LAB 15

Stored Cross Site Scripting

1. Introduction
Stored XSS is a form of hacker attack that directly inserts malicious code
into the website's database. This type of attack occurs when the data sent to the
server is not thoroughly tested but is stored directly in the database. When users
visit this site, malicious scripts will be executed along with the site loading
process. For example comments form, comments on the site

2. Preparation
- Computer running windows operating system. Require to disable the firewall on
the system.
- The source code management mysql - phpmyadmin
https://www.phpmyadmin.net/downloads/
- XAMPP download by following link:
https://downloadsapachefriends.global.ssl.fastly.net/xampp-files/5.6.31/xampp-
win32-5.6.31-0-VC11-installer.exe?from_af=true
- DVWA download the following link:
http://www.dvwa.co.uk/
- The browser software chrome, firefox 10.0, 7zip, Notepadd ++.

3. Implementation steps
- Turn on xampp and go to 192.168.0.103/DVWA and login with user: admin.
pass: password. Here 192.168.0.103 is the ipv4 machine running dvwa on localhost
- After login, we choose dvwa security

- Select low and submit

 - Select XSS ( Stored )

- in the name field fill in any information.

- message box, insert the code: <script> alert (1) </ script> and submit
- We see a message window pop up 1 because of the script we insert

- Click to Home to dvwa's home page

- Click again on XSS (Stored)
- And we see that it still pop up window message window 1 because the script you
inserted has been saved

- We will insert another script to get admin's cookie.

- Any field name fill.
- Field message: <script> alert (document.cookie) </ script> And submit

- We see a message window showing the admin cookie

- Click Home to dvwa home page

- Click XSS (Stored)
- And we still see the message should contain the admin cookie as in the image
inserted by the script has been saved in the system.