DVWA: XSS

From OnnoWiki

Revision as of 08:53, 28 May 2017 by Onnowpurbo (talk | contribs) (→‎XSS Stored Basic Exploit Test)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

sumber: http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson9/index.html

Tujuan

Test a basic cross site scripting (XSS) attack
Test an iframe cross site scripting (XSS) attack
Test a cookie cross site scripting (XSS) attack
Create a php/meterpreter/reverse_tcp payload
Start the php/meterpreter/reverse_tcp listener
Upload the PHP payload to the DVWA Upload screen
Test a PHP Payload cross site scripting (XSS) attack

Di sisi DVWA

Cek IP

ifconfig

Fix Stored Cross Site Scripting (XSS) Comment Box

Edit index.php

cd /var/www/html/DVWA-1.9/vulnerabilities/xss_s/
vi index.php

Search dengan keyword mtxMessage Ubah maxlength=50

<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"50\"></textarea>

menjadi maxlength=250

<textarea name=\"mtxMessage\" cols=\"50\" rows=\"3\" maxlength=\"250\"></textarea>

Di sisi Kali Linux

Cek IP Kali Linux

ifconfig -a

Enable Javascript di Browser

Buka Firefox
Preferences > Content > Uncheck - Block pop-up windows

Masuk ke DVWA

Login
DVWA Security > Low

XSS Stored Basic Exploit Test

Klik > XSS (Stored)
Pada Name isi "Test 1"
Pada Message isi "<script>alert("This is a XSS Exploit Test")</script>"
Klik > Sign Guestbook

XSS Stored IFRAME Exploit Test

Reset Database DVWA, supaya XSS yang pernah dilakukan tidak muncul lagi.
Klik > XSS (Stored)
Pada Nama isi "Test 2"
Pada Message isi "<iframe src="http://www.cnn.com"></iframe>"
Klik > Sign Guestbook

Referensi

http://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson9/index.html

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=DVWA:_XSS&oldid=48198"