DVWA - XSS reflected

According to OWASP Top 10, Cross-Site Scripting aka XSS takes the 3rd place in the more common and important web vulnerabilities list. Her primary goal is to spoof the session of another user by stealing his cookie id, usually a privileged user like an admin.  You can train XSS in Damn Vulnerable Web Application, here are some tests you can perform.

Low

<?php
if( !array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '' ) {  
  $isempty = true;  
} else {  
  $html .= '<pre>';  
  $html .= 'Hello ' . $_GET['name'];  
  $html .= '</pre>';  
}
?>

This code output the name parameter without any filter so it’s very vulnerable to XSS! If you provide a single name it works perfectly but if you insert any HTML code it will be interpreted:

DVWA XSS reflected low

That means you can also use JavaScript:

DVWA XSS reflected low

Medium

In the second level, the parameter is sanitized by removing the HTML tag <script> :

<?php
if(!array_key_exists ("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == ''){
  $isempty = true;
} else {
  $html .= ' <pre>';
  $html .= 'Hello ' . str_replace('<script>', '', $_GET['name']);
  $html .= '</pre>';
}

Is that enough? Of course not because the text you provide can have many different forms. The test is not even case insensitive. So you can simply use the same payload as previously and just add an uppercase letter or some few useless characters like white spaces:

DVWA XSS reflected medium

High

The final level is a good example of how to protect your site. Before echoing the name the script escapes it with htmlspecialchars(). According to PHP htmlspecialchars, this function converts all special characters to HTML entities. < will be converted to &lt;, > to &gt; and so on… So the HTML or JavaScript code won’t run.

When a XSS is found, no matter the code you submit, it will be evaluated. You can then perform a redirection:

<script>document.location='http://10degres.net'</script>

Deface the site:

<script>document.write('H@ck3d by true l33t r0x0r')</script>

Or display cookies…

<script>alert(document.cookie)</script>

Kick the bucket

I already wrote [a post about Amazon S3 buckets](/playing-with-s3-buckets/) but they became so popular these last weeks that many people...… Continue reading

« Exploit Exercices, Nebula – level03

Published on January 22, 2015

Browser extensions »

Published on January 14, 2015