OWASP Exercises: Cross-Site Scripting Attack

Developed with
QA

Lab Steps

lock
Load the Virtual Machines (Kali & Metasploitable)
lock
Access the DVWA website
lock
Set DVWA security to "Low"
lock
Conducting a simple Reflected XSS attack
lock
Stealing a Session Cookie

The hands-on lab is part of these learning paths

Ready for the real environment experience?

DifficultyIntermediate
Time Limit1h
Students496
Ratings
3.7/5
starstarstarstar-halfstar-border

Description

Cross-Site Scripting Attacks, better known as XSS Attacks, are where an attacker sends malicious code through a trusted web site. The malicious code is sometimes a script (such as a JavaScript snippet) and it's sent through input fields located on the website.

In this lab, you will conduct an XSS attack through a DVWA (Damn Vulnerable Web Application) and exploit a vulnerability to hijack a user's browser session cookie.

Learning Objectives

Upon completion of this lab, you will be able to:

  • Navigate through DVWA to perform an XSS attack to retrieve a session cookie

Intended Audience

This lab is intended for:

  • Individuals who want to learn how to perform XSS attacks through websites
  • Security engineers who want to understand the security level of their websites to avoid XSS attacks
  • People who want to know how an XSS attack can be performed

Prerequisites

This lab has no prerequisites.

Updates

September 21st, 2021 - Updated HyperV VMs to not used save state to avoid an issue with Azure VMs in the same SKU not all having the same processor features

September 7th, 2021 - Upgraded underlying disk, and Kali Hyper-V VM configuration for improved performance

September 2nd, 2021 - Advised macOS students to download the official RDP client from the App Store

August 30th, 2021 - Include Remote Desktop connection details for those preferring to use their local Remote Desktop client to connect

July 9th, 2020 - Enabled direct browser RDP connection for a streamlined experience

Environment before
PREVIEW
arrow_forward
Environment after
PREVIEW
About the Author
Students3185
Labs6
Courses1
Learning paths3

Richard Beck is Director of Cyber Security at QA. He works with customers to build effective and successful security training solutions tailored for business needs. Richard has over 15 years' experience in senior Information Security roles. Prior to QA, Richard was Head of Information Security for an organization that underpins 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts in the Defence, Financial Services, and HMG. Richard sits on a number of security advisory panels and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI). Richard is also a STEM Ambassador working to engage and enthuse young people in the area of cybersecurity. Providing a unique perspective on the world of cybersecurity to teachers and encourage young people to consider a career in cybersecurity.