Tuesday, 7 February 2017

Cross Site Scripting (XSS)-5 (medium secured DVWA)

Steps and Instructions -

Welcome guys to another tutorial on XSS (Cross Site Scripting)

In this tutorial we will learn how to hack a medium-secured website and bypass some of its filters.

Requirements -

* Kali Linux or any browser that can run the XSS payloads.

* DVWA or any medium-secured target website.

Some definitions -

XSS - Injecting malicious script into a website, here in order to test its security.

DVWA - A deliberately vulnerable website for practising security testing. It stands in for a target website.

In previous tutorials we did XSS on low-security DVWA. This time we will go for the medium level.

If you have missed my previous XSS tutorials, check them out here -

Steps -

When we were at the low security level of DVWA, the source code of reflected XSS looked something like this -

(you can view the source code by clicking on the "View Source" button at the bottom right of the DVWA "XSS reflected" tab)

Looking at the source code, we don't see any type of security check or filter in it. That is what makes it so vulnerable to XSS.

Even for stored XSS the code looks the same -

(Go to the stored XSS tab and view the source)

When I set the security to medium, things changed.

(To set the security to medium, go to the DVWA Security setting in the menu)

The medium level reflected XSS code looks like this -

Here it says that it replaces any occurrence of the string "<script>".

In previous tutorials we used a malicious JavaScript payload, which was -


But now we can't use this script on DVWA medium security, because the filter will strip the <script> tag, and our XSS won't work.

By the way, these scripts are also called payloads.

In order to bypass this type of filter, we will use another payload.

We can put JavaScript inside another tag besides the <script> tag.

We will use IMAGE tag. An image tag is also called SVG.

An image tag payload looks like this -

<svg onload="alert()">

So we can use this payload to get reflected XSS on DVWA medium. Let's do it.

I will use a payload that shows the cookie -

<svg onload = "alert(document.cookie)">

We got the XSS.

Now we will move to stored XSS and try XSS on the guestbook sign-in page.

First we view the source code.

As we can see, the comment box has a filter called "htmlspecialchars".

What this filter does is replace every special character such as < or > with its HTML-encoded equivalent before the input is sent to the database.

So now even our new payload won't work, because it contains several of these characters.

<svg onload = "alert (document.cookie)">

There is a bypass for this filter, but we will cover that in the next, high-level DVWA tutorial.

For now we can concentrate on the name field.

If the comment field is protected, why not go for the name field?

In the above image it says that the only filter on the name field is: do not allow strings containing <script>.

So we can use our image payload for XSS. We will insert our code inside the name field.

But wait. When we enter our payload, the name field only takes 10 characters, not more than 10.

If you have watched my previous tutorials on XSS, you will know what to do.

Just right-click on the name field and choose Inspect Element.

You will then see some code.

Focus on the part where it says "maxlength=10".

Just change the length to 100.

Now you will be able to input 100 characters in the name field.

Let's do an XSS now on the name field.

This time we will use another payload for stored XSS.

No special reason. It is just another payload with an IMAGE tag.

<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

Enter it.

You can enter any comment and then hit Sign Guestbook.

You get XSS.
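To show why the medium-level "<script>" check fails where htmlspecialchars holds, here is an added Python example (not part of the original tutorial or of DVWA) that models both filters as described above and runs the payloads quoted on this page through each. The plain <script> payload is a constructed stand-in for the low-level one, whose image is not shown.

```python
import html
import re

# Inputs: the payloads quoted in this tutorial, plus one constructed plain
# <script> payload standing in for the low-level one (its image is not shown).
PAYLOADS = {
    "plain script (constructed)": '<script>alert(1)</script>',
    "svg onload (reflected, medium)": '<svg onload="alert(document.cookie)">',
    "img/script (stored, name field)": '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
}


def medium_filter(value: str) -> str:
    """Model of the medium-level check shown above: drop the literal string
    '<script>'. Everything else passes through untouched."""
    return value.replace("<script>", "")


def encode_output(value: str) -> str:
    """htmlspecialchars-style encoding: <, >, &, and quotes become entities."""
    return html.escape(value, quote=True)


# A '<' directly followed by a letter is what a browser parses as a tag start.
TAG_START = re.compile(r"<[A-Za-z]")


def markup_survives(value: str) -> bool:
    """True if the stored or reflected value can still open an HTML tag."""
    return TAG_START.search(value) is not None


def evaluate(payloads=PAYLOADS):
    """Per payload, report whether markup survives the blocklist and the encoder."""
    return {
        name: {
            "blocklist": markup_survives(medium_filter(p)),
            "encoded": markup_survives(encode_output(p)),
        }
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:32} blocklist survives={result['blocklist']!s:5} "
              f"encoded survives={result['encoded']}")
```

Only the server-side check counts: the maxlength attribute edited earlier is enforced by the browser alone, so the name field needs the same output encoding as the comment field.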
