DVWA - XSS reflected

According to the OWASP Top 10, Cross-Site Scripting (XSS) takes 3rd place in the list of the most common and important web vulnerabilities. Its primary goal is usually to hijack another user's session by stealing their session cookie, typically that of a privileged user such as an admin. You can practice XSS in Damn Vulnerable Web Application (DVWA); here are some tests you can perform.


if( !array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '' ) {
  $isempty = true;
} else {
  $html .= '<pre>';
  $html .= 'Hello ' . $_GET['name'];   // user input echoed verbatim
  $html .= '</pre>';
}

This code outputs the name parameter without any filtering, so it is trivially vulnerable to XSS. If you provide a plain name it works as intended, but if you insert any HTML it will be interpreted by the browser:

[Screenshot: DVWA XSS reflected low]

That means you can also use JavaScript:

[Screenshot: DVWA XSS reflected low]


In the second level, the parameter is "sanitized" by removing the HTML tag <script>:

if(!array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == ''){
  $isempty = true;
} else {
  $html .= '<pre>';
  $html .= 'Hello ' . str_replace('<script>', '', $_GET['name']);   // case-sensitive, literal match only
  $html .= '</pre>';
}

Is that enough? Of course not, because the text you provide can take many different forms. The check is not even case-insensitive: str_replace() only removes the exact lowercase string <script>. So you can simply reuse the previous payload and change the case of a letter, or add a few otherwise meaningless characters such as white space inside the tag:

[Screenshot: DVWA XSS reflected medium]


The final level is a good example of how to protect your site. Before echoing the name, the script escapes it with htmlspecialchars(). According to the PHP documentation for htmlspecialchars(), this function converts all special characters to HTML entities: < is converted to &lt;, > to &gt;, and so on. The browser therefore renders the input as text, and any HTML or JavaScript it contains will not run.
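To see the three filters side by side, here is an added Python emulation (not DVWA's own PHP) of the low, medium and high handlers, together with a check that reports which start tags a browser's parser would see in the rendered output. The input strings are constructed for the example, and html.escape(quote=True) stands in for htmlspecialchars().

```python
from html import escape
from html.parser import HTMLParser

# Emulation of the three DVWA "XSS reflected" levels (constructed here;
# the PHP quoted in the post is the reference, this is not DVWA's code).

def render_low(name: str) -> str:
    # Low: the parameter is echoed without any filter.
    return "<pre>Hello " + name + "</pre>"

def render_medium(name: str) -> str:
    # Medium: case-sensitive removal of the literal string "<script>",
    # mirroring str_replace('<script>', '', $_GET['name']).
    return "<pre>Hello " + name.replace("<script>", "") + "</pre>"

def render_high(name: str) -> str:
    # High: output encoding. html.escape(quote=True) turns < > & " and '
    # into entities, like htmlspecialchars() with ENT_QUOTES.
    return "<pre>Hello " + escape(name, quote=True) + "</pre>"

class TagCollector(HTMLParser):
    """Records every start tag the HTML parser encounters."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)        # tag names arrive lowercased

def injected_tags(rendered: str) -> list[str]:
    # Any start tag other than the template's own <pre> came from user input.
    p = TagCollector()
    p.feed(rendered)
    p.close()
    return [t for t in p.tags if t != "pre"]

def evaluate(renderers: dict, inputs: list[str]) -> dict:
    # Regression matrix: for each level, which input introduces a tag.
    return {lvl: {i: injected_tags(r(i)) for i in inputs}
            for lvl, r in renderers.items()}

RENDERERS = {"low": render_low, "medium": render_medium, "high": render_high}
# Constructed inputs: a plain name, the lowercase payload, and the
# uppercase variant the post describes for bypassing the medium level.
INPUTS = ["Alice", "<script>alert(1)</script>", "<SCRIPT>alert(1)</SCRIPT>"]

if __name__ == "__main__":
    for lvl, row in evaluate(RENDERERS, INPUTS).items():
        for i, tags in row.items():
            print(f"{lvl:6} {i!r:30} -> {'injected: ' + ','.join(tags) if tags else 'no tag'}")
```

Only the high renderer yields "no tag" for every input; the medium renderer passes the lowercase payload but fails on the uppercase one, which is exactly the weakness of a literal str_replace().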

Once an XSS is found, whatever code you submit will be executed in the victim's browser. You can then perform a redirection:


Deface the site:

<script>document.write('H@ck3d by true l33t r0x0r')</script>

Or display cookies…

