DVWA: Damn Vulnerable Web Application Cross Site Scripting (XSS Reflected) (Low, Medium, High)

"Disclaimer: The information provided in this article is intended for educational and research purposes only. It is not intended to promote or encourage any illegal or unethical activities. Always act responsibly and obtain proper consent before using any tools or techniques described in this article." 


Cross-site scripting (XSS) is a technique in which an attacker injects malicious script into a target website, which in some cases lets the attacker gain control over the site or its users' sessions. If a website accepts user input (comments, a username field, an email address field) without any controls, an attacker can submit script code through those same fields.

Types of XSS:

  1. Reflected XSS
  2. Stored XSS
  3. DOM-based XSS


In this tutorial, we will cover Reflected XSS (cross-site scripting), also abbreviated RXSS.

In reflected XSS, the attacker's data is not stored on the website; the payload executes only on the victim's side, in the victim's browser.

Reflected XSS occurs when input supplied by the user is reflected back in the browser window or in the page source of the web page.

What does it mean? 

Let us understand it with an example. Suppose I enter some value, say checkreflecting, in an input field of the website. Now open the source of the page by pressing CTRL+U and search for the string checkreflecting. If this word (checkreflecting) is present in the page source, then the parameter that accepted the input may be vulnerable to reflected XSS. Next, try the JavaScript payload <script> alert() </script> in place of checkreflecting in the same input field. If the parameter is vulnerable, the browser will show a popup.


Let's Start Our Tutorial Now

This tutorial demonstrates how you can carry out an XSS attack on DVWA (Damn Vulnerable Web Application).

Lab requirements

  • Kali Linux
  • DVWA

This tutorial assumes you have already set up the lab environment required to run the penetration test. If you need help setting up DVWA, please leave a comment and I will post an article about it soon.

Navigate to the DVWA web page, log in, set the security level to 'low', and go to XSS (Reflected).


Now input,

<h1>Oyee Coder</h1>

in the input section and submit it as shown below.

And the result is encouraging: there is no filter on the H1 tag, and the text is rendered as a heading:



Now press CTRL+U to view the page source and find the input we entered. Our input is present in the page source unchanged, as shown below, which indicates that the parameter may be vulnerable to an XSS attack.



This time we will enter the payload,

<script> alert("Hacked By Oyee Coder") </script>

in the same field and submit the request.

And it worked: a popup box appears on the page, which confirms that the parameter is vulnerable to reflected XSS. The browser executed our code, and we successfully exploited it at the low security level.

Take a quick look at the URL, you should see something like this:

http://10.0.2.6/dvwa/vulnerabilities/xss_r/?name=%3Cscript%3E+alert%28%22Hacked+By+Oyee+Coder%22%29+%3C%2Fscript%3E#

It is URL-encoded and contains the payload in the query string (the name parameter).
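To make the reflection test from above repeatable, here is an added example (not code from the tutorial or from DVWA itself) that models the DVWA 'Low' handler in Python, which echoes the name parameter back unchanged, next to a hardened version that HTML-encodes it, and automates the CTRL+U check with the harmless checkreflecting marker. The render functions, the probe string and the helper names are assumptions made for this example; the URL is the one shown in the post.

```python
"""Reflection check and fix for the DVWA-style reflected XSS shown above.
Added example: the render functions imitate DVWA's Low page, they are not
DVWA's own PHP code."""
import html
from urllib.parse import parse_qs, urlsplit

# URL copied from the post; the query string carries the URL-encoded payload.
DEMO_URL = ("http://10.0.2.6/dvwa/vulnerabilities/xss_r/"
            "?name=%3Cscript%3E+alert%28%22Hacked+By+Oyee+Coder%22%29+%3C%2Fscript%3E#")

CANARY = "checkreflecting"  # the marker string used in the manual test above


def render_low(name: str) -> str:
    """Imitates DVWA 'Low': the ?name= value is placed into the page verbatim,
    so any HTML or <script> in it becomes part of the document."""
    return f"<pre>Hello {name}</pre>"


def render_hardened(name: str) -> str:
    """Same page, but the value is HTML-encoded before output. <, >, & and
    quotes become entities, so the browser shows them as text and never
    treats them as markup."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


def name_from_url(url: str) -> str:
    """Decodes the name parameter the way the browser/server would
    (percent-decoding and '+' to space), to see what is actually reflected."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def reflects_unencoded(render, marker: str = CANARY) -> bool:
    """The CTRL+U test, automated: submit the marker wrapped in angle brackets
    and look for it in the response source. If the brackets survive
    unencoded, the parameter is a reflected-XSS candidate."""
    probe = f"<{marker}>"
    return probe in render(probe)


if __name__ == "__main__":
    print("decoded name parameter:", name_from_url(DEMO_URL))
    for label, fn in (("low", render_low), ("hardened", render_hardened)):
        verdict = "REFLECTS UNENCODED" if reflects_unencoded(fn) else "encoded"
        print(f"{label:9s} {verdict}: {fn('<' + CANARY + '>')}")
```

Run against a real page, the same check means fetching the response for the probe and searching its body; the verdict is only a candidate flag, and the hardened rendering is the fix DVWA's higher levels move toward.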


So, to be clear on how this can be used in an attack: an attacker can send this URL to a victim, and the victim's browser will execute the malicious code when the link is opened.

Let's replace

alert("Hacked By Oyee Coder")

with

alert(document.cookie)

in the above payload. This displays the cookie of the logged-in user in the victim's browser, as shown below.


Moreover, this cookie can be used to log in to the same web app from another web browser, which is called a session hijacking attack.

The tutorial for XSS (Reflected) at the medium and high security levels will follow soon.

If you got stuck or have any questions, leave a comment, and I’ll do my best to get back to you.
