Reflective XSS – DVWA Part 2

The assumption is that you are here because you are either trying to learn about web app pen testing or you are stuck on one of the challenges. Everyone has their own way that they like to approach web applications. This is mine. We will end up at the same place so don’t get too hung up on style, focus on content.

All of the posts here are spoilers

To setup for all of the different challenges in DVWA you need to set the security level. This is relatively simple, just click the DVWA Security button and set the level through the interface.

Set Security Level

XSS Reflected – Low

I have security set to low and I have clicked on the XSS Reflected button. Nice test box huh? Well now what are you going to do? I like to jump right in and start stuffing things in there. No foreplay or anything.

HTML Injection Test

Why didn’t I go right for an alert('XSS')? I like to see if HTML injection is possible at the same time. Feel free to skip that step and go straight to <script>alert("XSS")</script>. Look at that! HTML injection is possible. Let us go back and see if we can get a script to run.

HTML Injection Success

XSS Script Success

TL;DR <script>alert("XSS")</script>

XSS Reflected – Medium

Set the DVWA Security to Medium and throw that script back in there.

Medium XSS Failure

Why didn’t that work? Time to dig into the page source. If you read the PHP by clicking on the View Source button, the function first checks for a null string, then replaces the string <script> with '' if it is found. That is super effective against tools or testers that only use the exact string <script>. If you change it up a bit by adding capitalization, <SCRipT> or <ScriPt>, it doesn’t match and str_replace just passes it through. The PHP function is case sensitive but HTML is not.

PHP Function

TL;DR <SCRipt>alert("XSS")</scrIPT>

XSS Reflected – High

The High challenge uses the PHP function htmlspecialchars to escape special characters. I have tried to encode the string in multiple ways and have not figured out a way to run a script. This is the correct way to handle user input; it might be breakable, but I haven’t found a way around it yet.
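To make the difference between the Medium and High handlers concrete, here is an added example (not DVWA's own code) that models both filters in Python: a case-sensitive `str_replace`-style blocklist beside `htmlspecialchars`-style output encoding, run over the same inputs the post uses. The sample inputs, the `render` wrapper and the function names are constructed for the demo.

```python
import html
import re

# Constructed inputs for the demo: a benign name plus the two payloads from the post.
SAMPLES = [
    "Alice",
    '<script>alert("XSS")</script>',
    '<SCRipt>alert("XSS")</scrIPT>',
]


def medium_filter(name: str) -> str:
    """Model of the Medium handler: str_replace('<script>', '', $name).
    str.replace is case-sensitive, exactly like PHP's str_replace, so only the
    lowercase tag is stripped; any other capitalisation passes straight through."""
    return name.replace("<script>", "")


def high_filter(name: str) -> str:
    """Model of the High handler: htmlspecialchars($name).
    html.escape(quote=True) turns &, <, >, " and ' into entities, like
    htmlspecialchars with ENT_QUOTES (the apostrophe entity spelling differs)."""
    return html.escape(name, quote=True)


def render(name: str) -> str:
    """The reflected fragment: the (filtered) name dropped into the page as HTML."""
    return f"<pre>Hello {name}</pre>"


# Browsers match tag names case-insensitively, so the check must too.
_SCRIPT_START_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(markup: str) -> bool:
    """True if the rendered output still contains a <script ...> start tag."""
    return _SCRIPT_START_TAG.search(markup) is not None


def script_survives(filter_fn, name: str) -> bool:
    """Does a script tag survive this filter once the value is reflected?"""
    return contains_script_tag(render(filter_fn(name)))


def outcomes() -> dict:
    """Per-filter results for every sample; encoding neutralises every case,
    the blocklist only the one exact spelling it was written for."""
    return {
        fn.__name__: [script_survives(fn, s) for s in SAMPLES]
        for fn in (medium_filter, high_filter)
    }
```

Run `outcomes()` to see the blocklist fail on the mixed-case sample while the encoded output never carries a live tag; the takeaway is that encoding on output, not pattern-stripping on input, is the fix.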