DVWA (Damn Vulnerable Web App) is a PHP-based web application for practicing web pentesting and learning about web vulnerabilities in a safe environment. Its main goal is to provide a safe and legal environment for security professionals and students to test their skills and tools and learn about web security. In this post we are trying to exploit the XSS vulnerabilities in DVWA. Now let's start:
1. Reflected XSS :
Security level : low
There is no filter implemented in the PHP code. The user input is printed on the page as it is. So the payload is :
<script>alert(1)</script>
Click on the submit button and the payload will be executed.
Security level : medium
The web app will remove the <script> tag from the user-supplied data. To bypass that <script> filter, use <scr<script>ipt>: the filter will remove the <script> part in the middle and we will be left with <script>.
Payload :
<scr<script>ipt>alert(1)</script>
Security level : high
The code will filter the < sign followed by "script" or "SCRIPT". So we can bypass it by using an HTML event handler payload.
Payload :
<body onload=alert(1)>
Security level : impossible
There are several security implementations, for example an anti-CSRF check, and the output is parsed with the htmlspecialchars() function. So currently I am not able to bypass it.
2. Stored XSS :
Security level : low
There is no input filter applied to the message area, so we can simply put our payload into the message area.
Payload :
<script>alert(1)</script>
Now click on the "Sign Guestbook" button. The payload will be stored on the page, and whenever you load the page the payload will be executed.
Note : To clear that stored payload click on the "Clear Guestbook" button on the page.
Security level : medium
Here the message field is parsed with the htmlspecialchars() function, but the name field only filters the <script> tag, so we can easily bypass it with the payload below :
Payload :
<scr<script>ipt>alert(1)</script>
But the maximum length of the name field is only 10 characters. This check is done by client-side code, so we can change the maximum character length to 100 or so. To do this, right-click on the name field and click the 'Inspect Element' option, then in the inspector tab find the maxlength attribute and change it from 10 to 100.
Security level : high
Here the message field is parsed with the htmlspecialchars() function, and in the name field the preg_replace() function is used to replace a regular expression (which matches the word "script") with a blank string.
So to bypass this we can use HTML events, for example <body onload=alert(1)> in the name field. First change the maximum character limit of the name field as we did above, then put the payload in the name field and click the "Sign Guestbook" button.
Payload :
<body onload=alert(1)>
Security level : impossible
There are several security implementations, for example an anti-CSRF check, and the output is parsed with the htmlspecialchars() function. So currently I am not able to bypass it.
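To make the difference between the medium/high filters and the impossible level concrete, here is an added Python model (not DVWA's PHP code) of the three approaches described in the Reflected and Stored XSS sections: single-pass removal of the literal <script> tag, a regex that drops "<" followed by the letters of "script" (my assumed approximation of the preg_replace() the post mentions), and output encoding equivalent to htmlspecialchars(). The sample inputs are the post's own payloads.

```python
import html
import re

# Constructed sample inputs: the payloads the post uses at each level.
SAMPLES = {
    "plain": "<script>alert(1)</script>",
    "nested": "<scr<script>ipt>alert(1)</script>",
    "event": "<body onload=alert(1)>",
}


def medium_filter(value: str) -> str:
    """Medium level as described: remove the literal '<script>' substring in a single pass."""
    return value.replace("<script>", "")


def high_filter(value: str) -> str:
    """High level as described: drop '<' followed by s, c, r, i, p, t in order, any case.
    The exact regex is an assumption approximating the preg_replace() the post mentions."""
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", value, flags=re.IGNORECASE)


def escape_output(value: str) -> str:
    """Impossible level: encode for an HTML text context, like PHP htmlspecialchars()."""
    return html.escape(value, quote=True)


# Crude detector used only for the comparison: a <script> tag, or any tag with an on*= handler.
ACTIVE_MARKUP = re.compile(r"<\s*script\b|<[a-z]+[^>]*\son[a-z]+\s*=", re.IGNORECASE)


def still_executable(rendered: str) -> bool:
    """True if the sanitized string still contains markup a browser would execute."""
    return ACTIVE_MARKUP.search(rendered) is not None


def evaluate(sanitizer) -> dict:
    """Map each sample name to whether it survives the given sanitizer as active markup."""
    return {name: still_executable(sanitizer(value)) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for label, fn in (("medium", medium_filter), ("high", high_filter), ("escape", escape_output)):
        print(label, evaluate(fn))
```

Only the encoding approach neutralises all three inputs; the blacklists each leave at least one of the post's payloads intact.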
3. DOM Based XSS :
Security level : low
There is no filter or parser applied to the given data, so we can use a simple XSS payload :
Payload :
<script>alert(1)</script>
Exploit :http://192.168.56.102/dvwa/vulnerabilities/xss_d/?default=<script>alert(1)</script>
Now put the payload in the browser URL and hit enter.
Security level : medium
The code blocks the <script> tag, as we can see in the page source code :
So we can use the payload below, which first closes the
Payload :
></option></select><body onload=alert(1)>
Exploit :http://192.168.56.102/dvwa/vulnerabilities/xss_d/?default=></option></select><body onload=alert(1)>
Now put the payload in the browser URL and hit enter.
Security level : high
Payload :
English#<script>alert(1)</script>
Exploit :http://192.168.56.102/dvwa/vulnerabilities/xss_d/?default=English#<script>alert(1)</script>
Put the payload in the browser URL and hit enter, then change the language in the browser and click on the "Select" button; the payload will be executed.
Conclusion :
In this post we saw the XSS vulnerability examples given in the DVWA web app. For more information about web security and web pentesting, please visit the link below :
http://www.sec-art.net/p/web-security.html
And for the installation process of DVWA on Windows with XAMPP : Click here