
API hacking lab #1 (Low), missing API path

Open Crypto-Cat opened this issue 9 months ago • 9 comments

Are the new API labs working as intended? The low difficulty suggests changing the API call /vulnerabilities/api/v2/user/ to /vulnerabilities/api/v1/user/ but both of these URLs are 404 and looking in the source code, there doesn't seem to be any files corresponding to v1 or v2:

ls /var/www/html/DVWA/vulnerabilities/api/
bootstrap.php  composer.lock    help       openapi.yml  README.md  src
composer.json  gen_openapi.php  index.php  public       source

Crypto-Cat avatar Feb 02 '25 14:02 Crypto-Cat

They should be working. You won't see the files as I'm using rewrite rules to map requests into other bits of code.

digininja avatar Feb 02 '25 14:02 digininja

Just to confirm, I should be able to access http://localhost/vulnerabilities/api/v2/user/ or http://localhost/vulnerabilities/api/v1/user/ in the browser by default?

Also, I think when browsing to http://localhost/DVWA/vulnerabilities/api/ the console shouldn't have the 404 Not Found error by default (I'm expecting some data, but just different data to v1). I tried to delete the whole DVWA folder and run a fresh installation, but it seems to be the same 😕

Crypto-Cat avatar Feb 02 '25 14:02 Crypto-Cat

Just realised, mod_rewrite won't be enabled by default. Something like a2enmod rewrite will do it.

I'll update the docs and add a check for it later.

digininja avatar Feb 02 '25 15:02 digininja

I also realised the JS calls http://localhost/vulnerabilities/api/v2/user/ but my installation (using install script from repo) has this file at http://localhost/DVWA/vulnerabilities/api/v2/user/

Crypto-Cat avatar Feb 02 '25 16:02 Crypto-Cat

The problem with lone development. It is hardcoded to my paths and I forgot mod_rewrite isn't enabled by default.

I've got fixes, I'll get them wired in and pushed for you to test.

digininja avatar Feb 03 '25 08:02 digininja

I've just committed a load of stuff. The paths should now be relative, not fixed, and you'll get an error if mod_rewrite is not enabled, which will point you at the README that tells you how to enable it.

The setup page also now checks for mod_rewrite.

It all needs tidying up, but it should at least work.

digininja avatar Feb 03 '25 09:02 digininja

Hmmm, so I did a fresh install again (mod_rewrite is enabled), using the Install-DVWA.sh script, but the problem remains for me.

I also tried to launch with the docker-compose option and this time the API call succeeds but doesn't retrieve the expected data.

Warning: require(vendor/autoload.php): Failed to open stream: No such file or directory in /var/www/html/vulnerabilities/api/bootstrap.php on line 2

Fatal error: Uncaught Error: Failed opening required 'vendor/autoload.php' (include_path='.:/usr/local/lib/php') in /var/www/html/vulnerabilities/api/bootstrap.php:2 Stack trace: #0 /var/www/html/vulnerabilities/api/public/index.php(3): require() #1 {main} thrown in /var/www/html/vulnerabilities/api/bootstrap.php on line 2

Crypto-Cat avatar Feb 03 '25 09:02 Crypto-Cat

Ye, I just found that one. It is more stuff I've got installed without realising it.

Go into the api directory and try following these instructions.

https://github.com/digininja/DVWA/tree/master/vulnerabilities/api

I need to work out how much of this should be committed for it to just work, but how much needs to be machine-dependent.

digininja avatar Feb 03 '25 10:02 digininja

I think I might be there with it. The Docker image is now working correctly and I've put checks in to both the setup script and the API pages to warn if mod_rewrite is not installed and if you've not installed the vendor files.

Hopefully there is enough info and checks for you to get it working now.

digininja avatar Feb 03 '25 11:02 digininja

I think it is all working now

digininja avatar Jul 01 '25 13:07 digininja