Posted in Penetration Testing, web app testing

XSS (Reflected) DVWA Med/High

In the last post I ‘tried’ to give an overview of how I understood Cross Site Scripting (XSS). There is still a lot more to learn; however, with the help of Damn Vulnerable Web App (DVWA), and being able to review the server-side PHP source, you can take bigger steps towards understanding both how to launch an attack and how to protect against it.

So for this post I’m going to tackle both medium and high security settings.

DVWA Security: Medium

Figure 1 – Default operation of the Web app

It’s always a good idea to test the default state of any web application. The more you understand how something behaves, the more easily you can spot its weaknesses. Much like people. The more you get to know someone… you know the rest.

Anyway! In the medium setting the operation is still the same: you enter a name and it is reflected back to you. Only this time, when we try our previous malicious payload, the web application returns a different output.

Figure 2 – Web application strips out the script tags

On reviewing the PHP source it seems there is some sanitisation going on.

Figure 3 – PHP code removes script tags from submitted data

From the outset it looks like the developer has prepared for the next attack. Stripping out the script tag will prevent the site from executing the JavaScript if we reuse the previously successful malicious URL.

The funny thing about computers is that they do exactly what you tell them to do. The sanitisation looks for the script tag in lowercase letters only. Browsers treat HTML tag names case-insensitively, so we might get away with using uppercase?

Figure 4 – Use of uppercase letters for the script tags

On execution the alert box does indeed pop up, bypassing the ‘strict’ sanitisation that was implemented.

Figure 5 – Successful execution of XSS on Medium security

In the real world it’s unlikely you’ll get to review the server-side source code of a web application, but it’s worth trying this simple change if your initial attempt is unsuccessful. A filter that matches one fixed, case-sensitive string is only ever as good as that exact string, and the browser is far more forgiving than the filter.

DVWA Security: High

The PHP source suggests the developer has taken extra measures to stop us running any JavaScript inside a script tag.

Figure 1 – Further sanitisation of submitted inputs in the PHP code

*Spent some time looking up regular expressions.

And we’re back…

From the code, and from testing it out first (remember: testing!), any time we enter the full word ‘script’ surrounded by <> it gets replaced with just ‘>’. If we put spaces between the letters, ‘s c r i p t’, it is also replaced by ‘>’. No matter what we try, it always gets sanitised (even in uppercase). The regex is clearly matching the letters s, c, r, i, p and t in order, regardless of case and regardless of what sits between them, so case tricks and padding are no help here.

After playing around with a few things I landed on a method that doesn’t use the script tag at all: an image tag carrying an event-handler attribute.

<IMG SRC='#' onmouseover="alert('xxs')">

Figure 2 – Our broken IMG tag, which a user is likely to hover over or try to click on

This creates an img element whose src doesn’t resolve, so the browser renders a broken-image placeholder; whenever the mouse is hovered over it, the onmouseover handler fires and pops the alert box. A successful execution of reflected XSS on the High security setting, despite the strict sanitisation of submitted inputs. The filter only ever looked for a script tag; it never considered that any HTML element can carry an event-handler attribute, and that is the underlying weakness of blacklisting tags rather than encoding output. (With a src that fails to load, an onerror handler on the same element would fire without the user having to do anything at all.)

Personally I love the ‘onmouseover’ handler, and use it where needed.

Figure 3 – Successful XSS execution using ‘onmouseover’ 
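To make the Medium and High behaviour above concrete, here is an added example (not code from the post or from DVWA itself) that models the two filters in Python and runs the post’s payloads through them, alongside the fix a developer should have used: encoding the output for its HTML context. The medium_filter and high_filter functions are my assumed models of what the PHP source does, based on the behaviour described in this post (a single case-sensitive replacement of the lowercase tag, and a case-insensitive regex matching the letters s, c, r, i, p, t in order); check them against the source shown in the figures. The payload list is constructed for the demonstration, and still_contains_tag is a simple heuristic, not an HTML parser.

```python
import html
import re

# Constructed payloads: the lowercase original from the previous post, the
# uppercase variant that beat Medium, and the img/onmouseover one that beat High.
PAYLOADS = {
    "lowercase script": "<script>alert('xss')</script>",
    "uppercase script": "<SCRIPT>alert('xss')</SCRIPT>",
    "img onmouseover": "<IMG SRC='#' onmouseover=\"alert('xxs')\">",
}


def medium_filter(name: str) -> str:
    """Assumed model of the Medium level: one case-sensitive, literal
    replacement of the lowercase opening tag. Nothing else is touched."""
    return name.replace("<script>", "")


def high_filter(name: str) -> str:
    """Assumed model of the High level: a case-insensitive regex that removes
    '<' followed by s, c, r, i, p, t in that order with anything in between.
    This is why '<script>', '<SCRIPT>' and '<s c r i p t>' all collapse to '>'."""
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", name, flags=re.IGNORECASE)


def escape_output(name: str) -> str:
    """Hardened form: encode for the HTML body/attribute context instead of
    blacklisting tag names (the same idea as PHP's htmlspecialchars with
    ENT_QUOTES). '<', '>', '"', "'" and '&' can no longer open markup."""
    return html.escape(name, quote=True)


TAG_START = re.compile(r"<[A-Za-z]")


def still_contains_tag(output: str) -> bool:
    """Heuristic, not an HTML parser: does a tag opener survive the filter?"""
    return TAG_START.search(output) is not None


def high_normalisation():
    """Reproduces the post's observation: case and spacing make no difference,
    every variant of the script tag is reduced to '>' by the High filter."""
    return [high_filter(p) for p in ("<script>", "<SCRIPT>", "<s c r i p t>")]


def run_matrix():
    """For each payload, True means a tag opener survived that defence."""
    results = {}
    for label, payload in PAYLOADS.items():
        results[label] = {
            "medium": still_contains_tag(medium_filter(payload)),
            "high": still_contains_tag(high_filter(payload)),
            "escaped": still_contains_tag(escape_output(payload)),
        }
    return results


if __name__ == "__main__":
    print("High filter on script-tag variants:", high_normalisation())
    for label, row in run_matrix().items():
        cells = "  ".join(f"{k}={'BYPASS' if v else 'blocked'}" for k, v in row.items())
        print(f"{label:18} {cells}")
```

Running it shows the progression the post walks through: the lowercase tag is stopped at Medium, the uppercase tag walks past Medium but not High, the img/onmouseover payload walks past both, and none of them survive output encoding, because encoding removes the ability to open markup at all rather than guessing which tag names an attacker will use.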

Completing the low, medium and high security settings on DVWA does teach you a lot. You need to step beyond just googling “XSS quick wins” and firing them against a given security level or sanitisation routine (if you even get that far). When your payload is being sanitised, check what is actually happening to it: how can you change it and still execute the code?

Also, what works for one web application might not work everywhere.
