Reflected XSS Exploitation in DVWA : A Beginners' Guide

Welcome back to D Guides.I am Sadeepa Gayashan and I am the newly joined contributor of D Guides.I will share my knowledge on cyber security through Cyber Guides of this blog.Today I am going to share with you how steal session cookies.Most web applications maintain a user session to identify the user across multiple HTTP requests. Sessions are identified by session cookie.After a successful login server will send you a session cookie by the Set-Cookie  header.We can steal the session cookie by calling document.cookie.

For demo purposes, we will use the DVWA Application.

First, we need to run DVWA as a server in localhost or in VirtualBox in our web browser.Now login with Username: admin, Password: password. this is the interface of the web application.Once logged in, we want to navigate to the DVWA Security tab, select the security level in the drop-down box, and hit Submit



























1. Set security low

Then we need to find out is there any vulnerabilities in this application in low-level security.Now I am going to enter a small script which would generate an alert window.
 <script>alert(1234)</script>
Then the web browser executes our script and generate an alert window as below.


So, if we inject the following script, it will show the current cookie value in an alert box.             
<script>alert(document.cookie)</script>



2. Set security medium 

In medium security level, we are going to use the same code that we used in the previous one.
 <script>alert(1234)</script> 


When we execute this, <script> tag is not present in the result. So, when we look into the source code it looks like this 


str_replace( ‘<script>’ , ‘’ ) → replacing <script> tag with blank space.
So, let try in some advanced
  • Uppercase → <SCRIPT>alert(1234)</SCRIPT> 
  • Mixed → <ScRIpT>alert(1234)</sCRIpT>


It works and the filter failed to catch the <script> tag because it was indifference order (uppercase or mixed).
So, if we inject the following script, it will show the current cookie value in an alert box. <SCRIPT>alert(document.cookie)</ SCRIPT > 
  or
<ScRIpT>alert(document.cookie)</ sCrIPt >


3. Set security high 

In high security level we are going to use same code that we used in medium level. <SCRIPT>alert(1234)</ SCRIPT >
 or
 <ScRIpT>alert(1234)</ sCrIPt >



It doesn’t work for this time. So, let's look into the source code


preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i' , '' ) → Use regular expression to detect the <script> tag and replace them with blank space.
So, let try in some advanced methods.
Use IMG tag code instead script tag code,  
<IMG SRC=/ onerror=alert(1234)></img>

You can see it has worked. So, if we inject the following script, it will show the current cookie value in an alert box.
<IMG SRC=/ onerror=alert(document.cookie)></img>


I think it is time to wrap up.Otherwise the post will be too lengthy : ) .By next post we will discuss about Stored Method which is the next part of this post.Be safe and show your support by sharing this among your colleagues.


Comments

Popular posts from this blog

Useful Tools For React Developers

Huawei Nova 2i

Best Tech Gadgets To Gift For Christmas 2017