Darkly is a web security project designed to run on an i386 virtual machine. The main goal is to explore, understand, and manually test common web vulnerabilities according to the OWASP Top 10 framework.
This project focuses on hands-on learning: automated tools are avoided in favor of manual testing and understanding the underlying security issues.
Based on the manual security audit, the following vulnerabilities were identified, exploited, and documented. Each directory contains the specific payload, methodology, and patching instructions.
```
.
├── 🔓 Authentication & Session Management
│   ├── brute_force/                    # Dictionary attacks and brute-forcing logins
│   └── cookie_manipulation/            # Privilege escalation via insecure cookies
│
├── 💉 Injection Flaws
│   ├── sql_injection_images/           # Union-based SQL injection on image endpoints
│   └── sql_injection_members/          # SQLi for extracting and decrypting member data
│
├── 📜 Cross-Site Scripting (XSS)
│   ├── reflected_xss_data_URI/         # Reflected XSS using base64 encoded payloads
│   └── stored_xss/                     # Stored XSS exploiting feedback/comment forms
│
├── 🕵️‍♂️ Information Disclosure & Misconfigurations
│   ├── directory_listing/              # Exploiting open directories
│   ├── information_disclosure_robots/  # Analyzing robots.txt for hidden paths
│   └── path_traversal/                 # Directory traversal to access local server files
│
├── 🎭 Spoofing & Bypasses
│   ├── header_spoofing/                # Manipulating User-Agent & Referer headers
│   └── upload_mime_spoofing/           # Bypassing file upload restrictions via MIME types
│
└── 🔀 Logic & Access Flaws
    ├── hidden_field_manipulation/      # Tampering with hidden HTML form fields
    ├── open_redirect_site/             # Exploiting unvalidated redirects (e.g., footer links)
    └── parameter_tampering_vote/       # Manipulating voting parameters for logic abuse
```
- Manual Exploitation: No automated scanners. Every vulnerability is discovered and exploited by hand.
- Comprehensive Coverage: Testing spans the OWASP Top 10, including injection flaws, broken access control, and misconfigurations.
- Patching & Mitigation: Beyond exploitation, the project provides safe coding solutions and architectural fixes for each vulnerability.
- Defense-in-Depth: Demonstrates the critical importance of strict input validation, context-aware output encoding, and secure session management.
- Launch the VM: Start the provided i386 virtual machine.
- Access the Application: Open a web browser and navigate to the IP address displayed on the VM's terminal.
- Review the Audits: Navigate into any of the specific vulnerability folders (e.g., sql_injection_members/) to follow step-by-step testing methodologies, payloads, and proofs.
By completing this project, the following milestones were achieved:
- Deepened understanding of the OWASP Top 10 web vulnerabilities.
- Developed a methodology for manually identifying and exploiting security flaws in a controlled environment.
- Strengthened knowledge of secure coding practices, server misconfigurations, and patch implementation.