XSS (DOM)
ObjectiveRun your own JavaScript in another user's browser, use this to steal the cookie of a logged in user.
Security Level: Low
Low level will not check the requested input, before including it to be used in the output text. Spoiler: /vulnerabilities/xss_d/?default=Englishalert(1).
Let's select the first option i.e.
English
and clickSubmit
.

If we look at the URL, we can see that our input has been set as a URL parameter.
DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution.
Let's change the URL to the following:
10.0.4.5/DVWA/vulnerabilities/xss_d/?default=<script>alert();</script>

Security Level: Medium
The developer has tried to add a simple pattern matching to remove any references to "<script" to disable any JavaScript. Find a way to run JavaScript without using the script tags. Spoiler: You must first break out of the select block then you can add an image with an onerror event: /vulnerabilities/xss_d/?default=English>/option>.
Let's check the source code.

So our input is being stripped of
<script
tags.Let's inspect the code in the web page as well.

We can see that we first need to escape the
<select>
tag that we are in.Once we have done that we can use the
img onerror
attribute to trigger an alert.
10.0.4.5/DVWA/vulnerabilities/xss_d/?default=</select><img src=1 onerror=alert(document.cookie)>

Security Level: High
The developer is now white listing only the allowed languages, you must find a way to run your code without it going to the server. Spoiler: The fragment section of a URL (anything after the # symbol) does not get sent to the server and so cannot be blocked. The bad JavaScript being used to render the page reads the content from it when creating the page. /vulnerabilities/xss_d/?default=English#alert(1).
Let's check the source code first.

In this case we can use the
#
character so that our URI is fragmented and it satisfies the checks.
10.0.4.5/DVWA/vulnerabilities/xss_d/#?default=<script>alert(document.cookie);</script>

Last updated
Was this helpful?