In the last post I ‘tried’ to give an overview of how I understood Cross Site Scripting (XSS). There is still a lot more to learn; however, with the help of Damn Vulnerable Web App (DVWA) and being able to review the PHP source code, you can take bigger steps towards understanding how an attack is launched and how to protect against it.
So for this post I’m going to tackle both medium and high security settings.
DVWA Security: Medium
It’s always a good idea to test the default state of any web application. The more you understand how something behaves, the more you can spot its weaknesses. Much like people. The more you get to know someone… you know the rest.
Anyway! In the medium setting the operation is still the same. You enter a name and it returns it. Only this time when we try our previous malicious payload the web application returns a different output.
On review of the PHP source code it seems there is some sanitisation going on.
The funny thing about computers is that they will do exactly what you tell them to do. The sanitisation is looking for the script tags in lowercase letters only. Browsers aren’t too fussed about upper and lower case in tag names, so we might get away with using uppercase?
On execution the alert box does indeed pop up, bypassing the sanitisation that was implemented.
In the real world it’s unlikely you’ll get to review the server side source code of a web application, however it’s worth trying this simple change out if your initial attempt is unsuccessful.
DVWA Security: High
*Spent some time looking up regular expressions
And we’re back…
From the code, and from testing this out first (remember testing!), any time we enter the full word ‘script’ surrounded by <> it gets replaced with just ‘>’. If we put spaces in between the letters, like ‘s c r i p t’, it is also replaced by ‘>’. No matter what we try, it always gets sanitised (even uppercase).
After playing around with a few things I landed on a method that doesn’t use the ‘script’ tags.
IMG SRC='#' onmouseover="alert('xss')" (removing the <> so WordPress doesn’t sanitise my inputs)
This creates an HTML image element with an onmouseover event handler; whenever the mouse hovers over it, the handler pops the alert box with the word ‘xss’ in it. A successful execution of reflected XSS on the High security setting, despite the strict sanitisation of submitted inputs.
Personally I love the ‘onmouseover’ event handler attribute, and try to use it where needed.
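To make the point of both the Medium and High sections concrete, here is an added example (my own code, not DVWA’s) that reconstructs the two blacklist filters from the behaviour described above and puts them next to the fix that does not rely on guessing the input: encoding the value before it is reflected. The two filter functions are assumptions based on the observed behaviour, not copied from the DVWA source.

```python
import html
import re

# Assumed reconstruction of the Medium filter: a literal, case-sensitive
# removal of the lowercase "<script>" tag, which is why "<SCRIPT>" slips past.
def medium_filter(name: str) -> str:
    return name.replace("<script>", "")

# Assumed reconstruction of the High filter: case-insensitively strip "<"
# followed by the letters s, c, r, i, p, t in order with anything in between.
# This matches what the post observes: "<script>", "<s c r i p t>" and
# "<SCRIPT>...</SCRIPT>" all collapse to ">", but a tag with no "script"
# in it (an img with an event handler) is left untouched.
HIGH_PATTERN = re.compile(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", re.IGNORECASE)

def high_filter(name: str) -> str:
    return HIGH_PATTERN.sub("", name)

# The defence that does not care what the attacker typed: encode every
# character that means something to the HTML parser (<, >, &, ", ').
def encode_for_html(name: str) -> str:
    return html.escape(name, quote=True)

def render_greeting(name: str) -> str:
    return "<pre>Hello " + encode_for_html(name) + "</pre>"

# Crude check used by the demo: could the browser still see a tag or an
# attribute boundary in this string?
def looks_like_markup(s: str) -> bool:
    return "<" in s or '"' in s or "'" in s

# Constructed inputs, the same shapes the post walks through.
PAYLOADS = {
    "lowercase script": "<script>alert('xss')</script>",
    "uppercase script": "<SCRIPT>alert('xss')</SCRIPT>",
    "spaced script":    "<s c r i p t>alert('xss')</script>",
    "img onmouseover":  "<IMG SRC='#' onmouseover=\"alert('xss')\">",
}

def compare_defences() -> dict:
    """Per payload: what each defence leaves for the browser to parse."""
    return {
        label: {"medium": medium_filter(p), "high": high_filter(p),
                "encoded": encode_for_html(p)}
        for label, p in PAYLOADS.items()
    }

if __name__ == "__main__":
    for label, r in compare_defences().items():
        print(f"{label:17} medium  -> {r['medium']!r}")
        print(f"{'':17} high    -> {r['high']!r}")
        print(f"{'':17} encoded -> {r['encoded']!r}")
```

Run it and you can see each blacklist letting one of the four inputs through while the encoded version never contains a raw angle bracket or quote, whatever the input looks like.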
Completing the low, medium and high security settings on DVWA does teach you a lot. You need to step beyond just googling “XSS quick wins” and running them against a given security level or sanitisation (if you even get to that part). You really should check what is happening if your script is being sanitised. How can you change it and still execute the code?
Also, what works for one web application might not work everywhere.