Reflected XSS Exploitation in DVWA : A Beginners' Guide

Welcome back to D Guides.I am Sadeepa Gayashan and I am the newly joined contributor of D Guides.I will share my knowledge on cyber security through Cyber Guides of this blog.Today I am going to share with you how steal session cookies.Most web applications maintain a user session to identify the user across multiple HTTP requests. Sessions are identified by session cookie.After a successful login server will send you a session cookie by the Set-Cookie  header.We can steal the session cookie by calling document.cookie.

For demo purposes, we will use the DVWA Application.

First, we need to run DVWA as a server in localhost or in VirtualBox in our web browser.Now login with Username: admin, Password: password. this is the interface of the web application.Once logged in, we want to navigate to the DVWA Security tab, select the security level in the drop-down box, and hit Submit



























1. Set security low

Then we need to find out is there any vulnerabilities in this application in low-level security.Now I am going to enter a small script which would generate an alert window.
 <script>alert(1234)</script>
Then the web browser executes our script and generate an alert window as below.


So, if we inject the following script, it will show the current cookie value in an alert box.             
<script>alert(document.cookie)</script>

2. Set security medium 

In medium security level, we are going to use the same code that we used in the previous one.
 <script>alert(1234)</script> 


When we execute this, <script> tag is not present in the result. So, when we look into the source code it looks like this 


str_replace( ‘<script>’ , ‘’ ) → replacing <script> tag with blank space.
So, let try in some advanced
  • Uppercase → <SCRIPT>alert(1234)</SCRIPT> 
  • Mixed → <ScRIpT>alert(1234)</sCRIpT>


It works and the filter failed to catch the <script> tag because it was indifference order (uppercase or mixed).
So, if we inject the following script, it will show the current cookie value in an alert box. <SCRIPT>alert(document.cookie)</ SCRIPT > 
  or
<ScRIpT>alert(document.cookie)</ sCrIPt >


3. Set security high 

In high security level we are going to use same code that we used in medium level. <SCRIPT>alert(1234)</ SCRIPT >
 or
 <ScRIpT>alert(1234)</ sCrIPt >



It doesn’t work for this time. So, let's look into the source code


preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i' , '' ) → Use regular expression to detect the <script> tag and replace them with blank space.
So, let try in some advanced methods.
Use IMG tag code instead script tag code,  
<IMG SRC=/ onerror=alert(1234)></img>

You can see it has worked. So, if we inject the following script, it will show the current cookie value in an alert box.
<IMG SRC=/ onerror=alert(document.cookie)></img>


I think it is time to wrap up.Otherwise the post will be too lengthy : ) .By next post we will discuss about Stored Method which is the next part of this post.Be safe and show your support by sharing this among your colleagues.


Comments

Post a Comment

Popular posts from this blog

Useful Tools For React Developers

Image
Welcome back to D Guides folks.This post is valuable for newbies for react development.I am sharing about few tools you can use when developing react applications.It is important leaning tools like these same as understanding a framework like React.These tools will help us to maintain high code quality. 1. Prettier Prettier is a tool which will format the code consistently according to the standards.First step to do is install prettier as a developer dependency.Why developer dependency is the next question hops into your mind.We don't need to have prettier as a dependency when we are deploying the application so that is why it is installed as a developer dependency.Then we need to install prettier plugin for vs code.VS Code is my first choice when doing web development.Then we are changing two things in preferences.First thing is enabling format on save.Other option we are enabling is require config.By that we ensure that prettier will run only on the projects prettier h
Read more

Deep Dive Into Azure Global Infrastructure

Image
Have you ever wonder when you deploy an app into cloud how exactly it is hosted in cloud? Or maybe is it safe to host an app in cloud and how they maintain high availability?This post will clear  all your doubts  and free your mind. What is a Datacenter? Inside of a Datacenter Azure Datacenter is the smallest node or the exact physical location where our resources reside.But datacenters are not exposed to end users.These datacenters act exactly as the on premises servers.But since these datacenters are cloud datacenters you have extra capabilities which will help you grow with the customer base (Scale Up) or vice versa (Scale Down) for a lower cost than creating and maintaining own servers. Curious about Azure Regions ? Azure has more Regions than any other cloud provider.If you want the exact numbers there are 58 global regions and a region is a set of datacenters inside a latency defined perimeter.Most of the time we deal with these region when we deploy re
Read more

Bigger Picture Of Node Event Loops

Image
Even though you are a beginner for node js you all know that Node.js is single threaded.But we use Node.js for powerful backends and we can include concurrence functionality into a Node.js application using events and call backs.In simple terms 'Event Loop' is what permits Node.js to perform non blocking I/O operations.Node.js uses event in large scale and it is the reason behind the speed when comparing to other technologies in the same stack What exactly is 'Event Loop' ? Everything happens in Node.js platform is because of events.'Event Loop' mechanism is inside the library called 'Libuv'.Since there is only one thread both userland code (code of the user) and event loop run in that same thread.Every callback is handled by the so called mechanism 'Event Loop'.Every userland code running in a Node application is a callback.Event Loop is behind the huge success of Node.js development.As I mentioned earlier every Node application i
Read more