DVWA Installation
Installing DVWA (Damn Vulnerable Web Application) on Kali Linux is a straightforward
process.
Below are the steps to install and configure DVWA on Kali Linux:
Step 1: Update Kali Linux
Ensure your Kali Linux system is up-to-date:
sudo apt update && sudo apt upgrade -y
Step 2: Install Required Dependencies
Install the necessary software such as Apache, MySQL, and PHP:
sudo apt install apache2 mariadb-server php php-mysqli php-gd libapache2-mod-php git unzip -y
Step 3: Start and Enable Apache and MySQL Services
Start the Apache and MySQL services and ensure they run at boot:
sudo systemctl start apache2
sudo systemctl start mariadb
# MariaDB is a popular, open-source relational database management system (RDBMS)
sudo systemctl enable apache2
sudo systemctl enable mariadb
Step 4: Secure the MySQL Installation
Run the following command to secure your MySQL installation:
sudo mysql_secure_installation
Follow the prompts to:
1. Set a root password.
2. Remove anonymous users.
3. Disable remote root login.
4. Remove test databases.
Step 5: Clone the DVWA Repository
Download the DVWA source code from GitHub:
cd /var/www/html
sudo git clone https://github.com/digininja/DVWA.git
Step 6: Set Permissions
Set the correct permissions for the DVWA directory:
sudo chown -R www-data:www-data /var/www/html/DVWA
sudo chmod -R 777 /var/www/html/DVWA
Step 7: Configure DVWA
Navigate to the DVWA configuration file and edit it:
cd /var/www/html/DVWA/config
sudo cp config.inc.php.dist config.inc.php
sudo nano config.inc.php
Update the following lines with your MySQL root credentials:
$_DVWA[ 'db_user' ] = 'root';
$_DVWA[ 'db_password' ] = 'your_mysql_root_password';
$_DVWA[ 'db_database' ] = 'dvwa';
Step 8: Set Up the Database
Log in to MySQL and create the DVWA database:
sudo mysql -u root -p
Run the following SQL commands:
Create a Database:
CREATE DATABASE dvwa;
Create a User and Grant Privileges:
CREATE USER 'user'@'localhost' IDENTIFIED BY 'pass';
GRANT ALL PRIVILEGES ON dvwa.* TO 'user'@'localhost';
FLUSH PRIVILEGES;
List Databases:
SHOW DATABASES;
Exit MariaDB:
EXIT;
Step 9: Restart Services
First enable the two PHP settings DVWA expects, then restart Apache and MySQL so the changes apply.
Open a terminal and change to the PHP configuration directory used by Apache (the version number matches the installed PHP, 7.3 here):
cd /etc/php/7.3/apache2/
ls
sudo gedit php.ini
Change the following settings in php.ini:
allow_url_fopen = On
allow_url_include = On
Save the file, then restart Apache and MySQL:
sudo systemctl restart apache2
sudo systemctl restart mariadb
Step 10: Access DVWA
Open a web browser and navigate to:
http://localhost/DVWA
1. Log in using the default credentials:
○ Username: admin
○ Password: password
2. Navigate to the "Setup" tab and click on "Create / Reset Database".
Step 11: Adjust File Permissions for config Directory
If prompted with a file permissions error, run:
sudo chmod 777 /var/www/html/DVWA/hackable/uploads
sudo chmod 777 /var/www/html/DVWA/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
Step 12: Start Testing
Once the setup is complete, you can adjust the security levels and start practicing ethical
hacking techniques.
Cross-Site Scripting (XSS)
1. Introduction to XSS
Cross-Site Scripting (XSS) is a type of web security vulnerability that allows attackers to inject
malicious scripts into web pages viewed by other users. It typically exploits weaknesses in web
applications where user input is improperly handled.
XSS attacks can be used to steal cookies, session tokens, or sensitive user data, modify
website content, or perform unauthorized actions on behalf of users.
2. Types of XSS Attacks
XSS attacks are categorized into three main types:
2.1. Stored XSS (Persistent XSS)
● The malicious script is permanently stored on the target server (e.g., in a database,
message board, or comment section).
● Whenever a user visits the affected page, the script executes in their browser.
🔹 Example of Stored XSS
<form action="/submit_comment" method="post">
<input type="text" name="comment">
<input type="submit" value="Post Comment">
</form>
Malicious Input:
<script>alert('You have been hacked!');</script>
If the application does not sanitize this input before storing it in a database, every user who
views the comment section will execute the script.
2.2. Reflected XSS (Non-Persistent XSS)
● The attack is reflected off a web application via an HTTP request.
● It usually happens when user input is immediately echoed on the page without proper
validation.
● Attackers typically embed the malicious script in a URL or form submission and trick
users into clicking it.
🔹 Example of Reflected XSS
<form action="search.php" method="get">
<input type="text" name="query">
<input type="submit" value="Search">
</form>
If search.php reflects the input without sanitization, an attacker can craft a URL like:
https://example.com/search.php?query=<script>alert('Hacked!')</script>
When a victim clicks on this link, the script executes.
2.3. DOM-Based XSS
● Occurs when a script modifies the Document Object Model (DOM) dynamically without
proper sanitization.
● The attack happens entirely on the client-side, meaning the malicious script does not
interact with the server.
🔹 Example of DOM-Based XSS
<script>
var search = new URLSearchParams(window.location.search);
document.write("Search results for: " + search.get("query"));
</script>
An attacker can manipulate the URL:
https://example.com/search.html?query=<script>alert('XSS')</script>
Since the JavaScript directly writes the user input into the webpage, it executes the script.
3. Case Studies of XSS Attacks
3.1. MySpace XSS Worm (Samy Worm, 2005)
● The Samy Worm was an XSS-based self-replicating worm that affected MySpace.
● The attacker, Samy Kamkar, embedded malicious JavaScript in his MySpace profile,
which automatically added him as a friend to anyone who viewed it.
● Within 24 hours, over 1 million profiles were infected, leading MySpace to shut down
temporarily.
3.2. Twitter XSS Attack (2010)
● A flaw in Twitter's "onmouseover" event handler allowed attackers to execute JavaScript when users hovered over malicious tweets.
● Attackers posted tweets containing:
<script>alert('XSS')</script>
● This led to automatic retweets and affected thousands of users within minutes.
3.3. British Airways XSS Attack (2018)
● Attackers used XSS vulnerabilities in BA’s website to inject scripts that stole payment
information from users.
● The compromised script intercepted credit card details, affecting 380,000 transactions.
● The attack was linked to Magecart, a group specializing in skimming card details via
injected scripts.
4. Mitigation and Prevention Strategies
4.1. Input Validation & Sanitization
● Always validate user input (e.g., allow only expected characters).
● Use whitelisting instead of blacklisting to define allowed characters.
🔹 Example (Sanitization in PHP)
$comment = htmlspecialchars($_POST["comment"], ENT_QUOTES, "UTF-8");
This converts characters like < into &lt;, preventing script execution.
4.2. Content Security Policy (CSP)
● CSP restricts the execution of scripts from unauthorized sources.
🔹 Example (CSP Header in Apache)
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com;
This prevents execution of external scripts unless they are from trusted sources.
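To see what the policy above actually permits, the following is an added example (not code from the original document or from DVWA): a minimal CSP evaluator that answers, for a given page and script location, whether a browser enforcing the header would run the script. It supports 'self', 'none', 'unsafe-inline' and scheme+host sources such as https://trusted-cdn.com (the page's placeholder CDN); nonces, hashes and wildcards are deliberately out of scope.

```javascript
// Added example, not part of the original document: a minimal evaluator for the
// page's CSP so its effect can be checked offline. Only 'self', 'none',
// 'unsafe-inline' and scheme+host sources are handled.

// The policy from the page; trusted-cdn.com is the page's placeholder host.
const PAGE_POLICY = "default-src 'self'; script-src 'self' https://trusted-cdn.com";

// Split "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;          // trailing ';' leaves an empty part
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression permit a script fetched from scriptUrl?
function sourceMatches(source, scriptUrl, pageOrigin) {
  if (source === "'self'") return scriptUrl.origin === pageOrigin;
  if (source.startsWith("'")) return false;      // 'none', 'unsafe-inline' etc. never match a URL
  try {
    const allowed = new URL(source);             // host source with an explicit scheme
    return allowed.protocol === scriptUrl.protocol && allowed.host === scriptUrl.host;
  } catch (_) {
    return false;                                // not a URL this evaluator understands: deny
  }
}

// Would a browser enforcing `header` on `pageUrl` run a script from `scriptSrc`?
// Pass scriptSrc = null for an inline <script> block.
function scriptAllowed(header, pageUrl, scriptSrc) {
  const policy = parseCsp(header);
  // script-src governs scripts; default-src is the fallback when it is absent.
  const sources = policy["script-src"] !== undefined ? policy["script-src"] : policy["default-src"];
  if (sources === undefined) return true;        // no directive governs scripts at all
  if (scriptSrc === null) return sources.includes("'unsafe-inline'");
  const page = new URL(pageUrl);
  const script = new URL(scriptSrc, page);       // resolves relative paths like "/app.js"
  return sources.some((s) => sourceMatches(s, script, page.origin));
}
```

Two things the evaluator makes visible: an inline script is refused under the page's policy because 'unsafe-inline' is absent, which is exactly why CSP blunts the injected `<script>` payloads in this document even when encoding is missed; and a script loaded over plain http from the CDN is refused because the source expression names https.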
4.3. HTTPOnly and Secure Cookies
● Cookies with sensitive data should have the HTTPOnly and Secure flags to prevent
access via JavaScript.
setcookie("session", "abc123", [
"httponly" => true,
"secure" => true,
"samesite" => "Strict"
]);
This prevents JavaScript from accessing the cookie.
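The flags above are easy to state and easy to forget on one cookie out of many, so the following added example (not code from the original document or from DVWA) builds the Set-Cookie header that the setcookie() call would emit and audits arbitrary Set-Cookie headers for the three recommendations. The sample headers are constructed, not captured from a DVWA install.

```javascript
// Added example, not part of the original document: emit a Set-Cookie header
// with the recommended flags, and audit headers for the ones that are missing.

// Build the header the PHP setcookie() call on the page would emit.
function buildSetCookie(name, value, { httpOnly = true, secure = true, sameSite = "Strict", path = "/" } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("invalid cookie name");
  if (/[;,\s]/.test(value)) throw new Error("cookie value must not contain ';', ',' or whitespace");
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (httpOnly) parts.push("HttpOnly");
  if (secure) parts.push("Secure");
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Parse a Set-Cookie header into its name, value and the attributes audited here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly: false, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    switch (key.trim().toLowerCase()) {
      case "httponly": cookie.httpOnly = true; break;
      case "secure": cookie.secure = true; break;
      case "samesite": cookie.sameSite = val.trim(); break;
      default: break;                              // Path, Expires, Max-Age etc. are not audited
    }
  }
  return cookie;
}

// Report which of the page's three recommendations a header violates.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) findings.push("missing HttpOnly: script on the page can read it via document.cookie");
  if (!c.secure) findings.push("missing Secure: the browser will also send it over plain HTTP");
  if (!c.sameSite || c.sameSite.toLowerCase() === "none") findings.push("SameSite is not Strict or Lax");
  return { name: c.name, findings };
}

// Constructed sample responses: a bare PHP session cookie as a default install
// might send it, and the header buildSetCookie() emits with the page's flags.
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; path=/",
  buildSetCookie("session", "abc123"),
];
```

Running auditCookie() over every Set-Cookie header in a response is a cheap check to add to a test suite or a proxy script; the first sample header produces all three findings, the second none.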
4.4. Use Secure JavaScript APIs
● Avoid using innerHTML, document.write(), or eval().
● Instead, use safe APIs like textContent.
🔹 Example (Safe DOM Manipulation)
var userInput = document.getElementById("user-input").value;
document.getElementById("output").textContent = userInput; // Safe
This prevents script execution.
4.5. Web Application Firewall (WAF)
● A WAF can detect and block XSS attempts based on known attack patterns.
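As an added example of the pattern matching a WAF or log-monitoring rule performs (this is not code from the original document or from any WAF product), the block below scans constructed Apache combined-format access-log lines for the patterns this page discusses: `<script>` tags, inline event handlers such as the "onmouseover" case, and javascript: URLs. The request path is URL-decoded before matching, because the payloads shown on this page reach the server percent-encoded inside the query string. The log lines, IPs and timestamps are constructed, not real traffic.

```javascript
// Added example, not part of the original document: a signature-based detector
// of the kind a WAF or SIEM rule applies, run over constructed access-log lines.

// Signatures for the patterns discussed on this page.
const XSS_SIGNATURES = [
  { name: "script-tag", re: /<\s*script\b/i },
  { name: "event-handler", re: /\bon[a-z]+\s*=/i },
  { name: "javascript-uri", re: /javascript\s*:/i },
];

// Decode %XX and '+' sequences; a malformed encoding falls back to the raw
// string so the line is still inspected rather than silently skipped.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch (_) { return s; }
}

// Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
function parseAccessLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Return a finding for a line whose decoded request matches a signature, else null.
function detectXss(line) {
  const req = parseAccessLine(line);
  if (!req) return null;
  const decoded = safeDecode(req.path);
  const matched = XSS_SIGNATURES.filter((sig) => sig.re.test(decoded)).map((sig) => sig.name);
  return matched.length ? { ip: req.ip, time: req.time, path: req.path, matched } : null;
}

function scanLog(lines) {
  return lines.map(detectXss).filter((finding) => finding !== null);
}

// Constructed sample log lines (not real traffic). The first two carry the
// reflected and DOM payloads shown on this page; the third is a benign search.
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /search.php?query=%3Cscript%3Ealert%28%27Hacked%21%27%29%3C%2Fscript%3E HTTP/1.1" 200 1534 "-" "Mozilla/5.0"',
  '10.0.0.7 - - [10/Mar/2025:12:01:30 +0000] "GET /dvwa/vulnerabilities/xss_d/?default=%3Cscript%3Ealert%28%27DOM+XSS%27%29%3B%3C%2Fscript%3E HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [10/Mar/2025:12:02:15 +0000] "GET /search.php?query=kali+linux HTTP/1.1" 200 1490 "-" "Mozilla/5.0"',
];
```

Two limits are worth keeping in mind when reading the findings. Signatures match only what they were written for, so a rule set like this is telemetry and a stopgap, not a replacement for the output encoding and CSP above. And the event-handler signature will also fire on a harmless parameter such as `?online=1`, so findings need triage rather than automatic blocking.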
Exploiting and Preventing XSS in DVWA (Damn Vulnerable Web Application)
1. Setting Up DVWA
Step 1: Install DVWA
If you haven’t installed DVWA yet, follow these steps:
Using XAMPP (Recommended for Beginners)
1. Download and install XAMPP from Apache Friends.
2. Download DVWA from GitHub.
3. Move the DVWA folder to C:\xampp\htdocs (Windows) or /var/www/html/ (Linux).
4. Start Apache and MySQL in the XAMPP Control Panel.
5. Open your browser and visit: http://localhost/DVWA/
Using Kali Linux (Pre-installed in some versions)
1. Open a terminal and install the necessary dependencies:
sudo apt update && sudo apt install apache2 mariadb-server php php-mysqli git -y
2. Clone the DVWA repository:
sudo git clone https://github.com/digininja/DVWA.git /var/www/html/dvwa
3. Set proper permissions:
sudo chmod -R 777 /var/www/html/dvwa
4. Restart Apache and MySQL:
sudo systemctl restart apache2
sudo systemctl restart mariadb
5. Open your browser and visit: http://localhost/dvwa/
2. Logging into DVWA
1. Log in with the default credentials:
Username: admin
Password: password
2. Navigate to DVWA Security Settings and set the security level to Low.
3. Exploiting XSS Vulnerabilities
3.1. Stored XSS Attack
Target: The Guestbook page.
Steps to Perform:
1. Navigate to XSS (Stored) in DVWA.
2. In the Name or Message field, enter:
<script>alert('Hacked! This is Stored XSS');</script>
3. Click Sign Guestbook and refresh the page.
4. The JavaScript executes every time the page is loaded, affecting all users.
Real-World Impact:
● Attackers can inject keyloggers, steal cookies, or redirect users to malicious websites.
3.2. Reflected XSS Attack
Target: The Search Box.
Steps to Perform:
1. Navigate to XSS (Reflected) in DVWA.
2. In the Search box, enter:
<script>alert('Reflected XSS Attack!');</script>
3. Click Submit.
4. The script executes immediately as the page reflects input without sanitization.
Real-World Impact:
● Hackers can send malicious URLs to users via phishing emails.
3.3. DOM-Based XSS Attack
Target: The DOM-based XSS page.
Steps to Perform:
1. Navigate to XSS (DOM) in DVWA.
2. Modify the URL in your browser:
http://localhost/dvwa/vulnerabilities/xss_d/?default=<script>alert('DOM XSS');</script>
3. Press Enter and see the alert box.
Real-World Impact:
● Attackers can manipulate web pages without server interaction, making detection
harder.
4. Preventing XSS in DVWA
Now, let’s secure the application by implementing proper security measures.
4.1. Input Validation & Sanitization
● Modify the DVWA source code to sanitize user inputs.
🔹 Fixing Stored XSS in PHP (File: vulnerabilities/xss_s/xss_s.php)
<?php
$comment = htmlspecialchars($_POST["comment"], ENT_QUOTES, "UTF-8");
?>
🔹 Fixing Reflected XSS in PHP
<?php
$query = htmlspecialchars($_GET["query"], ENT_QUOTES, "UTF-8");
?>
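Both sanitization sections of this page (4.1 under Mitigation and Prevention Strategies, and 4.1 here) rest on the same htmlspecialchars() call, so one added example serves both. The block below is not code from the original document or from DVWA: it is a JavaScript port of htmlspecialchars($s, ENT_QUOTES, "UTF-8"), an allow-list validator of the kind the page's "whitelisting" advice calls for, and a renderer that applies them to the stored-XSS payload from the walkthrough above. The field names name and message are assumptions; DVWA's own form field names are not given on the page.

```javascript
// Added example, not part of the original document: output encoding and
// allow-list validation for a guestbook entry.

// PHP's ENT_QUOTES table: the five characters that can break out of HTML text
// or out of a quoted attribute value.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };

function htmlSpecialChars(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list validation: accept only what a name legitimately needs (letters,
// digits, space, period, apostrophe, hyphen, at most 64 characters). Anything
// else is rejected outright rather than "cleaned".
const NAME_ALLOWED = /^[A-Za-z0-9 .'-]{1,64}$/;

function validateName(name) {
  return NAME_ALLOWED.test(name);
}

// Render one guestbook entry. Validation rejects hostile names; output encoding
// makes whatever reaches the message text inert inside HTML.
function renderComment(name, message) {
  if (!validateName(name)) throw new Error("name rejected by allow-list");
  return `<p><b>${htmlSpecialChars(name)}</b>: ${htmlSpecialChars(message)}</p>`;
}

// The payload from the stored-XSS walkthrough, as the input a user would submit.
const STORED_PAYLOAD = "<script>alert('Hacked! This is Stored XSS');</script>";
```

Note the context caveat that the PHP one-liners do not state: htmlspecialchars() is the right encoder for HTML text and for quoted attribute values, which is where DVWA's guestbook and search pages place the input. Data written into a JavaScript block, a URL, or an unquoted attribute needs an encoder for that context, and the DOM-based case on this page is fixed on the client with textContent rather than with server-side encoding.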
4.2. Implementing Content Security Policy (CSP)
Add the following CSP header in config.inc.php:
header("Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com;");
4.3. Using HTTPOnly and Secure Cookies
Modify the cookie settings in dvwa/includes/dvwaPage.inc.php:
setcookie("session", "secure_session", [
"httponly" => true,
"secure" => true,
"samesite" => "Strict"
]);

Unit 1 DVWA (Damn Vulnerable Web Application).docx
