Scan a DVWA application with Taipan v2.9

Damn Vulnerable Web Application (DVWA) is a project created with the intent to teach basic web application security. By providing an intentionally vulnerable web application, it lets the user try to exploit the various vulnerabilities that are implemented.

In order to test it, it is necessary to provide some custom configuration to Taipan.

Scan a DVWA application with Taipan Pro Edition

Taipan Pro Edition supports a login recording feature that makes it easy to configure an authenticated scan.

The video below shows how to use the feature to configure an authenticated scan for a DVWA application.

Scan a DVWA with Taipan Consultant Edition and Taipan Community Edition

The Taipan Consultant Edition contains the full Taipan scan engine with all its capabilities. In order to configure it, it is necessary to customize the profile in use. In particular, we have to specify:

  • A cookie to set the DVWA security level to low
  • A list of paths that must not be scanned (like password change or application reset)
  • The appropriate steps to authenticate to the web application with the account: admin:password

Once the profile is configured, you can run it with the command:

taipan.exe -p dvwa http://127.0.0.1/DVWA/

You can find a pre-configured profile on the official Taipan GitHub page.

To install the profile, just download the file and copy it into the Taipan Profiles directory. Run taipan.exe --show-profiles to be sure that it was correctly loaded.

Specify the low security setting via cookie

We have to add a cookie to each request. This is done by modifying the AdditionalCookies setting in the HttpRequestorSettings profile settings. Below is an example of the cookie that must be added:

<AdditionalCookies>
  <Cookie>
	<Name>security</Name>
	<Value>low</Value>
  </Cookie>
</AdditionalCookies>

Avoid problematic paths during the scan

Some paths may cause trouble during the scan since they modify the internal state of the application. Examples of paths to avoid are the DB reset or the password change. This is easily achieved by configuring the Crawler not to follow the specified paths, as shown below:

<BlacklistedPattern>
  <Pattern>/logout.[a-z]+</Pattern>
  <Pattern>/manual/</Pattern>
  <Pattern>doc/</Pattern>
  <Pattern>setup.php</Pattern>
  <Pattern>csrf/</Pattern>
</BlacklistedPattern>

Authenticate to the web application via Web Form authentication

The final step is to allow Taipan to authenticate to the web application via Web Form authentication. Taipan Consultant Edition allows you to specify the requests that must be made in order to authenticate. For each request it is possible to specify additional parameters that must be added. For our test we assume that the application is installed in the folder DVWA (if this is not the case, you have to change the path). In the authentication settings you can ignore the host, port and schema; these values are replaced with the actual ones during execution.

An important point is that DVWA uses a token for authentication, which means that you can't hardcode this value. Thankfully, Taipan Consultant Edition allows you to mark a parameter as dynamic: with this setting, Taipan requests the previous page in the configured navigation path to get the correct parameter value. For DVWA we need three requests. The first one is to the login page, to get the session cookie and the CSRF token. The second one is the authentication POST request, and the final one is the request to the index page.

The last missing piece of information is the pattern that Taipan uses to recognize whether the session is authenticated or not. For DVWA we can look for the string Logout if the session is authenticated and the string Login if it is not. Below is an example of the settings to use for authentication:

<AuthenticationInfo>
  <Type>WebForm</Type>
  <Username></Username>
  <Password></Password>
  <Token></Token>
  <Enabled>true</Enabled>
  <LoginPattern>
	<Pattern>Logout</Pattern>
  </LoginPattern>
  <LogoutPattern>
	<Pattern>Login</Pattern>
  </LogoutPattern>
  <DynamicAuthParameterPatterns />
</AuthenticationInfo>
<Journey>
  <Path>
	<Transaction>
	  <Index>0</Index>
	  <TemplateRequest>
		<Method>GET</Method>
		<Data></Data>
		<Uri>http://127.0.0.1/DVWA/login.php</Uri>
		<Headers />
	  </TemplateRequest>
	  <TemplateResponse>
		<ResponseCode>-1</ResponseCode>
		<Base64Content></Base64Content>
		<Headers />
	  </TemplateResponse>
	  <Parameters></Parameters>
	</Transaction>
	<Transaction>
	  <Index>1</Index>
	  <TemplateRequest>
		<Method>POST</Method>
		<Data>username=admin&amp;password=password&amp;Login=Login&amp;user_token=8e2d01b9de1ff4023b9b0263d9c608d9</Data>
		<Uri>http://127.0.0.1/DVWA/login.php</Uri>
		<Headers>
			<Header>
				<Name>Content-Type</Name>
				<Value>application/x-www-form-urlencoded</Value>
			</Header>
		</Headers>
	  </TemplateRequest>
	  <TemplateResponse>
		<ResponseCode>-1</ResponseCode>
		<Base64Content></Base64Content>
		<Headers />
	  </TemplateResponse>
	  <Parameters>
		<Parameter>
		  <Name>username</Name>
		  <Value>admin</Value>
		  <Type>Data</Type>
		  <IsStatic>true</IsStatic>
		</Parameter>
		<Parameter>
		  <Name>password</Name>
		  <Value>password</Value>
		  <Type>Data</Type>
		  <IsStatic>true</IsStatic>
		</Parameter>
		<Parameter>
		  <Name>Login</Name>
		  <Value>Login</Value>
		  <Type>Data</Type>
		  <IsStatic>true</IsStatic>
		</Parameter>
		<Parameter>
		  <Name>user_token</Name>
		  <Value></Value>
		  <Type>Data</Type>
		  <IsStatic>false</IsStatic>
		</Parameter>
	  </Parameters>
	</Transaction>
	<Transaction>
	  <Index>2</Index>
	  <TemplateRequest>
		<Method>GET</Method>
		<Data></Data>
		<Uri>http://127.0.0.1/DVWA/index.php</Uri>
		<Headers />
	  </TemplateRequest>
	  <TemplateResponse>
		<ResponseCode>-1</ResponseCode>
		<Base64Content></Base64Content>
		<Headers />
	  </TemplateResponse>
	  <Parameters></Parameters>
	</Transaction>
  </Path>
</Journey>    
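
The sketch below is an added example, not Taipan's own code: it shows what marking user_token as dynamic amounts to (the value is read from the previous page of the journey instead of the template) and how the Logout/Login patterns classify a response. The sample page, the function names, the condensed parameter list and the pattern precedence are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlencode

# <Parameters> of transaction 1, condensed from the profile shown above.
PARAMETERS_XML = """<Parameters>
<Parameter><Name>username</Name><Value>admin</Value><IsStatic>true</IsStatic></Parameter>
<Parameter><Name>password</Name><Value>password</Value><IsStatic>true</IsStatic></Parameter>
<Parameter><Name>Login</Name><Value>Login</Value><IsStatic>true</IsStatic></Parameter>
<Parameter><Name>user_token</Name><Value></Value><IsStatic>false</IsStatic></Parameter>
</Parameters>"""

# Constructed login page body; the token value is made up for this example.
SAMPLE_LOGIN_PAGE = """<form action="login.php" method="post">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" name="Login" value="Login">
<input type='hidden' name='user_token' value='0123456789abcdef0123456789abcdef' />
</form>"""

class InputValues(HTMLParser):
    """Collect name -> value for every <input> that carries a value attribute."""
    def __init__(self):
        super().__init__()
        self.values = {}
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") and attrs.get("value") is not None:
            self.values[attrs["name"]] = attrs["value"]

def build_login_body(parameters_xml, previous_page_html):
    """Static parameters keep their configured value; dynamic ones come from the previous page."""
    page = InputValues()
    page.feed(previous_page_html)
    pairs = []
    for p in ET.fromstring(parameters_xml).iter("Parameter"):
        name, value = p.findtext("Name"), p.findtext("Value") or ""
        if p.findtext("IsStatic") != "true":
            if name not in page.values:
                raise LookupError(f"dynamic parameter {name!r} missing from previous page")
            value = page.values[name]
        pairs.append((name, value))
    return urlencode(pairs)

def session_state(body, login_pattern="Logout", logout_pattern="Login"):
    """Assumed precedence: the LoginPattern is checked before the LogoutPattern."""
    if re.search(login_pattern, body):
        return "authenticated"
    if re.search(logout_pattern, body):
        return "unauthenticated"
    return "unknown"
```

If the scan reports an unauthenticated session, checking that the previous page really contains the dynamic parameter is a quick first diagnostic.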

