Vulnerability analysis
Exploitation

------------------------------------ STUDENTS SETUP ------------------------------------

STEP 1: ngrok configuration
- Sign up or log in to ngrok https://ngrok.com/
- Install ngrok
  - Full instructions (Getting Started->Setup & Installation) https://dashboard.ngrok.com/get-started/setup
- Configure your ngrok authtoken
  - From command line: ngrok config add-authtoken
  - Where can I find my token? (Getting Started->Your Authtoken) https://dashboard.ngrok.com/get-started/your-authtoken
- Check that ngrok has been correctly installed
  - From command line: ngrok help

STEP 2: Start the php server
- Open a terminal
- Create an empty directory and cd into it
  - From command line: mkdir phpServerDir; cd phpServerDir
- Start the php server listening on a selected port (in this example the port is 3333)
  - From command line: php -S localhost:3333

STEP 3: Make the php server accessible from outside the NAT network using ngrok
- Open a new terminal
- Use ngrok to link the local php server to an ngrok link (the port passed to ngrok must be the same as the port selected for the php server; in this example the port is 3333)
  - From command line: ngrok http 3333
The command output has a field Forwarding in the format:
"Forwarding https://.eu.ngrok.io -> http://localhost:3333"
Every request to https://.eu.ngrok.io will be redirected to localhost port 3333.

-----------------------------------------------------------------------------------------
----------------------------------- XSS ATTACK ------------------------------------------

STEP 1: Using any browser, connect to the link provided during the lab

STEP 2: XSS attack
- In any "Card #" field of the first webpage (index.php) write:
- Replace https://.eu.ngrok.io with the link that ngrok provided in the "Forwarding" field. Remember that between the ngrok link and the document.cookie there must be a forward slash '/'.
- Submit the form by clicking the "Send your hand" button. The page sendcards.php must appear.
- From the page sendcards.php click on the link below "Ask the Joker to see your cards" (the link points to askjoker.php). The first time the link is clicked, it can take from 30 seconds to 3 minutes to load the askjoker.php page.

STEP 3: Check whether the XSS attack has been successful
- If the attack has been successful, the flag should appear in the php terminal in the format SNH{}.

STEP 4: Stop the php server and ngrok, and remove the ngrok token
- Press Ctrl+C in the php server terminal and in the ngrok terminal.
- Remove your ngrok token from the PC:
  - From command line: ngrok config add-authtoken none

-----------------------------------------------------------------------------------------
Remediation
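Added remediation example, not the lab's own code: it assumes askjoker.php renders the stored "Card #" values into HTML, and shows the vulnerable output pattern next to the hardened one, plus session-cookie and CSP settings that keep document.cookie and cross-origin requests from leaking the session the flag depends on. The function names, the $samples values and the card format (a short digit string) are assumptions.

```php
<?php
// Added example, not the lab's code. Assumes the "Card #" values submitted on
// index.php are stored and later written into the HTML of askjoker.php.

// Vulnerable: the raw field value is concatenated into markup, so any HTML or
// script inside it is parsed and run by the Joker's browser when it views the page.
function render_card_vulnerable(string $card): string {
    return "<li>Card #: " . $card . "</li>";
}

// Hardened: encode for the HTML context at output time. ENT_QUOTES also encodes
// single quotes, so the same function is safe inside quoted attributes.
function render_card_safe(string $card): string {
    return "<li>Card #: " . htmlspecialchars($card, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</li>";
}

// Defence in depth on input: a card number is assumed to be 1 to 4 digits, so
// anything else is rejected before it is stored at all.
function is_valid_card(string $card): bool {
    return preg_match('/^\d{1,4}$/', $card) === 1;
}

// Reduce the impact of any script that still runs: HttpOnly removes the session
// cookie from document.cookie, Secure/SameSite limit where it is sent (Secure
// assumes the site is served over HTTPS), and the CSP blocks inline scripts and
// requests to origins other than the page's own.
function start_hardened_session(): void {
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
    session_start();
    header("Content-Security-Policy: default-src 'self'");
}

// Constructed sample values: a legitimate card and a canary containing markup.
$samples = ['42', '<script>alert(1)</script>'];
foreach ($samples as $s) {
    $verdict = is_valid_card($s) ? 'accepted' : 'rejected';
    echo $verdict . ': ' . render_card_safe($s) . "\n";
}
```

Run with `php example.php`: the second sample is rejected by validation, and even when rendered the `<` and `>` come out as `&lt;` and `&gt;`, so no script element is created.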