Cybersecurity · Raspberry Pi Web App Tinkering

Raspberry Pi Web App Tinkering

Deliberately misconfigured web app on a Raspberry Pi for hands-on recon, scanning, and exploitation exercises.

View this project on GitHub

Overview

Web apps are a major attack surface. This project builds a custom site on a Raspberry Pi (Apache + WebDAV) with intentional misconfigurations, then demonstrates reconnaissance, vulnerability scanning, and analysis & reporting workflows in a safe lab.

Purpose & Objectives

Purpose

  • Technical Proficiency: Build & configure a basic app; deploy intentional misconfigurations.
  • Security Mindset: Use industry tools for active recon and scanning in a controlled environment.
  • Professional Documentation: Clear, reproducible steps mirroring real-world reporting.

Objectives

  1. Web App Configuration: Custom index page on Apache 2.4.59 (Raspberry Pi 3) with purposeful weaknesses.
  2. Active Reconnaissance: Enumerate HTTP/services using nmap, WhatWeb, and Burp Suite; run dirb, dirbuster, gobuster.
  3. Vulnerability Scanning: Identify issues with nmap and nikto.
  4. Analysis & Reporting: Summarize findings and mitigations.

Toolset

  • Active Recon: nmap, whatweb, dirb, dirbuster, gobuster, Burp Suite
  • Vulnerability Scanning: nmap, nikto
  • Analysis: Clear, professional documentation & reporting
Customized web page on Raspberry Pi
Customized web page used for testing.

Configuring the Web Application

Deliberate misconfigurations make the target interesting for tools like Nmap, Nikto, and Burp Suite. WebDAV is enabled for file uploads.

Specific Misconfigurations

  1. Weak authentication for WebDAV
  2. Directory listings enabled
  3. Hidden directories and files
  4. Exposed sensitive configuration
  5. Crafted XSS vulnerability

Weak WebDAV Authentication

Enable WebDAV with Basic Auth and intentionally weak credentials.

webdav.conf with BasicAuth
Weak credentials configured for WebDAV

Directory Listings Enabled

Apache Options Indexes exposes directory listings when no default index is present.

Indexes in apache2.conf
Indexes also enabled in webdav.conf

Hidden Directories & Files

Hidden and obvious paths are created under /var/www/html to surface during directory busting and manual browsing.

Exposed Sensitive Configuration

Example: a public config.php containing sensitive information.

Exposed config.php

Crafted XSS Vulnerability

Convert index.html to index.php and inject reflected XSS via unsanitized query parameter.

Renaming index.html to index.php
Verifying vulnerable PHP code presence
Reflected XSS code example
Restarting Apache to load PHP

Active Recon

Create a Bash helper script to run initial Nmap sweeps, then save results; run WhatWeb for tech fingerprinting.

Bash script creation 1
Bash script creation 2
Bash script creation 3
Script run 1
Script run 2
Script run 3
Script run 4
Saving scan results to file
WhatWeb fingerprinting

Directory Busting

Discover hidden/interesting paths with Dirb, Dirbuster, and Gobuster.

Dirb run
Dirbuster UI
Dirbuster results 1
Dirbuster results 2
Dirbuster results 3
Gobuster results

Active Recon with Burp Suite

Intercept a GET request, send to Repeater, and probe different HTTP methods.

Firefox proxy settings for Burp
Burp start
Burp start 2
Burp Proxy Intercept ON
Target web page
Refreshing the page through proxy
Captured GET request
Send to Repeater
GET request in Repeater
HEAD request in Repeater
OPTIONS request in Repeater
PUT request response (405)
POST/Bad Request example
Burp Suite site map

Vulnerability Scanning

Nmap --script vuln

Nmap vulnerability scan results

Nikto Scan

Nikto scan findings

Exploitation

Exploiting Reflected XSS

Exploit the vulnerable index.php by passing a crafted ?query= value.

http://192.168.1.103/index.php?query=test
XSS test 1
XSS test 2
XSS test 3
XSS test 4

Sanitize and encode user input before output. Example using htmlspecialchars():

Using htmlspecialchars() to mitigate reflected XSS

Also consider strict input validation and a defensive Content-Security-Policy.

Restricting query parameter to safe characters
Example CSP header

Exploiting WebDAV

Weak Basic Auth on /webdav can be brute forced—or discovered via scanning. Once credentials are known, upload a PHP payload and gain a shell.

Nikto exposing weak WebDAV auth
WebDAV login prompt
Entering credentials
Successful WebDAV login
Generating payload and uploading with cadaver
Payload visible on site
Metasploit reverse handler
Meterpreter session obtained

Analysis & Reporting

This lab demonstrates how misconfigurations are identified, exploited, and mitigated. It also reinforces a methodical workflow and clear documentation.

Methodology

  • Identify HTTP methods, server details, and headers via Burp + Nmap.
  • Enumerate directories with Dirb/Dirbuster/Gobuster.
  • Probe various HTTP methods to analyze behavior and exposure.
  • Scan for vulnerabilities with Nmap NSE (vuln) and Nikto.

Key Findings

  • Reflected XSS: Risk of data theft, phishing, session hijacking.
  • Weak WebDAV Auth: Enabled arbitrary file upload and remote shell.
  • Directory Listings: Exposed structure and sensitive files.
  • Missing Security Headers: Clickjacking/MIME risks.

Mitigation Recommendations

  • Sanitize/encode output (htmlspecialchars()), validate input, set CSP.
  • Harden WebDAV: strong creds, HTTPS, restrict methods & file types.
  • Disable Indexes in Apache; restrict access to sensitive files.
  • Add security headers: X-Frame-Options, Content-Security-Policy, X-Content-Type-Options.

Lessons Learned

Hands-on practice with a purposely vulnerable app sharpens recon, scanning, exploitation, and remediation skills—end-to-end.

← Back to Home