# DVWA - Cross Site Scripting Attack (XSS)
Today we delve into the third box in DVWA - XSS (stored) Attack. What does this mean? We could turn to Google for this and say: XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
In my words, an attacker may send malicious code through various means over the web like cookies and session tokens (information that is usually stored in the web browser) to gain access to their systems.
We shall then log in to DVWA with:
- username: `admin`
- password: `password`
Once we are in, we shall go over and set our security level to low as shown below:

We shall then go over to XSS (Stored) and this is what we see: two fields, name and message, and two buttons, sign and clear guestbook.

We shall then input something in these fields and view the page source.

We can see here that the data we just keyed in, admin and let's go, has been stored and can be viewed through the page source, which makes this site vulnerable to cross-site scripting. We shall then release an XSS payload `<script>alert()</script>` on the message field and see what response we get when we submit.

Now let us sign the guestbook and this is what we see:

The alert pop-up comes up! This is great! We have exploited this vulnerability!
To go a step further let us pass another payload and see what the page will return. This time we shall release this payload: `<script>alert(document.cookie)</script>`

With that we get to receive the session id! This is very dangerous and we shall therefore look at some recommendations for it.
### RECOMMENDATIONS
According to the OWASP Top 10 web application security risks 2021, cross-site scripting is now part of injection, which is at number 3. This in turn means that we need to increase our awareness concerning such vulnerabilities as we find ways to mitigate any possible attacks in the future.
One way to prevent such vulnerabilities in the future is to have a web application firewall which can filter out any malicious activities that indicate the presence of an attack.
Another is to encode user input data and validate / sanitise it. This ensures that any data that has been input by a user is how you would like it to be.
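
The encode-and-validate recommendation, sketched as an added example (not DVWA's own code) that renders the guestbook entries from this walkthrough with and without output encoding. The name allowlist, the length cap and the HTML layout are assumptions made for illustration.

```python
import html
import re

# Constructed sample guestbook rows: the three entries submitted in this walkthrough.
ENTRIES = [
    ("admin", "let's go"),
    ("admin", "<script>alert()</script>"),
    ("admin", "<script>alert(document.cookie)</script>"),
]

NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,10}")  # assumed allowlist for the name field
MAX_MESSAGE = 300                               # assumed length cap for the message field


def validate(name, message):
    """Validation: reject input that does not have the expected shape."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name must be 1-10 letters, digits, space, _ . -")
    if not 0 < len(message) <= MAX_MESSAGE:
        raise ValueError("message must be 1-300 characters")
    return name, message


def render_unsafe(entries):
    """Low-security behaviour: stored text is written into the page as-is."""
    return "".join(f"<div>Name: {n}<br>Message: {m}</div>\n" for n, m in entries)


def render_encoded(entries):
    """Encode on output so stored text is shown as text, never parsed as markup."""
    return "".join(
        f"<div>Name: {html.escape(n, quote=True)}<br>"
        f"Message: {html.escape(m, quote=True)}</div>\n"
        for n, m in entries
    )


if __name__ == "__main__":
    # A free-text message may legitimately contain < and >, so validation
    # alone lets these entries through; the output encoding is what stops
    # the browser from running them.
    stored = [validate(n, m) for n, m in ENTRIES]
    print(render_unsafe(stored))
    print(render_encoded(stored))
```

In the encoded output the script tags arrive in the browser as `&lt;script&gt;…`, so the guestbook shows them as literal text and no alert fires.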