OWASP Exercises: Cross-Site Scripting Attack
Description
Cross-Site Scripting attacks, better known as XSS attacks, are attacks in which an attacker delivers malicious code through a trusted web site. The malicious code is sometimes a script (such as a JavaScript snippet), and it is sent through input fields on the website, from where the site reflects it back to other users' browsers.
In this lab, you will conduct an XSS attack against DVWA (Damn Vulnerable Web Application) and exploit a vulnerability to hijack a user's browser session cookie.
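The two sides of what this lab exercises, as an added example that is not part of the lab page or of DVWA itself: an input field reflected straight into the page (the vulnerable form) beside the same page with output encoding, plus the cookie flags that keep a stolen page from also yielding the session cookie. Function names, the sample input and the PHPSESSID cookie name are assumptions for illustration.

```python
"""Added example (not from the lab page or DVWA): a reflected-XSS sink,
its output-encoded form, and session-cookie hardening."""
import html
import re

# Constructed sample input: a visitor's "name" field that carries markup.
UNTRUSTED_NAME = "Alice<script>alert('hi')</script>"


def render_vulnerable(name: str) -> str:
    """Reflects the input field straight into the HTML, the pattern the
    lab exploits: any markup in 'name' becomes live HTML in the browser."""
    return "<p>Hello " + name + "</p>"


def render_hardened(name: str) -> str:
    """Same page with output encoding: '<', '>', '&' and quotes become
    entities, so the browser displays the text instead of executing it."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Set-Cookie header for the session cookie (PHPSESSID is assumed as
    the name). HttpOnly stops document.cookie from exposing the value to
    script, so even a successful injection cannot read the session id."""
    flags = ["HttpOnly", "SameSite=Lax"]
    if secure:
        flags.append("Secure")  # only sent over HTTPS
    return "Set-Cookie: PHPSESSID=%s; Path=/; %s" % (session_id, "; ".join(flags))


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(page: str) -> bool:
    """Cheap check: does the rendered page still carry an unescaped
    <script> tag that a browser would execute?"""
    return _SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    print(render_vulnerable(UNTRUSTED_NAME))
    print(render_hardened(UNTRUSTED_NAME))
    print(session_cookie_header("constructed-session-id"))
```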
Learning Objectives
Upon completion of this lab, you will be able to:
- Navigate through DVWA to perform an XSS attack to retrieve a session cookie
Intended Audience
This lab is intended for:
- Individuals who want to learn how to perform XSS attacks through websites
- Security engineers who want to understand the security level of their websites to avoid XSS attacks
- People who want to know how an XSS attack can be performed
Prerequisites
This lab has no prerequisites.
Updates
September 21st, 2021 - Updated the Hyper-V VMs to not use saved state, to avoid an issue where Azure VMs in the same SKU did not all have the same processor features
September 7th, 2021 - Upgraded the underlying disk and the Kali Hyper-V VM configuration for improved performance
September 2nd, 2021 - Advised macOS students to download the official RDP client from the App Store
August 30th, 2021 - Included Remote Desktop connection details for those preferring to use their local Remote Desktop client to connect
July 9th, 2020 - Enabled direct browser RDP connection for a streamlined experience