Shared by appy via Audioblend Pro
Shared Dossier · DVWA — Damn Vulnerable Web App

Vulnerability Report

Summary: 18 · OWASP
  • critical: 3
  • high: 3
  • medium: 2
  • low: 0
  • info: 0

Duration: 47.2s · Model: google/gemini-2.5-pro · Generated: 5/20/2026

Detailed Findings

Component: vulnerabilities/sqli/source/low.php

Description: User-controlled input $_REQUEST['id'] is concatenated directly into a SQL query with no sanitisation or parameterisation. Classic first-order SQL injection.

Exploitation: GET /vulnerabilities/sqli/?id=1' UNION SELECT user,password FROM users-- - dumps every password hash in the database. Boolean / time-based blind variants also work.

Impact: Full database compromise: user credentials, PII, application secrets. Attacker can pivot to authentication bypass and (via INTO OUTFILE on misconfigured MySQL) write a webshell for RCE.

Fix: Use mysqli_prepare with bound parameters. Never concatenate user input into SQL. Apply the principle of least privilege to the DB user (no FILE permission).
Suggested Patch
$id = $_REQUEST['id'];
$stmt = mysqli_prepare($conn, "SELECT first_name, last_name FROM users WHERE user_id = ?");
mysqli_stmt_bind_param($stmt, "i", $id); // bound as an integer parameter, never concatenated into the query text
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt); // fetch rows from $result as before; the query shape is fixed at prepare time

Attack Chains

Critical

Full Application Takeover via SQLi → Auth Bypass → RCE

  1. Attacker uses union-based SQLi in /vulnerabilities/sqli/?id= to dump users table and password hashes
  2. Cracks weak MD5 password hash for admin account (no salt, fast hash)
  3. Logs into admin panel; session cookie lacks HttpOnly/Secure flags
  4. Uses Command Injection in /vulnerabilities/exec/ to run arbitrary shell commands as web user
  5. Writes PHP webshell to writable upload directory; obtains persistent RCE

High

Account Takeover via Stored XSS → CSRF

  1. Attacker submits guestbook entry containing <script src=evil.js>
  2. Admin visits guestbook page; payload exfiltrates session cookie (no HttpOnly)
  3. Attacker replays session OR triggers CSRF on /vulnerabilities/csrf/ to change admin password (no CSRF token)
  4. Full admin account takeover

High

Mass Data Exfiltration via IDOR

  1. Attacker authenticates as low-privilege user
  2. Iterates user_id parameter on profile endpoint; no ownership check
  3. Dumps PII for every account in the system

Recommendations

  • [01] Replace ALL raw SQL string concatenation with parameterized prepared statements (mysqli_prepare / PDO).
  • [02] Enforce a strict Content-Security-Policy (no inline scripts, no unsafe-eval) and HTML-escape every user-controlled value on output.
  • [03] Remove all calls to shell_exec/exec/system on user input. If shell-out is unavoidable, use a strict allowlist + escapeshellarg.
  • [04] Migrate password storage from MD5 to argon2id (or bcrypt with cost ≥ 12). Force a password reset on next login.
  • [05] Add CSRF tokens (synchronizer pattern) on every state-changing form; verify Origin/Referer headers.
  • [06] Set cookies with HttpOnly, Secure, and SameSite=Lax (or Strict) flags. Rotate session IDs on privilege change.
  • [07] Add per-object authorization checks (verify the resource belongs to the requesting user) on every endpoint that accepts an ID.
  • [08] Restrict file uploads by MIME-type and extension allowlist, and store them outside the webroot. Re-encode images server-side.
  • [09] Enable HSTS (max-age ≥ 31536000; includeSubDomains; preload) and redirect all HTTP traffic to HTTPS.
  • [10] Add rate-limiting and account lockout on the login endpoint to break credential-stuffing.