This article is written to bring awareness among all security researchers and developers so that they may be able to learn the level of damage cause by XSS attack if the web server is suffering from cross site scripting vulnerability.

DOM Based XSS (TYPE 0)

 The DOM-Based Cross-Site Scripting is vulnerability which appears in document object model instead of html page. An attacker is not allowed to execute malicious script on the user’s website although on his local machine in URL, it is quite different from reflected and XSS because in this attack developer cannot able to find malicious script in HTML source code as well as in HTML response, it can be observed at execution time.

This can make it stealthier than other attacks and WAFs or other protections which are reading the page body does not see any malicious content.

 Let’s start!!!

Target: DVWA

 Low security

For this tutorial I had targeted DVWA and explore localhost IP in browser; now login with admin: password into web application and Set security level low.

Select the DOM cross site scripting vulnerability from given list of vulnerability. The web application allows the user to select any language form drop down list.

Now let’s understand current scenario when security is low; in this part the developer has not add any filter while framing the code for web site that could check for any malicious activity. Hence if an attacker opens the website in low security and tries for XSS attack possible he gets successful in his deed.  

http://localhost:81/dvwa/vulnerabilities/xss_d/?default=English

 The JavaScript code obtains value from the URL parameter “default” and writes the value in the webpage and as the result the web page show English as output. Now attacker will inject following code into URL <script>alert(“hack”);</script> and send this link to the client through social engineering.

http://localhost:81/dvwa/vulnerabilities/xss_d/?default=English<script>alert(“hack”);</script>

 Great!! Now you can check the output in the given screenshot.

Medium Security

Let change the security level from low to medium level

In medium security the developer has tried to add a simple pattern matching to remove any references to “<script” to disable any JavaScript for location default =English, hence above JavaScript code will not run to execute malicious script in medium security level. Find a way to run JavaScript without using the script tags

http://localhost:81/dvwa/vulnerabilities/xss_d/?default=English

Similarly this time attacker will try different technique to exploit the vulnerability, he can insert malicious script using JavaScript onload function ><body onload=alert(“XSS”)> and send link to victim. In this level attacker first need to break out select block to inject body onload or image tag.

 http://localhost:81/dvwa/vulnerabilities/xss_d/?default=English>/opttion></select><body onload=alert(“XSS”)>

High Security

Now increase the security level from medium to high.

In high security the developer is now white listing only the allowed languages, you must find a way to run your code without it going to the server.

http://localhost:81/dvwa/vulnerabilities/xss_d/?default=English

The fragment section of a URL anything after the # (hash) symbol does not get sent to the server and so cannot be blocked. The bad JavaScript being used to make the page reads the content from it when creating the page.

http://localhost:81/dvwa/vulnerabilities/xss_d/?default=English#<script>alert(“you have been hacked”);</script>

Awesome!!! We have successfully bypassed all three security level of DVWA

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here