StackZero
  • Homepage
  • Cryptography and Privacy
  • Ethical Hacking
  • Reverse Engineering
  • Contacts
  • About Me
No Result
View All Result
StackZero
No Result
View All Result

Reflected XSS DVWA – An Exploit With Real World Consequences

September 9, 2022
in Ethical Hacking
0 0
Reflected XSS DVWA – An Exploit With Real World Consequences
0
SHARES
4k
VIEWS
Share on FacebookShare on Twitter

Reading tons of pages of Reflected XSS and how it works, could not be enough to understand deeply, so DVWA comes again to our aid.
The best way to make the concept our own is, as usual, the practical one.
In this article, we are going to explore DVWA (Damn Vulnerable Web Application), an application which was the first gym for many great hackers!

If you are not knowledgeable about the subject I suggest you look at my previous articles about XSS.

  • The terrifying world of Cross-Site Scripting (XSS) (Part 1)
  • The terrifying world of Cross-Site Scripting (XSS) (Part 2)
  • XSS in practice: how to exploit XSS in web applications
  • Reflected XSS DVWA – An Exploit With Real World Consequences
  • How to exploit a stored XSS vulnerability on DVWA
  • How to exploit DOM XSS on DVWA

Now, before starting to exploit, we need to run an instance of DVWA.

I’m quite lazy, so I’m going to opt for the TryHackMe machine as I already did in the tutorial about SQL injection.

Once everything is ready, Let’s start to exploit!

Table of Contents

Toggle
  • Step #1. Reflected XSS on DVWA with low security
  • Step #2. Reflected XSS on DVWA with medium security
  • Step #3. Reflected XSS on DVWA with high security
  • Conclusion

Step #1. Reflected XSS on DVWA with low security

Before starting I just want to remember you that the default credentials are:

  • Username: admin
  • Password: password
DVWA login page
DVWA login page

The security level is set by default as impossible, so change it to low from the settings on the left sidebar:

DVWA security

Now we are ready to hone our evil skills!
Click on XSS ( Reflected ) on the left side menu.

The goal of the exploit is to make the page execute arbitrary code, in this way the attacker would be able to steal cookies or maybe make malicious activities with browser exploitation tools like Beef.

In this tutorial, we are going just to see a proof of concept, but I will show soon, in my next articles, something cooler.

We can consider the level as passed if the website runs our code, in this case, a simple alert popup.
At this level, we can see an input text where we can insert a name.
What we can do in order to know if it’s a vulnerable field is to insert a custom HTML and see if the tags are filtered in some way.

Let’s try with this input:

<h1>StackZero</h1>

And the result is encouraging, there is no filter on the H1 tag:

H1 input result on Reflected XSS DVWA low security
H1 input result

For further confirmation by pressing CTRL+U, we can see the source code

<div class="vulnerable_code_area">
  <form name="XSS" action="#" method="GET">
    <p> What's your name? <input type="text" name="name">
      <input type="submit" value="Submit">
    </p>
  </form>
  <pre>Hello 
	<h1>StackZero</h1>
  </pre>
</div>

I just picked the code of interest and we can see that everything we wrote is reflected on the page without any elaborations.
It’s clearly a good candidate for our exploit!
This time we can try to submit this script

<script> alert("You have been hacked!"); </script>

And it worked! The browser executes our code!

Reflected XSS on DVWA low exploit result
Alert popup after submitting with low security

Take a quick look at the URL, you should see something like this:
http://10.10.151.212/vulnerabilities/xss_r/?name=%3Cscript%3E+alert%28%22You+have+been+hacked%22%29%3B+%3C%2Fscript%3E#
It’s URL encoded and contains the exploit in the query string.

So, just to be clear on how it can be used for an attack; an attacker can send this URL to his victim and make his/hers browser execute that malicious code.
The victim would be more confident because of a probably trusted domain.

Step #2. Reflected XSS on DVWA with medium security

Before proceeding with step two, go to the DVWA settings and set the security as medium

The way to solve the problem is by using input sanitization. However, sometimes, developers don’t do it as well as it has to ( maybe they write a quick custom function which doesn’t cover the more complex exploits).

In this step, we are going to see that the server just removes the tag <script> probably by using either a Regular Expression or a replace function.

Our first try can be just by inserting the same input as the previous step and seeing the result.

Test Reflected XSS DVWA medium security
Medium level first try

By looking at the HTML code with CTRL+U combination this is the section we are interested in:

<div class="vulnerable_code_area">
  <form name="XSS" action="#" method="GET">
    <p> What's your name? <input type="text" name="name">
      <input type="submit" value="Submit">
    </p>
  </form>
  <pre>Hello  alert("You have been hacked"); </script>
  </pre>
</div>

So the server removes the script open tag.
We know that the browser doesn’t care if a letter is uppercase or lowercase (Case-insensitive).
On the contrary, PHP functions are mostly case sensitive, so a nice turnaround can be to alternate randomly upper and lower case characters (hardly the developer would manage every possible combination with the str_replace function).

Let’s try with this input:

<sCRiPt> alert("You have been hacked!"); </script>

And our assumptions were correct!

Reflected XSS on DVWA medium exploit result
Alert popup after submitting with medium security

Step #3. Reflected XSS on DVWA with high security

In order to try our hand at the next step, we need to set the security level as high.

This level of DVWA provides for a slightly higher degree of security, so we need to bypass a bit more sophisticated filter.

Before writing our exploit, let’s try with the one in the previous level and look at the result.

High-level first try

This time, as we expected, it doesn’t work, but knowing the output can help us!
So let’s see the source code by pressing CTRL+U.

<div class="vulnerable_code_area">
  <form name="XSS" action="#" method="GET">
    <p> What's your name? <input type="text" name="name">
      <input type="submit" value="Submit">
    </p>
  </form>
  <pre>Hello ></pre>
</div>

It has removed the <script> tag, now we want to know if it does the same with another HTML tag, for example <h1> as we did in the first step!

DVWA high security test with H1 tag
Test H1 tag

It works! So probably the server just filters the input with a regex. What we can do to evade this filter is try to run javascript from another HTML tag like <img>.

For example, we can add an image from an inexistent URL and then launch our alert in an onerror event in this way!

<img src=X onerror="alert('you have been hacked!')">

After clicking the Submit button, the result proves we are right!

Reflected XSS on DVWA high exploit result
Alert popup after submitting with high security

Conclusion

As we have seen there are many turnarounds against XSS filters, so a filter implementation error can be very dangerous for a web application.

A more secure way to avoid the XSS threats is by using the function htmlspecialchars in PHP or the equivalent one in your favourite programming language.
In order to better understand the topic, I suggest you view the source code at every level (bottom-right button) and try different methods to exploit the vulnerability.

A good resource to have an idea of how to bypass XSS filters comes from OWASP and is here, you can take a cue from there before writing your exploits.

I hope it was useful for you, and if you liked this content follow my work to get more!

See you soon!

Tags: application securitycross site scriptingcybersecuritydvwareflected xssvulnerable applicationweb securityxss
Previous Post

Hack With SQL Injection Attacks! DVWA high security

 Next Post

How To Perform Command Injection Attacks (DVWA) For Aspiring Hackers!
Next Post
How To Perform Command Injection Attacks (DVWA) For Aspiring Hackers!

How To Perform Command Injection Attacks (DVWA) For Aspiring Hackers!

You might also like

Cryptographic functions

Cryptographic Hash Functions in Python: Secure Your Data Easily

November 3, 2024
Malware Obfuscation Techniques: All That You Need To Know

Malware Obfuscation Techniques: All That You Need To Know

March 25, 2024
How To Do Process Enumeration: An Alternative Way

How To Do Process Enumeration: An Alternative Way

March 4, 2024
How To Do DLL Injection: An In-Depth Cybersecurity Example

How To Do DLL Injection: An In-Depth Cybersecurity Example

February 8, 2024
Process Injection By Example: The Complete Guide

Process Injection By Example: The Complete Guide

January 24, 2024
How To Build Your Own: Python String Analysis for Malware Insights

How To Build Your Own: Python String Analysis for Malware Insights

November 10, 2023

StackZero

StackZero is a specialized technical blog dedicated to the realm of cybersecurity. It primarily provides insightful articles and comprehensive tutorials designed to educate readers on developing security tools. The blog encompasses a broad spectrum of subjects, starting from the foundational principles of cryptography and extending to more sophisticated areas such as exploitation and reverse engineering. This makes StackZero an invaluable resource for both beginners and professionals in the field of cybersecurity.
The blog covers a wide range of topics, from the basics of cryptography to the more advanced topics of exploitation and reverse engineering.

Tags

application security blind sqli blind sql injection bruteforce c cesar cipher command injection cryptography ctf cybersecurity debugging dom-based xss dvwa ethical-hacking ethical hacking exploitation file inclusion gdb hacking injection javascript malware malware analysis malware evasion network-security pentesting lab picoctf pico ctf python reflected xss reverse engineering sql sqli sql injection static analysis stored xss substitution substitution cipher vulnerable application web application security web exploitation web security windows windows api xss
  • About Me
  • Contacts
  • HomePage
  • Opt-out preferences
  • Privacy Policy
  • Terms and Conditions

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
View preferences
{title} {title} {title}
No Result
View All Result
  • Homepage
  • Cryptography and Privacy
  • Ethical Hacking
  • Reverse Engineering
  • Contacts
  • About Me