
Assignment No : 3

SQL Injection & XSS Attacks


Configuration:
• Kali Linux from https://www.osboxes.org/kali-linux/#kali-linux-2017-03-vmware installed on VirtualBox
• Followed https://www.YouTube.com/watch?v=SpCdF1n48sk to install and configure DVWA

Surbhi Vasudeva
Akshay Bhope
Set DVWA’s script security to “Low” and perform the following exploits:

• Perform a SQL injection attack and retrieve the list of users in the user database
• Perform a reflected XSS attack (payload is your choice; I’d recommend just popping up a
JavaScript alert)

Submit answers to the following questions before the due date:

Describe the SQLi attack you used, how did you cause the user table to be dumped? What
was the input string you used?

SQL injection is a web security vulnerability in which attackers can interfere with the queries
that an application sends to its database based on input from the user interface. Using this
vulnerability, attackers can retrieve data that they are not intended to see. In certain cases,
attackers can even modify or delete data, or make other permanent changes.

Click on SQL Injection on the left and then enter the user id as %' or '0'='0.

The SQL query could be SELECT first_name, last_name FROM users WHERE user_id = '';
on supplying the input string %' or '0'='0, the SQL statement becomes SELECT first_name,
last_name FROM users WHERE user_id = '%' or '0'='0';
So, it returns the first name and last name values for every row. The comparison user_id = '%'
is false, because % is not equal to any user id. On the other hand, '0'='0' is always true, so the
OR condition as a whole is true for every row in the table.
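
The effect of that input string on the query, as an added example that is not part of the original assignment: a Python/SQLite sketch showing the concatenated query next to a parameterized one. The sample rows, the function names, and the use of SQLite instead of DVWA's own PHP/MySQL code are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for DVWA's users table.
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]

def make_db():
    """Build an in-memory database with a small users table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return db

def lookup_concatenated(db, user_id):
    # Vulnerable pattern: the input is pasted between the quotes, so a quote
    # inside the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT first_name, last_name FROM users "
           "WHERE user_id = '" + user_id + "';")
    return sql, db.execute(sql).fetchall()

def lookup_parameterized(db, user_id):
    # Hardened pattern: the driver binds the input as a single value. It is
    # compared against user_id as data and is never parsed as SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?;"
    return sql, db.execute(sql, (user_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "%' or '0'='0"  # input string from the write-up above
    for fn in (lookup_concatenated, lookup_parameterized):
        for value in ("1", payload):
            sql, rows = fn(db, value)
            print(f"{fn.__name__}({value!r})")
            print("  query:", sql)
            print("  rows: ", rows)
```

With the concatenated query the input string returns every row; with the bound parameter it matches no user id and returns nothing.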

Reference :
1. https://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVWAv107/lesson6/index.html
2. https://sechow.com/bricks/docs/login-1.html

If you switch the security level in DVWA to “Medium”, does the SQLi attack still work?
No, we were not able to perform the attack: on changing the DVWA security level to medium,
it just offered a dropdown to select the user by id ranging 1-5, and on selecting a particular number,
we were able to see the first name and last name.
However, we were able to get the user details one by one, if not all at once.

Describe the reflected XSS attack you used; how did it work?

We set the DVWA security to low, then launched XSS Reflected.

On simply writing the text, the application will display it as below:

Instead of normal text, we then entered <script>alert("This is an XSS Attack")</script> and
were able to see the alert as below. This was not at all the intention of the web developer, so an
attacker can simply exploit this vulnerability.
Reflected XSS arises when an application receives data in an HTTP request and
includes that data in the immediate response in an unsafe way. In this case, the
attacker's payload must be part of the request that is sent to the web server. It is reflected
so that the HTTP response includes the payload from the HTTP request. It is a non-persistent
type of attack: the payload is not permanently stored. When the payload is entered, the dialog
box pops up. The attacker can set any JavaScript alert, which is then shown to the victim. The
payload is sent to the web application, reflected in the web server's response, and executed
client-side by the victim's web browser.

References :

1. https://medium.com/@Tanmay_Bhattacharjee/cross-site-scripting-xss-dvwa-damn-vulnerable-web-applications-36808bff37b3

If you switch the security level in DVWA to “Medium”, does the XSS attack still work?

On setting the security level in DVWA to “Medium”, the XSS attack did not work for us.
It simply displayed the alert statement.
