This article is written to raise awareness among security researchers and developers, so that they can learn the level of damage an XSS attack can cause if a web server suffers from a cross-site scripting vulnerability.
DOM Based XSS (TYPE 0)
DOM-based cross-site scripting is a vulnerability that appears in the Document Object Model instead of in the HTML page. The attacker's script is not executed on the website itself but on the user's local machine, through the URL. It is quite different from reflected and stored XSS because in this attack the developer cannot find the malicious script in the HTML source code or in the HTML response; it can only be observed at execution time.
This can make it stealthier than other attacks, and WAFs or other protections that read the page body do not see any malicious content.
Let’s start!!!
Target: DVWA
Low security
For this tutorial I targeted DVWA and opened the localhost IP in the browser; now log in to the web application with admin: password and set the security level to low.
Select the DOM cross-site scripting vulnerability from the given list of vulnerabilities. The web application allows the user to select any language from a drop-down list.
Now let's understand the current scenario when security is low. In this part the developer has not added any filter to the website's code that could check for malicious activity. Hence, if an attacker opens the website at low security and tries an XSS attack, he succeeds.
The JavaScript code obtains the value of the URL parameter “default” and writes it into the web page; as a result, the web page shows English as output. Now the attacker will inject the following code into the URL and send this link to the client through social engineering.
Great!! Now you can check the output in the given screenshot.
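The low-security behaviour described above, where the script writes the value of the "default" parameter into the page, shown beside a hardened version. This is an added example, not DVWA's code or code from the original article; the function names, the language allowlist and the sample URLs are assumptions, and the page write is modelled as string building so it runs without a browser.

```javascript
// Added example: models the handling of the "default" URL parameter as pure
// functions so it runs under Node without a browser DOM.
// ALLOWED_LANGUAGES and all function names are assumptions for illustration.
const ALLOWED_LANGUAGES = ["English", "French", "Spanish", "German"];

// Read the "default" parameter from a URL's query string (percent-decoded).
function getDefaultParam(url) {
  return new URL(url).searchParams.get("default");
}

// Low-security pattern: the URL value is concatenated straight into markup,
// which is what a document.write()-style sink ends up rendering.
function renderOptionUnsafe(url) {
  const lang = getDefaultParam(url);
  return "<option value='" + lang + "'>" + lang + "</option>";
}

// Escape the five characters that can change HTML structure.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: accept only known languages, fall back to a fixed value,
// and escape on output anyway as a second layer.
function renderOptionSafe(url) {
  const lang = getDefaultParam(url);
  const chosen = ALLOWED_LANGUAGES.includes(lang) ? lang : "English";
  const safe = escapeHtml(chosen);
  return "<option value='" + safe + "'>" + safe + "</option>";
}

// Constructed sample URLs: a normal choice and one carrying harmless markup.
const normalUrl = "http://localhost/page?default=French";
const markupUrl = "http://localhost/page?default=%3Cb%3Ebold%3C%2Fb%3E";

console.log(renderOptionUnsafe(normalUrl));
console.log(renderOptionUnsafe(markupUrl)); // markup from the URL reaches the page
console.log(renderOptionSafe(markupUrl));   // unknown value falls back to English
```

In a browser, the hardened form corresponds to creating the option element and setting its textContent after the allowlist check, rather than writing a concatenated string into the document.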
Medium Security
Let's change the security level from low to medium.
In medium security the developer has tried to add simple pattern matching to remove any references to "