Reflected XSS Exploitation in DVWA : A Beginners' Guide
Welcome back to D Guides. I am Sadeepa Gayashan, the newly joined contributor to D Guides, and I will share my knowledge on cyber security through the Cyber Guides section of this blog. Today I am going to share with you how to steal session cookies. Most web applications maintain a user session to identify the user across multiple HTTP requests. Sessions are identified by a session cookie: after a successful login the server sends you one in the Set-Cookie header. A script running in the page can read that cookie by calling document.cookie.
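The cookie flow described above, as an added example that is not part of the original post: it builds the kind of Set-Cookie header a PHP application sends, once bare and once with the flags that keep the cookie out of document.cookie, and includes a small audit function for Set-Cookie values. The cookie name PHPSESSID and the value are constructed for the demo.

```python
# Added example, not part of the original post: what a session Set-Cookie
# header looks like with and without the flags that stop document.cookie
# from exposing it, plus a small audit function for Set-Cookie values.
# The cookie name PHPSESSID and value used below are constructed for the demo.
from http.cookies import SimpleCookie

# Flags a session cookie should carry; HttpOnly is the one that keeps the
# cookie out of document.cookie, so an injected script cannot read it.
REQUIRED_FLAGS = ("HttpOnly", "Secure", "SameSite")


def build_set_cookie(name, value, hardened):
    """Return the value part of a Set-Cookie header for a session cookie."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    if hardened:
        jar[name]["httponly"] = True      # not readable via document.cookie
        jar[name]["secure"] = True        # only sent over HTTPS
        jar[name]["samesite"] = "Strict"  # not sent on cross-site requests
    return jar[name].OutputString()


def audit_set_cookie(header_value):
    """Return the required flags that are missing from a Set-Cookie value.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


if __name__ == "__main__":
    for hardened in (False, True):
        header = build_set_cookie("PHPSESSID", "c0nstructedsessionid", hardened)
        print(f"Set-Cookie: {header}")
        print("  missing flags:", audit_set_cookie(header) or "none")
```

The bare header is the situation the rest of this post relies on: without HttpOnly, whatever script runs in the page can read the session identifier. The audit function can be pointed at real response headers (for example from a proxy log) to spot session cookies that are missing the flags.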
For demo purposes, we will use the DVWA Application.
First, we need to run DVWA as a server on localhost or in VirtualBox and open it in our web browser. Now log in with Username: admin, Password: password. This is the interface of the web application. Once logged in, navigate to the DVWA Security tab, select the security level in the drop-down box, and hit Submit.
1. Set security low
Then we need to find out whether there are any vulnerabilities in this application at the low security level. I am going to enter a small script that generates an alert window:
<script>alert(1234)</script>
The web browser executes our script and generates an alert window, as shown below. Replacing the number with document.cookie makes the alert show the session cookie instead:
<script>alert(document.cookie)</script>
2. Set security medium
At the medium security level, we start with the same code that we used at the low level:
<script>alert(1234)</script>
When we execute this, the <script> tag is not present in the result. So, when we look into the source code, it looks like this:
So, let's try some variations on the tag's case:
- Uppercase → <SCRIPT>alert(1234)</SCRIPT>
- Mixed → <ScRIpT>alert(1234)</sCRIpT>
So, if we inject the following script, it will show the current cookie value in an alert box: <SCRIPT>alert(document.cookie)</SCRIPT>
or
<ScRIpT>alert(document.cookie)</sCrIPt>
3. Set security high
At the high security level we start with the same code that we used at the medium level: <SCRIPT>alert(1234)</SCRIPT>
or
<ScRIpT>alert(1234)</sCrIPt>
It doesn't work this time. So, let's look into the source code:
preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i' , '' ) → A case-insensitive regular expression (the /i flag) that matches the letters s, c, r, i, p, t in order after a <, with anything (or nothing) between them, and removes the match by replacing it with an empty string. Any spelling of the <script> tag is therefore stripped, but a tag that does not contain those letters in that order is left untouched.
So, let's try a more advanced method: an event handler on a different tag, which the regular expression above does not match.
<IMG SRC=/ onerror=alert(1234)></img>
<IMG SRC=/ onerror=alert(document.cookie)></img>
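The medium and high filters from the two sections above, modelled in Python as an added example that is not DVWA's own PHP, next to output encoding (what PHP's htmlspecialchars() does, which is the fix rather than a stricter blocklist). The medium filter is an assumption: the post only says the literal <script> tag disappears, so it is modelled as removal of that exact string. The high filter is the regular expression quoted from the source. The payloads are the ones already shown in this post, used here as test data.

```python
# Added example, not DVWA's own PHP: the two filters the post describes,
# modelled in Python, next to output encoding (what PHP's htmlspecialchars
# does). The medium filter is ASSUMED to be a plain removal of the literal
# "<script>" (the post only says the tag disappears); the high filter is the
# regex quoted in the post. The payloads are the ones shown in the post.
import html
import re

HIGH_SCRIPT_RE = re.compile(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", re.IGNORECASE)

# A raw "<" followed by a letter is what a browser parses as a start tag;
# a leftover closing tag such as "</script>" on its own does nothing.
START_TAG_RE = re.compile(r"<[a-z]", re.IGNORECASE)

# Inputs from the post, used here as test data.
PAYLOADS = {
    "lower": "<script>alert(1234)</script>",
    "upper": "<SCRIPT>alert(1234)</SCRIPT>",
    "mixed": "<ScRIpT>alert(1234)</sCRIpT>",
    "img": "<IMG SRC=/ onerror=alert(1234)></img>",
}


def filter_medium(name):
    """Assumed medium-level filter: drop the exact lowercase tag only."""
    return name.replace("<script>", "")


def filter_high(name):
    """High-level filter from the post: strip anything matching the regex."""
    return HIGH_SCRIPT_RE.sub("", name)


def encode_output(name):
    """The fix: encode for an HTML text context instead of blocklisting."""
    return html.escape(name, quote=True)


def reaches_browser_as_markup(text):
    """True if the result still contains something a browser parses as a tag."""
    return START_TAG_RE.search(text) is not None


def survivors(transform):
    """Names of the payloads that still carry a start tag after transform()."""
    return [k for k, v in PAYLOADS.items() if reaches_browser_as_markup(transform(v))]


if __name__ == "__main__":
    for label, fn in (("medium filter", filter_medium),
                      ("high filter", filter_high),
                      ("html.escape", encode_output)):
        print(f"{label:14s} still lets through: {survivors(fn) or 'nothing'}")
```

Run as a script it prints which of the post's inputs each transform lets through: the case-sensitive removal stops only the lowercase tag, the regex stops every spelling of <script> but nothing else, and encoding the output turns every input into inert text. That is the practical lesson of the three levels: a blocklist has to anticipate every tag and every spelling, whereas encoding for the output context makes the question irrelevant. Adding HttpOnly to the session cookie (see the earlier example) additionally keeps document.cookie from exposing the session even if an injection does get through.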
I think it is time to wrap up; otherwise the post will be too lengthy :) . In the next post we will discuss stored XSS, which is the next part of this series. Be safe and show your support by sharing this among your colleagues.