Reflected XSS

In this guide we will focus on reflected XSS.
You are going to use the following machines:

  • Kali

  • Metasploitable

As part of the Linux vulnerable machine, the Metasploitable VM hosts a web server running DVWA (Damn Vulnerable Web App), a PHP/MySQL web application.

To discover it, you will need to try injecting some JavaScript into the fields on the website.

In reflected XSS you need to send the crafted URL to the target:

Open the browser in your Kali machine, navigate to the Metasploitable IP address and click on DVWA.

Login:

Username: admin
Password: password

  • DVWA >> DVWA Security >> set the security level to low

  • XSS reflected >> write your name or whatever you like and click "Submit"

You can see that the website replies with "Hello Name".

[Screenshot: reflected XSS in DVWA]

Now, let’s try and inject some script in there:

<script>alert("XSS")</script>

For more payloads, check out this cheat sheet.

[Screenshot: XSS payload]

If you look at the URL, you will see:

10.0.2.6/dvwa/vulnerabilities/xss_r/?name=<script>alert("XSS")</script>#

If you send this URL to anyone, they will get your XSS alert.

Depending on the context, you can inject different code, not just an alert popup window.

Now, if you change the security level to medium and try the same thing, you will see that it no longer works.

If you look at the source code, you will see that the "<script>" word is being replaced with "<pre>".

[Screenshot: DVWA XSS page in the browser inspector]

That tells you that some kind of filter has been activated, so you can use the OWASP cheat sheet to look for a way to bypass it.

To get past the filter, I'm going to tweak the script a bit by changing some letters to capitals, like so:

<scripT>alert("Mediuml")</scRipt>

[Screenshot: the XSS payload in the DVWA name field]

Advanced reflected XSS

Let’s try and look for advanced reflected XSS.
Go back to the environment choice and this time select "Mutillidae":

[Screenshot: advanced reflected XSS in Mutillidae]

In the URL, change the anonymous name to yours or whatever you like.
Hit the Generate button.
The result is your name with a password:

As you can see, once you change the name in the URL and hit Generate, it still gets your name from the URL.
This tells you that everything you type in the URL will be reflected in the page.
Try to inject there.

Set your script in the URL, hit Enter, and see that the script/web page is broken:

<script>alert("XSS")</script>

This is because the web page has a filter.

[Screenshot: the payload in the address bar]

You need to investigate the source code in order to understand what filter the website uses, what caused the script to break, and how you can bypass it.

You can see that the filter added a " and <script>.
In this case you need to remove the "<script>" word from your payload and add a " in order to close the one that the website filter added.

Therefore, the new payload will look something like this:

" ;alert("XSS"); //

The // comments out everything that follows in the rest of the script.

Now use this payload in the URL and hit Enter.
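To see why the case-varied payload gets past a literal "<script>" blacklist while proper output encoding stops it, and why the Mutillidae string-literal context needs a different encoder than the DVWA HTML-body context, here is an added Python model (example code, not DVWA's or Mutillidae's own source; the filter and the page templates are assumptions for illustration):

```python
import html
import json
import re

# Constructed sample inputs, modelled on the payloads in the tutorial above.
SCRIPT_PAYLOADS = [
    '<script>alert("XSS")</script>',
    '<scripT>alert("Medium")</scRipt>',  # case-varied to evade a literal match
]
BREAKOUT_PAYLOAD = '" ;alert("XSS"); //'  # closes a JS string literal, comments out the rest

def blacklist_filter(name: str) -> str:
    """Assumed model of a 'medium' filter: strips only the literal, lower-case '<script>'.
    An illustration of the behaviour the tutorial describes, not DVWA's source."""
    return name.replace("<script>", "")

def html_encode(name: str) -> str:
    """Correct fix for an HTML-body context: entity-encode every special character."""
    return html.escape(name, quote=True)

def render_greeting(name: str, sanitizer=lambda s: s) -> str:
    """Model of the 'Hello <name>' page: the value lands in the HTML body."""
    return f"<pre>Hello {sanitizer(name)}</pre>"

_SCRIPT_OPEN = re.compile(r"<\s*script\b", re.IGNORECASE)

def contains_live_script_tag(page: str) -> bool:
    """Rough detector: is there still an un-encoded <script> open tag in the rendered HTML?"""
    return _SCRIPT_OPEN.search(page) is not None

def render_in_js_string_naive(name: str) -> str:
    """Model of the second lab: the value is dropped raw inside a JavaScript string literal."""
    return '<script>var name = "' + name + '";</script>'

def render_in_js_string_safe(name: str) -> str:
    """Fix for a JS-string context: JSON-encode so quotes and backslashes stay inside the
    literal, and escape '</' so the HTML parser cannot see a closing </script> either."""
    return "<script>var name = " + json.dumps(name).replace("</", "<\\/") + ";</script>"

def js_string_balanced(page: str) -> bool:
    """Heuristic: an even count of unescaped double quotes means no literal was broken open."""
    return len(re.findall(r'(?<!\\)"', page)) % 2 == 0

if __name__ == "__main__":
    for p in SCRIPT_PAYLOADS:
        print("blacklist:", contains_live_script_tag(render_greeting(p, blacklist_filter)))
        print("encoded:  ", contains_live_script_tag(render_greeting(p, html_encode)))
    print("naive JS :", js_string_balanced(render_in_js_string_naive(BREAKOUT_PAYLOAD)))
    print("safe JS  :", js_string_balanced(render_in_js_string_safe(BREAKOUT_PAYLOAD)))
```

The point the two checks make is that the fix is chosen by output context, not by what the input looks like: entity encoding for HTML body, a JS-string encoder for a script literal, and no blacklist in either case.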

All the guides, tips, and tricks on this website are for educational purposes only; the website owner is not accountable for any use of this information.