Mantra web browser
- OWASP ZAP as an intercepting web proxy for vulnerability
assessment
Run Lab1 in VirtualBox and check its IP address with
ifconfig; the lab1 IP is 192.168.56.101.
We can use that IP for information
gathering with Zenmap (the Nmap GUI).
Nmap reports the operating system as Linux 2.4.x, with open
ports 80 (HTTP), 443 (HTTPS) and 3306 (MySQL). Because port 80 is open we can reach the web
application by typing the IP into the browser's URL bar; we use the Mantra web browser. Before that, start
OWASP ZAP and point the browser's proxy at ZAP's listener (127.0.0.1:8080 by default); if the browser is not proxied through ZAP, ZAP sees none of the traffic.
I have tried more than 3 times, restarting the Mantra web browser and OWASP ZAP and then choosing menus on badstore.net, but OWASP ZAP did not catch any information from BadStore. Huft.
Okay..
Get information from /robots.txt.
We get the User-agent entry and the Disallow'd directory structure:
/backup, /cgi-bin, /supplier, /upload
Type in the URL bar: http://192.168.56.101/upload
Type in the URL bar: http://192.168.56.101/supplier/
We get a directory listing with an accounts entry holding four supplier accounts.
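The robots.txt step above is the kind of thing worth scripting: every Disallow line is a hint, not a protection, and a 200 with an "Index of" page means directory listing is on. The following is an added example, not code from BadStore or from this write-up; it assumes the lab address 192.168.56.101 from the text, and the embedded robots.txt is a constructed sample modelled on the four entries listed above so the parsing runs offline.

```python
"""Enumerate and probe the paths a robots.txt discloses.

Added example, not part of the original write-up or of BadStore. The target
address 192.168.56.101 comes from the lab; SAMPLE_ROBOTS is a constructed
sample modelled on the entries the write-up lists.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed sample: a robots.txt that "hides" directories. Any Disallow
# entry is a hint to an attacker, not an access control.
SAMPLE_ROBOTS = """# constructed sample, not fetched from the lab
User-agent: *
Disallow: /backup
Disallow: /cgi-bin
Disallow: /supplier
Disallow: /upload
"""


def parse_robots(text):
    """Return the Disallow paths in file order, skipping comments, blank
    lines and empty Disallow directives (which mean 'allow everything')."""
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() == "disallow" and value:
            paths.append(value)
    return paths


def candidate_urls(base, paths):
    """Build one absolute URL per disclosed path, normalised to a trailing
    slash so a directory listing (if enabled) is served directly."""
    return [urljoin(base, p.rstrip("/") + "/") for p in paths]


def probe(url, timeout=5):
    """GET the URL; return (status, listing_enabled). 'Index of' in the body
    of a 200 is the usual sign of an Apache auto-index page."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("latin-1")
            return resp.status, "Index of" in body
    except urllib.error.HTTPError as err:
        return err.code, False
    except (urllib.error.URLError, OSError):
        return None, False


if __name__ == "__main__":
    base = "http://192.168.56.101/"
    try:
        with urllib.request.urlopen(urljoin(base, "robots.txt"), timeout=5) as r:
            robots = r.read().decode("latin-1")
    except (urllib.error.URLError, OSError):
        robots = SAMPLE_ROBOTS  # lab not reachable: fall back to the sample
    for url in candidate_urls(base, parse_robots(robots)):
        status, listing = probe(url)
        print(f"{url} -> {status}{' (directory listing)' if listing else ''}")
```

Run it while the VM is up and the browser-independent output tells you which disclosed directories actually expose a listing; the same run against a hardened host should show 403s, which is the check that robots.txt is no longer doing the job of access control.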
1. Cross Site Scripting
Try cross-site scripting: enter <script>alert("TEST");</script> in the guestbook comment textarea and click "Add Entry". The browser pops an alert with the injected string, which shows that the guestbook stores the entry and renders it back without HTML output encoding (stored XSS).
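To make the cause of that alert concrete, here is an added example (not BadStore's guestbook code, whose template is not shown on the page) with a minimal stand-in for the vulnerable row renderer next to an output-encoded version, plus a small HTML-parser check that reports what a browser would actually execute. The function names and the table-row template are assumptions; the payload is the one used above.

```python
"""Why the guestbook pops an alert: the comment is written into the page
without output encoding. Added example, not BadStore's own guestbook code;
the two render functions are an assumed minimal stand-in for its template."""
import html
from html.parser import HTMLParser

# The payload submitted through the guestbook textarea in the write-up.
PAYLOAD = '<script>alert("TEST");</script>'


def render_entry_vulnerable(name, comment):
    """Concatenates user input straight into an HTML table row (stored XSS)."""
    return f"<tr><td>{name}</td><td>{comment}</td></tr>"


def render_entry_fixed(name, comment):
    """Same template, but HTML-escapes both fields for the element-body
    context; quote=True also encodes quotes so the value is safe inside a
    quoted attribute as well."""
    return (f"<tr><td>{html.escape(name, quote=True)}</td>"
            f"<td>{html.escape(comment, quote=True)}</td></tr>")


class ActiveContentFinder(HTMLParser):
    """Records <script> elements and on* event-handler attributes, i.e. the
    constructs a browser would execute. A check for this demo, not a sanitizer:
    blocklisting tags is not how XSS is fixed, output encoding is."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for attr_name, _ in attrs:
            if attr_name.lower().startswith("on"):
                self.findings.append(f"{tag}@{attr_name}")


def active_content(markup):
    """Return a list describing every executable construct found in markup."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for renderer in (render_entry_vulnerable, render_entry_fixed):
        page = renderer("visitor", PAYLOAD)
        print(renderer.__name__, "->", active_content(page) or "nothing executable")
        print("    ", page)
```

The escaped row still displays the literal text `<script>alert("TEST");</script>` to the reader, but the parser sees no script element, so nothing runs. Note that `html.escape` is the right encoding only for HTML body and quoted-attribute contexts; a value placed inside a JavaScript string or a URL needs that context's encoding, and a Content-Security-Policy that blocks inline scripts is the defence-in-depth layer for cases the template misses.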