Skill Level: Intermediate
Let's take a look at a specific exploit. We're going to look at cross-site scripting, how we would actually carry something like this out, so we're going to go back into our lab, and we're going to be carrying out the attack from Kali Linux, and we'll be attacking the Damn Vulnerable Web Application, so we'll need Kali, and DVWA virtual machines up and running. You don't need Metasploitable running at this point, but it doesn't hurt if it's already running, so, let's take a look at how we can launch this attack. All right, so from Kali, I'm going to launch Firefox, and I will navigate to, or just type in, the URL, or the IP address, of my DVWA box, which is 10.10.1.11.
Remember, that's where we launched, where we're running that virtual machine. All right, and I'm going to log in as admin, and the password is password, and now I get to the web application, so the first thing I'm going to do is go down here to DVWA security, and I'm going to change the security to low so we can see how everything pans out and how it's actually going to be working, so make sure if you change the security level, you change it and click submit, and it'll tell you at the bottom, security level set to low, and at the bottom, left-hand corner, it shows you low as well.
All right, so now let's go to XSS reflected. Notice there are two XSS exploits. Reflected means I'm going to send in the scripting code and I want it to do something right then. Stored would mean I'm going to send it to the server, store it in a database, and then fetch it later, but we're going to use the reflected attack. All right, so, if I'd say, what is your name? Type in Michael, click submit, it just comes back and says, Hello Michael, right, let's look at the source, see what it's actually doing.
I still get my hello Michael in the background, but now I have an alert box that popped up and just simply says XSS, so I can put whatever I want in there. The alert box is not the real focal point, I'm just showing you that I just actually put in client-side scripting code into a web application, so when it rendered that, when it came back to my web browser, it actually said, hey, why don't you run this alert box? So I injected some code, right, well, that's pretty cool. So, why don't we try going back to our security level and let's just make one change, we're going to make it medium at this point, all right, so now it's set to medium and I go back to reflected, and I try the same thing again.
There's my script, and when I run it this time, notice, whoops, it doesn't really work as well as it used to. That's because this web app has been developed with a little bit of security in mind, so if I go to view the source this time, notice this source is under the medium security model, and what they've done, the developers have realized, oh, wait a second, if somebody injects script into the input box, then it's just going to run a script, so why don't I replace this? I'm going to use the string replace function, and replace script with a blank, so now, our attack doesn't work anymore.
If I just type the same thing, I'm going to get nothing else, but, notice, they just changed the, or they just replaced the string, script. What if I change this a little bit and made it a capital S, would that work? Oh, yep, I got it to work again! So, when you attack websites, sometimes you have access to the source code, sometimes you don't, and you're going to have to try different levels of attacks.
One way that I just made a quick change by just changing the capitalization of the script tag, and that worked. If you have a really intelligent application, it's probably going to do things that'll take care of the script or the casing as well, so that you wouldn't be able to do something as simple as this, so what if this didn't work? What would we do next? Well, what we could do is we could even get rid of the script, 'cause we know scripting's not going to work, so why don't we use an HTML feature? So, in HTML, I can actually inject a body feature, and say that on load, I want to do something.
So, what I've done here is I have opened a body tag and said that whenever I load the body of this HTML code, then I want HTML, or I want the web browser, to then run an alert function, so it's the same way without embedding it in script tags. Let's see if this works, there you go. So now, we've totally bypassed the script tags and we've gotten this to work. So we could go on and on for a long time making changes to work around the application, but that's the nature of penetration testing, is you try exploits, if they don't work, try to figure out why they don't work, and then you can tinker around a little bit with the language and with the scripting code in order to bypass the controls.
All you have to do is find one little vulnerability that the application developers didn't consider, when they developed their application. That's the key, it's kind of like a dance, it's kind of like playing chess in a way, but it's just, you know, try one thing, if it doesn't work, try something else. That's the nature of penetration testing. So there you go, there's your cross-site scripting vulnerability exploited.
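As an added illustration (not part of the transcript and not DVWA's own code), the following Python models the "replace the script tag with a blank" defence the narrator finds at the medium level next to proper contextual output encoding, and runs both against constructed stand-ins for the inputs tried in the video. The payload strings, function names and the `opens_tag` check are assumptions made for this example.

```python
import html
import re

# Constructed inputs standing in for what the narrator types: a normal name,
# the lowercase script tag, the capitalised variant, and the body onload trick.
# The exact strings typed in the video are not reproduced on the page.
PAYLOADS = {
    "plain": "Michael",
    "lowercase_script": "<script>alert('XSS')</script>",
    "capitalised_script": "<Script>alert('XSS')</Script>",
    "body_onload": "<body onload=alert('XSS')>",
}


def weak_filter(name: str) -> str:
    """Mimics the medium-level defence described in the transcript: one
    case-sensitive string replace that strips only the literal '<script>'."""
    return name.replace("<script>", "")


def encode_for_html(name: str) -> str:
    """Output encoding for an HTML text context: '<', '>', '&' and quotes become
    entities, so whatever the user typed is displayed rather than parsed."""
    return html.escape(name, quote=True)


def render(name: str, defence) -> str:
    """The reflected greeting: the defence runs on the input, then it is echoed."""
    return "Hello " + defence(name)


def opens_tag(rendered: str) -> bool:
    """Illustrative check only: does the echoed page still contain a raw tag
    start ('<' followed by a letter)? Without one, no element and therefore no
    on* handler can be created, regardless of tag name or letter case."""
    return re.search(r"<[A-Za-z]", rendered) is not None


def survey() -> dict:
    """For each payload, report whether each defence leaves a live tag behind."""
    return {
        label: {
            "weak_filter": opens_tag(render(p, weak_filter)),
            "encode_for_html": opens_tag(render(p, encode_for_html)),
        }
        for label, p in PAYLOADS.items()
    }
```

Running `survey()` shows the string replace stops only the lowercase tag while the capitalised tag and the `body onload` input survive it, whereas encoding neutralises all of them.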