DVWA

• user controls string which is passed to command line

• might be escaped, but correctly?

  • &&, &, |, ||, ;

  • recursive?

  • base64 encoded?

• Attacker defines request, which is sent with authentication cookie of the victim:

  • define link in email (only GET)

  • create website with malicious JS code (POST, DELETE, ..) and send link to this website to victim

• Mitigation:

  • SOP

  • CSRF token

  • SameSite cookie

• server loads/displays file, which is specified by user

• e.g.: use GET parameter to specifiy path of file

Mitigation:

• white-listing files

• white-listing directory where auto generated files are stored