DVWA 1.9+: XSS DOM

Published in

Hacker Toolbelt

3 min readSep 17, 2019

XSS stands for Cross-Site Scripting. It’s a type of attack in which scripts are injected into trusted web sites. OWASP has a information about these attacks and its variations.

In this article we’ll see how an attacker can discover a XSS DOM vulnerability and take advantage. Let’s get down to work. Fire up DVWA and Kali, open your browser and point to your DVWA address.

Low Security

Set your security to low and then open the XSS (DOM) page:

Pressing the “Select” button and watch the URL. It took the param “default=English”. Changing the select box sets the param default. What happens when we set the default param manually to something else like “test”?

Now let’s insert our own Javascript to the param, something simple, like an alert “<script>alert(“Houston, we have a problem!!”)</script>”:

We have determine that the site is vulnerable to XSS. Let’s get the cookie with this script “<script>alert(document.cookie)</script>”:

Medium

Visually there’s no difference between the Low and the Medium security. Changing the param in the URL to test renders text in the select box, like before:

Let’s try an alert script… and nothing happens. Seems there’s some kind of filtering going on. We’re not out of options still. Open the Developer Tools and take a look at the html:

We can try several values for our default param and see how the page reacts. We’re looking to break the page’s logic and insert a crafted tag. After some trial and error I’ve managed to insert the following value “<</select><img src=’#’ onclick=alert’Gotcha!!!’>”:

Now change it to get the cookie:

High

If it’s not for tag at the bottom of the page I’d have no clue as to the security level. Ok, let’s try to hack the high security level. Start by “test”… Nothing. Seems every try gets filtered out by the server.

It’s time to try something different using the a new param/value (more about params with GET and POST methods here) “default=English&test”: