
LAB 14

Reflected Cross Site Scripting

1. Introduction
Cross-Site Scripting (XSS) is one of the most popular attack techniques in use today and has been listed for years as one of the most dangerous attacks against web applications. The technique is based on injecting malicious scripts into the source code of the web application (the pages it serves); the injected JavaScript snippets then run in the victim's browser and can be used to take advantage of the user's login session.
Reflected XSS is the most common form of XSS (up to 75% of XSS attacks are based on Reflected XSS). With Reflected XSS, the attacker does not send malicious data to be stored in the website's database; instead, a malicious link is sent directly to the user, and when the user clicks the link, the site is loaded together with the malicious script. There are many ways to exploit Reflected XSS; one of the best known is hijacking the user's session, which gives access to the user's data and to their privileges on the website.
2. Preparation
- A computer running the Windows operating system. The firewall on the system must be disabled.
- The MySQL management tool phpMyAdmin: https://www.phpmyadmin.net/downloads/
- XAMPP, downloaded from the following link: https://downloadsapachefriends.global.ssl.fastly.net/xampp-files/5.6.31/xampp-win32-5.6.31-0-VC11-installer.exe?from_af=true
- DVWA, downloaded from the following link: http://www.dvwa.co.uk/
- Browser software: Chrome, Firefox 10.0; 7zip; Notepad++.

3. Implementation steps
- Start XAMPP and browse to 192.168.0.103/DVWA. Log in with user: admin, password: password. 192.168.0.103 is the IPv4 address of the machine running DVWA on localhost.

- After logging in to DVWA, choose DVWA Security.

- Select Low and submit.

- Then select XSS (Reflected).

- Insert the code <script>alert(1)</script> and submit.

- A message window appears showing the number 1, produced by the code we just submitted.

- Insert another code to get the user's cookie: <script>alert(document.cookie)</script>

- A message window pops up with the user's cookie, as in the picture.
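The steps above show why the Low security level of DVWA pops the alert: the value typed into the form is echoed back into the HTML response unchanged. The following Python sketch is an added example, not part of this lab and not DVWA's own code; it models that reflection with a constructed query string, shows the hardened version that HTML-encodes the value before reflecting it, and includes a small check that a tester can use to confirm the fix. The function names, the "name" parameter and the "<pre>Hello ...</pre>" page layout are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs


def get_name_param(query_string: str) -> str:
    """Pull the 'name' parameter out of a raw query string.

    Hypothetical helper standing in for PHP's $_GET['name'];
    parse_qs also percent-decodes the value, as a web server would.
    """
    params = parse_qs(query_string)
    return params.get("name", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Model of the Low-security page: the parameter is concatenated
    straight into the HTML, so <script> tags in it become real markup."""
    name = get_name_param(query_string)
    return "<pre>Hello " + name + "</pre>"


def render_hardened(query_string: str) -> str:
    """Same page with output encoding: html.escape turns < > & " ' into
    entities, so the browser renders the value as text, not as a tag."""
    name = get_name_param(query_string)
    return "<pre>Hello " + html.escape(name, quote=True) + "</pre>"


def reflects_unescaped_markup(response: str, payload: str) -> bool:
    """Regression check: does the raw payload survive in the response
    exactly as submitted?  True means the page is still reflecting markup."""
    return payload in response


if __name__ == "__main__":
    # Constructed input: the first payload used in the lab, URL-decoded.
    lab_payload = "<script>alert(1)</script>"
    query = "name=" + lab_payload

    vulnerable_page = render_vulnerable(query)
    hardened_page = render_hardened(query)

    print("vulnerable:", vulnerable_page)
    print("hardened:  ", hardened_page)
    print("still reflects markup (vulnerable):",
          reflects_unescaped_markup(vulnerable_page, lab_payload))
    print("still reflects markup (hardened):  ",
          reflects_unescaped_markup(hardened_page, lab_payload))
```

In the hardened output the payload is reflected as `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays literally, so neither alert in the lab would fire. Encoding must match the output context (HTML body here; attribute, JavaScript and URL contexts each need their own encoder), and it should be applied at the point of output rather than by trying to filter input. Independently of this fix, marking the session cookie HttpOnly keeps it out of document.cookie, which limits what the second payload in the lab could read even if a reflection is missed.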
