DVWA 1.9+: XSS Reflected

In my previous article I wrote XSS attacks in the DOM. In this article I’ll be addressing XSS Reflected attacks. For definitions, glossaries and in-depth information about XSS I suggest the OWASP articles.

Start the lab’s machines and dive in. In this article we’ll need ZAP and a browser.

Low Security

It’s the easiest level so we’l start with something simple. Input the following text into the input text field:

<script>alert(“You’ve been XSSed!”)</script>

Easy enough. Change it to obtain the cookie:

<script>alert(document.cookie)</script>

Medium Security

In the medium level the upper string doesn’t seem to work. Let’s try inserting an image element:

<img src=”#”>

There’s no filtering out on our new element. Let’s add an onclick event in that element:

<img src=”#” onclick=alert(“XSSed!”) >

Now change the event to obtain the cookie:

<img src=”#” onclick=alert(document.cookie) >

High Security

Let’s start by trying the previous string

<img src=”#” onclick=alert(document.cookie) >

It was enough to get the cookie’s value.