
Assignment No: 4: Stored XSS Attack

The document describes performing a stored cross-site scripting (XSS) attack on a vulnerable web application called DVWA. The attacker is able to successfully inject JavaScript code by including it in the "Name" and "Message" fields. This code then gets displayed on the page, allowing the attacker to display alerts or iframes. When the security is increased to "Medium", the attacks no longer work. Examining the code, the high security setting sanitizes user input to remove script tags, preventing the attack.

Uploaded by

AKSHAY BHOPE

Assignment No : 4

Stored XSS Attack


Configuration :
• Kali Linux from https://www.osboxes.org/kali-linux/#kali-linux-2017-03-vmware installed on VirtualBox
• Followed https://www.YouTube.com/watch?v=SpCdF1n48sk to install and configure DVWA

Surbhi Vasudeva
Akshay Bhope
Set DVWA’s script security to “Low” and perform the following exploits:

• Describe the attack you used. How did it work?


Stored XSS arises when an application receives data from an untrusted source and includes
that data in its later HTTP responses in an unsafe way. In this attack, we launched the
Stored XSS vulnerability webpage from the tabs. On adding the Name and Message, we were
able to store as well as display the name and message.
Attack : To alert a message
Payload : <script>alert("This is a stored XSS Attack")</script>
Result : We were able to see the alert and not the message on the webpage.
Attack : To display an iframe
Payload : <iframe src="http://www.cnn.com"></iframe>
Result : We were able to see the iframe but not the message on the webpage. However, the
contents were blocked due to Firefox's security policy.
Attack : To display the cookie
Payload : <script>alert(document.cookie)</script>
Result : We were able to see the alert with the session cookie instead of the message.
Reference : https://computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson9/index.html

• Does your attack work in “Medium” security level?


On increasing the security to medium, we tried the attack and found that the attacks were not
successful.
• Set the security mode to “Low” and examine the code that is
vulnerable, and then set the security mode to “High” and reexamine the
same code. What changed? How do the changes prevent the attack from
succeeding?
XSS code with low security :
Available at https://github.com/digininja/DVWA/blob/master/vulnerabilities/xss_s/source/low.php

XSS code with high security :
Available at https://github.com/digininja/DVWA/blob/master/vulnerabilities/xss_s/source/high.php

On comparing the two versions of the code, we found that with high security it sanitizes the
input to remove the "script" pattern, thus making the attack unsuccessful.

Reference : http://2001594623noviani.blog.binusian.org/2018/05/27/cross-site-scripting-xss-on-dvwa/
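
The comparison above attributes the fix to removing the "script" pattern. As an added example (not DVWA's source and not part of the original assignment), the PHP below runs the three payloads from this write-up through unfiltered output, a script-tag removal filter, and output encoding with htmlspecialchars, and reports whether HTML markup survives each one. The function names and the removal regex are assumptions made for illustration.

```php
<?php
// Added example: not DVWA's source code. Function names are hypothetical.

// "Low"-style handling: the stored value is written into the page unchanged.
function render_unfiltered(string $input): string
{
    return $input;
}

// Pattern removal: delete opening and closing <script> tags. This is an
// assumed filter standing in for "remove the script pattern" sanitisation.
function strip_script_pattern(string $input): string
{
    return preg_replace('/<\/?\s*script[^>]*>/i', '', $input);
}

// Output encoding: convert HTML metacharacters to entities at render time.
function encode_for_html(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True when the rendered string still holds something a browser parses as a tag.
function contains_markup(string $rendered): bool
{
    return preg_match('/<[a-z\/!]/i', $rendered) === 1;
}

// The three payloads used in the write-up above.
$payloads = [
    'alert'  => '<script>alert("This is a stored XSS Attack")</script>',
    'iframe' => '<iframe src="http://www.cnn.com"></iframe>',
    'cookie' => '<script>alert(document.cookie)</script>',
];

$handlers = ['render_unfiltered', 'strip_script_pattern', 'encode_for_html'];

foreach ($payloads as $label => $payload) {
    foreach ($handlers as $handler) {
        $out = $handler($payload);
        printf("%-7s %-21s markup survives: %s\n", $label, $handler,
            contains_markup($out) ? 'yes' : 'no');
    }
}
```

The script-tag filter neutralises the two alert payloads but passes the iframe payload through unchanged, while output encoding leaves no markup in any of the three because it does not depend on recognising a particular tag.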

*****************
