Cross-site Scripting Lab

Size: px

Start display at page:

Download "Cross-site Scripting Lab"

Collin Hill
7 years ago
Views:

1 Cross-site Scripting Lab Cross-site Scripting (XSS) is a client-side attack that leverages the user's browser to execute malicious code. The attack boils down to injecting a malicious script into an unsuspecting user's browsing environment for execution. There are three types of XSS attacks - Reflected, Stored, and DOM-based (Document Object Model). Reflected attacks are dependent upon the web server returning unsanitized user-controlled input to the browser for display. The attack leverages this type of behavior by submitting a malicious script as a URL parameter to the server, which is executed by the client's browser upon receiving the server's response. Reflected attacks account for 75% of XSS vulnerabilities found in the wild. Stored attacks also leverage the web server's lack of output sanitation in servicing client's requests. However, the attack depends on the attacker's ability to upload a malicious script to the server for other users to consume. Once a user visits the legitimate page where the malicious script resides, the user's browser executes the script. DOM-based attacks leverage the browser's ability to manipulate the client's browsing environment via the DOM. Unlike Reflected or Stored attacks, where the server returns the malicious script to the client for execution. DOM-based attacks store the malicious script on the client's DOM, and leverage the web server's use of client-side scripting to execute the malicious code stored on the client. DOM-based attacks are beyond the scope of this lab, as it requires some web development knowledge. Objective Part 1- Experiment with Reflected and Stored XSS attacks Successfully execute a Reflected XSS script Successfully execute a Stored XSS script Part 2- Evaluate the "XSS Blog" website for XSS flaws Find at least three instances of XXS vulnerabilities Identify the type of XSS vulnerability found, must include at least one Reflected and one Stored Research Reflected and Stored XSS vulnerabilities mitigation techniques Turn In Part 2- Evaluate the "XSS Blog" website for XSS flaws Screenshot of successful execution of one Reflected script Screenshot of successful execution of one Stored script Short write up suggesting how to fix the three vulnerabilities discovered Keys to success Read the entire Lab document prior to attempting the lab Use the DVWA Virtual Machine Fully understand how to take advantage of the vulnerabilities within the DVWA environment prior to attempting to locate the flaws in the Blog site Begin your evaluation of the Blog with Reflected XSS, then move to Stored

Starting the VMs Open VM VirtualBox Manager Start the DVWA Virtual Machine Login to Ubuntu using the standard Lab credentials Open a web browser window Navigate to http://127.0.

2 Starting the VMs Open VM VirtualBox Manager Start the DVWA Virtual Machine Login to Ubuntu using the standard Lab credentials Open a web browser window Navigate to Login to DVWA User- admin Pass- password Part 1 - Experiment with Reflected and Stored XSS attacks The first step is to reset the Web App's Database to ensure we begin with a clean slate. Click on Setup -> Reset Database. Do not hesitate to reset the database anytime you would like to clean up your working environment. It's a good idea to clean up the Stored XSS section after submitting a few successful test strings to minimize the amount of scripts executing. Next we setup the running security level for the application. Click on DVWA Security -> Select "low" -> click Submit. This will lower the built-in security filters, and allow us to fully experiment with the different XSS test strings.

3 Once the web app is configured properly, we can turn out attention to testing the different XSS flaws within the application. Click on XSS Reflected -> enter test string and submit the request to begin exploring Reflected XSS flaws. A few possible test string to submit: Pop-up an alert window with a number 1 as the message - <script>alert(1)</script> Pop-up an alert window with a custom message - <script>alert("xss")</script>

4 Now experiment with the Stored XSS vulnerabilities found in this web application. Click on XSS Stored -> enter test string and submit request. A few possible test string to submit: Embed another web page with the current page - <iframe src=" Redirect the browser to a different site - <script>document.location=" One particularly troublesome script could compromise the user's session, by tricking the browser into sending an attacker the user's session cookie. This type of attack can lead to session hijacking and stealing of sensitive data, to full client or web server compromise depending on the right conditions. Part 2 - Evaluate the "XSS Blog" website for XSS flaws Our next step is to find at lease three XSS vulnerabilities within the XSS Blog website. The site can be accessed by navigating to

5 Use the knowledge gained from part one of this lab as well as the different test strings to evaluate the site for XSS vulnerabilities. Keep in mind the two types of XSS vulnerabilities we are searching for, and select the appropriate script to discover the flaws. Pay close attention to URLs and URL parameters, especially for Reflected XSS vulnerabilities. Extended Learning Tools for finding XSS vulnerabilities: DOMTracer - blueinfy.com/tools Burp Proxy - Firefox Add-ons - Firebug, WebDeveloper Toolbar More information on XSS:

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1: