Reflected XSS
In this guide we will focus on reflected XSS.
You are going to use the following machines:
Kali
Metasploitable
The Metasploitable VM, the vulnerable Linux machine, hosts a web server running DVWA (Damn Vulnerable Web App), a PHP/MySQL web application.
To discover a reflected XSS flaw, you try to inject some JavaScript into the input fields on the website and check whether it is reflected back unencoded.
In a reflected XSS attack, the crafted URL has to be delivered to the target:
Open the browser in your Kali machine, navigate to the Metasploitable IP address and click on DVWA.
Log in:
Username: admin
Password: password
DVWA >> DVWA Security >> set the security level to low
XSS reflected >> type your name (or anything else you like) and click "Submit"
You can see that the website replies with "Hello Name", your input reflected back into the page.
Now, let's try to inject some script in there:
<script>alert("XSS")</script>
For more payloads, check out this cheat sheet.
If you look at the URL, you will see:
10.0.2.6/dvwa/vulnerabilities/xss_r/?name=<script>alert("XSS")</script>#
If you send this URL to anyone, the script runs in their browser and they get your XSS alert.
In other cases, the injected code can do more than show a popup window.
Now, if you change the security level to medium and try the same payload, you will see that it does not work.
If you look at the page source, you will see that the "<script>" word has been replaced with "<pre>".
That tells you that some kind of filter is active, so you can use the OWASP XSS cheat sheet to look for a way past it.
To get past the filter, I'm going to tweak the script a bit by changing some letters to capitals, like so:
<scripT>alert("Mediuml")</scRipt>
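The DVWA behaviour above, reproduced as an added example (this is not DVWA's own PHP source): a blocklist that removes only the exact lowercase `<script>` string, which is what the mixed-case payload slips past, next to HTML output encoding, which neutralizes both payloads. The function names and the `<pre>Hello ...</pre>` template are assumptions; the two payload strings are the ones shown on this page.

```javascript
// Added example, not DVWA's code. Simulates the medium-level filter the page
// describes (exact "<script>" removed) beside proper output encoding.

// Approximation of the described filter: only the exact lowercase tag is removed,
// so any other spelling of the tag passes through untouched.
function naiveFilter(name) {
  return name.split("<script>").join("");
}

// Contextual output encoding for an HTML text node, equivalent to PHP's
// htmlspecialchars($name, ENT_QUOTES, 'UTF-8'): every character that can open a
// tag or attribute is turned into an entity, whatever case or spelling is used.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Assumed shape of the "Hello Name" response, rendered with each strategy.
function renderWithFilter(name) {
  return "<pre>Hello " + naiveFilter(name) + "</pre>";
}
function renderWithEncoding(name) {
  return "<pre>Hello " + htmlEncode(name) + "</pre>";
}

// Response-side check: does the rendered HTML still contain an opening script
// tag in any letter case? This is the case-insensitive test the filter lacks.
function containsScriptElement(html) {
  return /<\s*script\b/i.test(html);
}

// The two payloads from the page (straight quotes, as a browser would need).
const lowercasePayload = '<script>alert("XSS")</script>';
const mixedCasePayload = '<scripT>alert("Mediuml")</scRipt>';

for (const p of [lowercasePayload, mixedCasePayload]) {
  const filtered = renderWithFilter(p);
  const encoded = renderWithEncoding(p);
  console.log("filter   :", filtered, "| script tag present:", containsScriptElement(filtered));
  console.log("encoding :", encoded, "| script tag present:", containsScriptElement(encoded));
}
```

Run it with `node`. The point for a defender is that a blocklist is a list of spellings and a spelling it does not know will always exist, whereas encoding at the output point makes the input inert however it is written; the `containsScriptElement` check is the kind of case-insensitive test to apply to the response during review, not a filter to apply to the request.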
Advanced reflected XSS
Let's look for a more advanced reflected XSS.
Go back to the environment choice and this time select "Mutillidae":
In the URL, change the "anonymous" name to yours or whatever you like.
Hit the Generate button.
The result is your name with a password:
As you can see, once you change the name in the URL and hit Generate, the page still takes your name from the URL.
This tells you that whatever you type in the URL will be reflected in the page.
Try to inject there.
Put your script in the URL, hit Enter, and you will see that the script/web page breaks:
<script>alert("XSS")</script>
This is because the web page has a filter.
You need to investigate the source code in order to understand what filter the website uses, what caused the script to break, and how you can bypass it.
You can see that the filter added " and <script>.
In this case you need to remove the "<script>" tag from your payload and add a " to close the one that the website filter added.
Therefore, the new payload will look something like this:
" ;alert("XSS"); //
The // comments out whatever the page puts after your input (the original closing quote and the rest of that line), so the injected script stays syntactically valid.
Now use this payload in the URL and hit Enter:
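The Mutillidae sink described above, as an added example (this is not Mutillidae's own code): the reflected name lands inside a JavaScript string literal in an inline script, so the page's `" ;alert("XSS"); //` payload closes the literal and adds a statement of its own. The `var username = "...";` template is an assumption about the shape of the sink, not the real page source. The fix shown is the one that matches this context, a proper JS string literal built with `JSON.stringify`, because the HTML encoding used in the DVWA case does nothing for a value that is already inside a script block.

```javascript
// Added example, not Mutillidae's code. Shows why a value reflected into a JS
// string literal needs JS-string encoding, and verifies the fix by running the
// generated script with a stand-in alert().

// Assumed sink: the server writes the URL parameter straight into a JS string.
function naiveScriptTemplate(name) {
  return 'var username = "' + name + '";\n';
}

// Context-appropriate encoding: JSON.stringify yields a valid JS string literal
// (escapes quotes, backslashes, control characters and newlines). The extra
// replacements stop "</script>" inside the value from closing the script element
// in the HTML parser, and keep U+2028/U+2029 from acting as line terminators in
// older engines.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/<\//g, "<\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened sink: same template, value passed through jsStringLiteral().
function hardenedScriptTemplate(name) {
  return "var username = " + jsStringLiteral(name) + ";\n";
}

// Executes a generated script with alert() replaced by a recorder, then reports
// what "username" ended up holding and which alerts fired. A correct sink keeps
// the whole input inside the variable and never reaches alert().
function runScript(script) {
  const alerts = [];
  const username = new Function("alert", script + "return username;")(
    (msg) => alerts.push(msg)
  );
  return { username, alerts };
}

// The page's payload for this sink (straight quotes, as the browser would need).
const payload = '" ;alert("XSS"); //';

console.log("naive    :", runScript(naiveScriptTemplate(payload)));
console.log("hardened :", runScript(hardenedScriptTemplate(payload)));
```

With the naive template the recorder sees the alert and `username` is an empty string: the payload changed the program, which is exactly what the `" ... //` trick relies on. With the hardened template no alert fires and `username` round-trips to the full payload text, so the value is data, not code. The `</` escape matters because the browser's HTML parser ends a `<script>` element at the first `</script` it sees, before the JavaScript parser runs.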
All the guides, tips, and tricks on this website are for educational purposes only; the website owner is not accountable for any use of this information.