Understanding DOM Based XSS in DVWA (Bypass All Security)

This article is written to bring awareness among all security researchers and developers so that they may be able to learn the level of damage caused by XSS attack if the web server is suffering from cross-site scripting vulnerability.

DOM Based XSS (TYPE 0)

The DOM-Based Cross-Site Scripting is vulnerability which appears in a document object model instead of the html page. An attacker is not allowed to execute malicious script on the user’s website although on his local machine in URL, it is quite different from reflected and XSS because in this attack developer cannot able to find malicious script in HTML source code as well as in HTML response, it can be observed at execution time.

This can make it stealthier than other attacks and WAFs or other protections which are reading the page body does not see any malicious content.

 Let’s start!!!

Target: DVWA

Low security

For this tutorial I had targeted DVWA and explore localhost IP in the browser; now login with admin: password into a web application and Set security level low.

Select the DOM cross-site scripting vulnerability from a given list of vulnerability. The web application allows the user to select any language from drop-down list.

Now let’s understand the current scenario when security is low; in this part, the developer has not added any filter while framing the code for a web site that could check for any malicious activity. Hence if an attacker opens the website in low security and tries for XSS attack possible he gets successful in his deed.  

 The JavaScript code obtains value from the URL parameter “default” and writes the value in the webpage and as the result, the web page shows English as output. Now attacker will inject following code into URL <script>alert(“hack”);</script> and send this link to the client through social engineering.

 Great!! Now you can check the output in the given screenshot.

Medium Security

Let change the security level from low to medium level

In medium security, the developer has tried to add a simple pattern matching to remove any references to “<script” to disable any JavaScript for location default =English, hence above JavaScript code will not run to execute malicious script in medium security level. Find a way to run JavaScript without using the script tags

Similarly, this time attacker will try a different technique to exploit the vulnerability, he can insert malicious script using JavaScript onload function >onload=alert(“XSS”)> and send the link to victim. In this level attacker first, need to break out the select block to inject body onload or image tag.

High Security

Now increase the security level from medium to high.

In high security, the developer is now whitelisting only the allowed languages, you must find a way to run your code without it going to the server.

The fragment section of a URL anything after the # (hash) symbol does not get sent to the server and so cannot be blocked. The bad JavaScript being used to make the page reads the content from it when creating the page.

Awesome!!! We have successfully bypassed all three security level of DVWA

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *