XSS Exploitation in DVWA (Bypass All Security)

In the previous tutorial I discussed the cross-site scripting attack, the damage it can cause and the types of XSS vulnerability. In this tutorial you will learn how to bypass both types of XSS vulnerability (stored and reflected) at all three security levels of DVWA, if the web application is vulnerable to it.

Reflected Cross-Site Scripting

Set security low

Open the DVWA URL (localhost) in the browser, log in with admin:password and select the reflected cross-site scripting vulnerability from the given list of vulnerabilities.

Now have a look at a small script that generates an alert window. I will inject this script into the text field given for "name", which the server reflects back to the browser.

<script>alert("helllooo")</script>

The browser executes our script, which generates an alert prompt as shown in the following screenshot.

At low security there is no filtering at all: the script injected into the "name" field (which the developer only requires not to be left empty) is reflected back unchanged and executes.

Set Security Medium

At medium security, if you view the source of the page you will find that the highlighted code adds an extra layer of security to the input submitted in the "name" text field: it checks for a script tag in order to disable JavaScript.

str_replace: replaces all occurrences of the search string with the replacement string. So if an attacker tries to inject a script using the script tag, the <script> string inside the input is replaced with a blank.

This check is case-sensitive: the PHP script only looks for a lowercase <script>, so it can be bypassed with <SCRIPT>, or with another HTML element that does not use a script tag at all.

There are two ways: use the <SCRIPT> tag, or any other HTML element. Here I have used the body tag to inject the string.

<body onload=alert("XSS")>

The script above is injected successfully and we have bypassed medium security. You can see in the given screenshot that the XSS prompt opens using the body tag.

Set Security High

At high security the protection is stronger: you can easily find that the preg_replace PHP function is used to apply a regular expression to disable JavaScript.

preg_replace: searches a string for matches to a pattern and replaces them with the replacement.

Now the technique above fails: as you can see, the regular expression inspects every character of the input to the text field and replaces the invalid ones with a blank.

To bypass the high security level, use a different HTML element. As you can see, I have used the image tag with an onError event handler to get the string executed from the web server.

<img src=x onError=alert('XSS')>

In the screenshot below you can see the XSS alert prompt.

CONGRATS!!! We have successfully bypassed all three levels of security.
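The three reflected levels differ only in how much of a blocklist is applied to the "name" parameter before it is echoed into the page, and the same filters sit in front of the stored "name" field below. The following Python program is an added example, not DVWA's code or the author's: it models the medium-level str_replace filter and an assumed regex blocklist written in the style of the high level (the exact pattern is an assumption of this example), feeds both the payloads from this page, and contrasts them with contextual output encoding (html.escape, Python's equivalent of PHP's htmlspecialchars), which neutralises every payload because no raw < reaches the browser. The still_executable heuristic is also this example's own, used only to judge the filtered output.

```python
import html
import re

# Constructed sample inputs: the payloads used in this walkthrough.
PAYLOADS = {
    "script": '<script>alert("helllooo")</script>',
    "upper_script": '<SCRIPT>alert("helllooo")</SCRIPT>',
    "body_onload": '<body onload=alert("XSS")>',
    "img_onerror": "<img src=x onError=alert('XSS')>",
}


def medium_filter(name):
    """Model of the medium level: str_replace('<script>', '', $name).
    Single pass and case-sensitive, so only a lowercase <script> is removed."""
    return name.replace("<script>", "")


def high_filter(name):
    """Assumed model of a preg_replace blocklist in the style of the high level:
    strips anything that spells s..c..r..i..p..t after a '<', in any case.
    It is still a blocklist, so elements with event handlers pass through."""
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", name, flags=re.IGNORECASE)


def encode_for_html_body(name):
    """The fix: contextual output encoding. Every character with meaning in
    HTML becomes an entity, so the browser renders the input as plain text."""
    return html.escape(name, quote=True)


def still_executable(rendered):
    """Demo-only heuristic: does the output still open an HTML tag ('<' followed
    by a letter)? Encoded output never does, because '<' became '&lt;'."""
    return re.search(r"<\s*[a-z]", rendered, flags=re.IGNORECASE) is not None


def evaluate(defence):
    """Map each payload name to True if it survives the defence as live markup."""
    return {name: still_executable(defence(payload)) for name, payload in PAYLOADS.items()}


if __name__ == "__main__":
    for label, defence in (("medium", medium_filter),
                           ("high", high_filter),
                           ("encoded", encode_for_html_body)):
        print(label, evaluate(defence))
```

Running it shows the pattern the walkthrough demonstrates by hand: the medium filter stops only the lowercase script payload, the regex stops both script spellings but not the body or img payloads, and output encoding stops all four. Blocklists enumerate what the defender has thought of; encoding the output for the HTML context removes the whole class of problem.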

 Stored Cross-Site Scripting

 Set security low

Now have a look at a small script that generates an alert window. I will inject this script into the text area given for "message", where it gets stored on the server.

<script>alert("helllooo")</script>

Now when a user visits this page to read our message, their browser executes our script, which generates an alert prompt as shown in the following screenshot.

Since the message is stored permanently in the web application's database, you need to reset the database before switching to the other two security levels.

Set Security Medium

If you remember, in the previous article we used Inspect Element to change the maximum length of the text area given for "message" so that we could inject our script into it. Repeat the same process to change the maximum length of the text field given for "name".

Change maxlength=10 to maxlength=100, which gives enough room for injecting the content of the script.

Now type the following content inside the text field given for "name".

<body onload=alert("XSS")>

Remember not to leave the message box empty.

Now when a user visits this page to read our message, their browser executes our script, which generates an alert prompt as shown in the following screenshot.

Again you need to reset the database.

Set security High

Repeat the same process to change the maximum length of the text field given for "name".

Change maxlength=10 to maxlength=100.

Now type the following content inside the text field given for "name".

<img src=x onError=alert('xss')>

Remember not to leave the message box empty.

CONGRATS!!! We have successfully bypassed all three levels of security.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, a social media lover and a gadgets enthusiast.

Comments

  1. Dhruv

    In the new DVWA application they are using htmlspecialchars() in high security, unable to bypass that method… hope you can help me out with this.
