hands-on lab

OWASP Exercises: Cross-Site Scripting Attack

Difficulty: Intermediate
Duration: Up to 1 hour
Students: 973
Rating: 3.7/5
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.

Description

Cross-Site Scripting Attacks, better known as XSS Attacks, are where an attacker sends malicious code through a trusted web site. The malicious code is sometimes a script (such as a JavaScript snippet) and it's sent through input fields located on the website.

In this lab, you will conduct an XSS attack through a DVWA (Damn Vulnerable Web Application) and exploit a vulnerability to hijack a user's browser session cookie.

Learning Objectives

Upon completion of this lab, you will be able to:

  • Navigate through DVWA to perform an XSS attack to retrieve a session cookie

Intended Audience

This lab is intended for:

  • Individuals who want to learn how to perform XSS attacks through websites
  • Security engineers who want to understand the security level of their websites to avoid XSS attacks
  • People who want to know how an XSS attack can be performed

Prerequisites

This lab has no prerequisites.

Updates

September 21st, 2021 - Updated HyperV VMs to not used save state to avoid an issue with Azure VMs in the same SKU not all having the same processor features

September 7th, 2021 - Upgraded underlying disk, and Kali Hyper-V VM configuration for improved performance

September 2nd, 2021 - Advised macOS students to download the official RDP client from the App Store

August 30th, 2021 - Include Remote Desktop connection details for those preferring to use their local Remote Desktop client to connect

July 9th, 2020 - Enabled direct browser RDP connection for a streamlined experience

Environment before

Environment after

Covered topics

Lab steps

Load the Virtual Machines (Kali & Metasploitable)
Access the DVWA website
Set DVWA security to "Low"
Conducting a simple Reflected XSS attack
Stealing a Session Cookie