reading-notes

Dedicated to my thoughts while learning cybersec

View the Project on GitHub jakeoverall/reading-notes

XSS with w3af, DVWA

11/22/2020

xss

The Golden Rule of Web Development Assume every user is either ignorantly or intentionally malicious

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. There are several points of failure that can cause these injection attacks to succeed. Developers must be vigilant anywhere a web application uses input from any user.

An attacker can use XSS to send a malicious script to an unsuspecting user. Because the malicious script comes from a trusted site it will be executed within the same context as the users active connection this allows the evil script to access cookies, identity tokens, or any other sensitive information retained by the browser and used with that site. Once a malicious script can be inserted the entire integrity of the once trusted site is void and usually the script execution is hidden so the unexpected victim will be non the wiser that an injection attack has occurred.

An Injection Demo

Attack Demo warning: turn volume down

To illustrate in an incredibly visible way I created a site that loads what I designed to be a strong demo to convince site owners they have an XSS issue. A link to the attack script can be found here

w3af

Web Application Attack and Audit Framework (W3AF)

http://w3af.org/

W3AF is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities. Vulnerabilities are identified using plugins, which are written in Python and send specially crafted HTTP requests to forms and query string parameters to identify errors and misconfigurations that cause problems. It is important to point out that you should only use this tool against sites where vulnerability testing is explicitly allowed.

DVWA

http://www.dvwa.co.uk/

In the event that you don’t have access to your own site to test against or if you are looking for all the ways to do web application development wrong you can use the Damn Vulnerable Web App (DVWA) as your testing grounds. DVWA is written as a PHP/MySQL web application and it has been left intentionally vulnerable. The main goals of DVWA are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.