My First PR in an open source project, DVWA!

13 September 2020

Intro :flashlight:

It’s a small start, but I’m happy to be able to make a contribution to an open source project that helped me learn things: Damn Vulnerable Web App (DVWA), an intentionally vulnerable web app built to help people learn about web application security.

How the issue was discovered

I was just trying to beat all the sections in DVWA from easy to hard when I came across a new section, the “CSP bypass” (Content Security Policy bypass) section. It had some whitelisted websites that could be used to host malicious code.

But none of the whitelisted websites allow malicious code to be executed by a victim’s browser anymore. Pastebin, the usual go-to place to host malicious code, now sends this header (the first of the two below) in its responses:

x-content-type-options: nosniff
Content-Type: text/plain; charset=utf-8

The X-Content-Type-Options: nosniff header tells the browser not to guess (MIME-sniff) the type of the response and to trust the declared Content-Type instead. When a browser fetches a resource as a script and nosniff is set, it refuses to execute the response unless the Content-Type is a JavaScript MIME type. Since pastebin declares text/plain, we lose the ability to make victim browsers vulnerable to attacks such as XSS, where some string hosted on a whitelisted site is unexpectedly interpreted as JS code.
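To make the mechanism concrete, here is an added example (not DVWA’s code, and not a browser’s real implementation) in Node.js that models the two checks a browser applies to an external script: CSP script-src matching first, then the nosniff MIME check. The policy string, the URLs and the response headers are constructed for the example; the whitelist is only in the spirit of the challenge’s, not copied from it.

```javascript
// Added example (not DVWA code): toy model of the two checks a browser makes
// before running <script src="URL">, to show why the pastebin payload died.
//   1. CSP: the URL must match a source expression in the script-src directive.
//   2. nosniff: if the response has X-Content-Type-Options: nosniff, its
//      Content-Type must be a JavaScript MIME type or the script is blocked
//      (Fetch standard: "should response to request be blocked due to nosniff").
// The policy string, URLs and response headers below are constructed.

// Subset of the JavaScript MIME types listed in the MIME Sniffing standard.
const JS_MIME_TYPES = new Set([
  'application/javascript', 'application/x-javascript', 'application/ecmascript',
  'application/x-ecmascript', 'text/javascript', 'text/x-javascript',
  'text/ecmascript', 'text/x-ecmascript', 'text/jscript', 'text/livescript',
]);

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

const REASON = {
  CSP: 'blocked by CSP script-src',
  NOSNIFF: 'blocked by nosniff: Content-Type is not a JavaScript MIME type',
  OK: 'allowed',
};

// Source list of the script-src directive (default-src fallback is not modelled).
function scriptSrcSources(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'script-src') return tokens.slice(1);
  }
  return [];
}

// Simplified CSP host-source matching: scheme, host (with "*." wildcard) and port.
// Keyword sources other than 'self' (nonces, hashes, 'unsafe-inline') never match
// an external script here. IPv6 hosts are not handled.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;
  if (source === '*') return true;

  let scheme = null;
  let hostPort = source;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(source);
  if (m) { scheme = m[1].toLowerCase() + ':'; hostPort = m[2]; }
  hostPort = hostPort.split('/')[0];

  // Scheme-less sources match the page's scheme, or https: as a secure upgrade.
  const pageScheme = new URL(pageOrigin).protocol;
  if (scheme ? url.protocol !== scheme
             : url.protocol !== pageScheme && url.protocol !== 'https:') return false;

  const colon = hostPort.lastIndexOf(':');
  const host = (colon === -1 ? hostPort : hostPort.slice(0, colon)).toLowerCase();
  const port = colon === -1 ? null : hostPort.slice(colon + 1);
  const urlHost = url.hostname.toLowerCase();
  const hostOk = host.startsWith('*.') ? urlHost.endsWith(host.slice(1)) : urlHost === host;
  if (!hostOk) return false;

  if (port === '*') return true;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  return (port === null ? DEFAULT_PORT[url.protocol] : port) === urlPort;
}

// True when nosniff is set and the declared Content-Type is not a JavaScript type.
// headers: plain object with lower-cased header names (constructed input).
function nosniffBlocksScript(headers) {
  const xcto = (headers['x-content-type-options'] || '').split(',')[0].trim().toLowerCase();
  if (xcto !== 'nosniff') return false;
  const essence = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  return !JS_MIME_TYPES.has(essence);
}

function scriptWouldExecute({ pageOrigin, csp, scriptUrl, responseHeaders }) {
  const url = new URL(scriptUrl);
  if (!scriptSrcSources(csp).some((s) => sourceMatches(s, url, pageOrigin))) {
    return { execute: false, reason: REASON.CSP };
  }
  if (nosniffBlocksScript(responseHeaders)) return { execute: false, reason: REASON.NOSNIFF };
  return { execute: true, reason: REASON.OK };
}

// Constructed policy with a pastebin/hastebin whitelist in the spirit of the challenge.
const CSP = "script-src 'self' https://pastebin.com hastebin.com";
const PAGE_ORIGIN = 'http://localhost';

const SCENARIOS = {
  // The headers quoted in the post: whitelisted host, but text/plain + nosniff.
  pastebinRaw: { pageOrigin: PAGE_ORIGIN, csp: CSP, scriptUrl: 'https://pastebin.com/raw/payload',
    responseHeaders: { 'x-content-type-options': 'nosniff', 'content-type': 'text/plain; charset=utf-8' } },
  // Same text/plain body without nosniff: nothing in this model stops execution.
  textPlainNoNosniff: { pageOrigin: PAGE_ORIGIN, csp: CSP, scriptUrl: 'https://pastebin.com/raw/payload',
    responseHeaders: { 'content-type': 'text/plain; charset=utf-8' } },
  // A host outside the whitelist never reaches the MIME check.
  attackerHost: { pageOrigin: PAGE_ORIGIN, csp: CSP, scriptUrl: 'https://attacker.example/x.js',
    responseHeaders: { 'content-type': 'text/javascript' } },
  // A whitelisted host that declares a JavaScript type passes even with nosniff.
  whitelistedJsMime: { pageOrigin: PAGE_ORIGIN, csp: CSP, scriptUrl: 'https://hastebin.com/raw/payload',
    responseHeaders: { 'x-content-type-options': 'nosniff', 'content-type': 'application/javascript' } },
};

function runScenarios() {
  const out = {};
  for (const [name, s] of Object.entries(SCENARIOS)) out[name] = scriptWouldExecute(s);
  return out;
}

for (const [name, r] of Object.entries(runScenarios())) {
  console.log(`${name.padEnd(20)} execute=${r.execute}  ${r.reason}`);
}
```

Run it with node. The pastebinRaw scenario passes the CSP whitelist and is still blocked, which is the situation in the console: the host is allowed, but the response is not a script. Only a whitelisted host that serves a JavaScript Content-Type (or omits nosniff) gets through both checks.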

Here’s the web console showing that the CSP successfully blocked my attack with the help of this header.

As a result, the “CSP Bypass” challenge becomes unsolvable, hence my first issue:

https://github.com/digininja/DVWA/issues/382

How the issue was resolved

As I knew what the problem was, solving it was pretty quick: I googled for a malicious-code hosting service as an alternative to pastebin, and found hastebin.

Note that pastebin and hastebin aren’t actually services to host malicious code; they’re just services to host text, but they can be misused for this exact use case.

Hence :sparkles: my first PR :sparkles:. I was a bit nervous, so I even included a bit of screen capture :laughing:

https://github.com/digininja/DVWA/pull/383

Outro

I was hoping to show up as a contributor in DVWA’s GitHub, but then I realized that merge commits don’t include the committer in the contributors page. :frowning:

But oh well, I still feel proud that I managed to find an issue in an open source project that anyone could’ve found, yet I found it first and solved it myself! :grin: