Cross Site Scripting Library and Unrestricted File Upload

Background Information

  • Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment.
  • Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.
  • Stored (persistent) XSS is the variant exercised below: the XSS payload is stored in the database and is served to every visitor who views the page. The XSS is permanent until the database is reset or the payload is manually deleted.
  • Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code onto the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement.

Login and Set Security Setup

  • Set DVWA Security Level:
    1. Click on DVWA Security, in the left hand menu.
    2. Select “low” and click Submit

XSS Stored Basic Exploit Test

  • Instructions:
    1. Select “XSS Stored” from the left navigation menu.
    2. Name: Test 1
    3. Message: <script>alert("This is an XSS Exploit Test")</script>
    4. Click Sign Guestbook
  • Notes:
    • Notice that the JavaScript alert we just created is now displayed.
    • Every time a user comes to this forum, this XSS exploit will be displayed.
    • This exploit can be easily modified to capture cookie/session information for future man-in-the-middle attacks.

XSS Stored IFRAME Exploit Test

  • The first step is to reset the database.
  • Instructions:
    1. Select “Setup” from the left navigation menu.
    2. Click on the Create / Reset Database Button.
    3. Select “XSS Stored” from the left navigation menu.
    4. Input Name: Test 2
    5. Input Message: <iframe src="http://www.cnn.com"></iframe>
    6. Click Sign Guestbook
  • Notes:
    • We need to reset the database, otherwise the XSS exploit from each previous example will also appear in this one.
    • Notice that CNN is displayed under “Test 2's” Message. This is a powerful exploit because an attacker could use SET (the Social-Engineer Toolkit) to create a malicious cloned website and embed it here.

XSS Stored Cookie Exploit Test

  • The first step is to reset the database.
  • Instructions:
    1. Select “Setup” from the left navigation menu.
    2. Click on the Create / Reset Database Button.
    3. Select “XSS Stored” from the left navigation menu.
    4. Input Name: Test 3
    5. Input Message: <script>alert(document.cookie)</script>
    6. Click Sign Guestbook
    7. Click OK
  • Notes:
    • We need to reset the database, otherwise the XSS exploit from each previous example will also appear in this one.
    • An attacker could easily modify this XSS script to send the cookie to a remote location instead of displaying it.
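The three guestbook tests above all depend on the same defect: stored text is written into the page without output encoding. The following added example (not DVWA's own code) shows a vulnerable and a fixed renderer over the three constructed payloads from the tests, plus a coarse scan of stored rows that a defender can run against the guestbook table after an incident; the row data and function names are assumptions for the demo.

```python
import html
import re

# Constructed sample guestbook rows: the three payloads used in the tests above
# plus one benign entry. Stored XSS persists because these rows live in the database.
GUESTBOOK_ROWS = [
    ("Test 1", '<script>alert("This is an XSS Exploit Test")</script>'),
    ("Test 2", '<iframe src="http://www.cnn.com"></iframe>'),
    ("Test 3", "<script>alert(document.cookie)</script>"),
    ("Alice", "Nice site, 5 < 10 & 10 > 5"),
]


def render_entry_vulnerable(name, message):
    """Mirrors the low-security guestbook: stored text is echoed into HTML unchanged."""
    return f"<div>Name: {name}<br />Message: {message}</div>"


def render_entry_safe(name, message):
    # Fix: HTML-encode stored data at output time. quote=True also encodes ' and "
    # so the same function is safe for text placed inside attribute values.
    return (f"<div>Name: {html.escape(name, quote=True)}<br />"
            f"Message: {html.escape(message, quote=True)}</div>")


# Detection: markup that should never appear in a plain-text guestbook. This is a
# coarse audit aid for the stored rows, not a replacement for output encoding.
_SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|img|svg|object|embed)\b|on\w+\s*=|javascript:", re.I)


def find_suspicious_rows(rows):
    """Return the names of rows whose stored message looks like injected markup."""
    return [name for name, message in rows if _SUSPICIOUS.search(message)]


def render_guestbook(rows, safe=True):
    """Render all rows with either the vulnerable or the encoding renderer."""
    render = render_entry_safe if safe else render_entry_vulnerable
    return "\n".join(render(name, message) for name, message in rows)


if __name__ == "__main__":
    print(render_guestbook(GUESTBOOK_ROWS, safe=False))
    print(render_guestbook(GUESTBOOK_ROWS, safe=True))
    print("Suspicious rows:", find_suspicious_rows(GUESTBOOK_ROWS))
```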

Unrestricted File Upload

  • Instructions:
    1. Select “Upload” from the left navigation menu.
    2. Click Browse
    3. Choose a PHP file from root
    4. Click Upload button
    5. Reset the database
    6. Set the security level to high
    7. Click Browse and choose the same PHP file
    8. Click View Source at the bottom right of the page
    9. Compare the source code of the two security levels
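At the low level the upload handler stores whatever it receives under the client's file name inside the web root, which is why a PHP file can be uploaded and then executed. The following added example (not DVWA's code) shows the checks a hardened handler performs before storing a file: an extension allowlist, a size limit, a magic-byte check of the content against the claimed type, and a scan for PHP open tags so that a renamed script or an image with PHP appended does not pass. The sample files, the upload directory and the function names are constructed for this demo.

```python
import os
import re
import secrets

# Allowlist of image types this endpoint accepts: extension -> (magic bytes, MIME type)
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".jpeg": (b"\xff\xd8\xff", "image/jpeg"),
}
MAX_BYTES = 1_000_000
_PHP_TAG = re.compile(rb"<\?(php|=)", re.I)   # "<?php" or "<?=" anywhere in the body
UPLOAD_DIR = "/var/uploads"                   # assumed directory outside the web root


def validate_upload(filename, content):
    """Return (ok, reason). Every check here is missing from the low-security handler."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if len(content) > MAX_BYTES:
        return False, "file too large"
    magic, _mime = ALLOWED[ext]
    if not content.startswith(magic):          # the name says image; does the content?
        return False, "content does not match claimed type"
    if _PHP_TAG.search(content):               # valid image header with PHP appended
        return False, "embedded PHP open tag"
    return True, "ok"


def storage_name(filename):
    """Never reuse the client-supplied name: random name, validated extension only,
    stored in a directory the web server does not execute scripts from."""
    ext = os.path.splitext(filename)[1].lower()
    return os.path.join(UPLOAD_DIR, secrets.token_hex(16) + ext)


# Constructed samples (not real files): the PHP file uploaded in the lab, the same
# content under an image name, a PNG header with PHP appended, and a plain PNG.
SAMPLES = {
    "test.php": b"<?php echo 'hello'; ?>",
    "test.jpg": b"<?php echo 'hello'; ?>",
    "poly.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?php echo 1; ?>",
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, validate_upload(name, data))
```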
