Reflected and Persistent XSS Guide

Once again we will be using DVWA to demonstrate two basic XSS attacks. If you missed the article explaining SQL Injection, you can check it out here.

Basic XSS guide

Before we begin, it should be mentioned that many times web developers put a limit on the characters that can be inputted in an input-box (e.g. in an X login input-box the maximum characters that can be inserted are 16). In a situation like that, in order to test our scripts, no matter if the attack is a SQL injection or XSS, we need to interact with the website’s source code locally. A useful tool for that is firebug for Firefox. As you can see on the picture below, the number of characters that fit on the “Message” input-box has been changed from 50 to 500. This means that now we are able to input scripts up to 500 characters long.

The most common way to find if there is an XSS vulnerability is to try the “<script>alert(“Hello World”)</script>” alert script, on an input-box. The script creates a JavaScript alert message, provided that there is XSS vulnerability, which pop-up in your screen. Note that this won’t work in Chrome so you should use another browser.xss2

Reflected XSS

Reflected XSS vulnerability is by far the most common type. In simple words, what it does is to execute the script that we insert, locally in our browser. But how can we take advantage of this? For our first attack we’ll input in the “Message” input-box a html script “<img src= “”> which (locally) inserts the  “” image on the input-box. As you can see on the picture below, the script has been added in the URL. I could send that URL to a victim, his browser would execute the same script since it’s provided in the URL and he would get the same results. Now, what if instead of that “img src” I had used a malicious URL link? Or what if I had used a script that grabs your cookies and sends them to me? 🙂  xss3

Advantages and Disadvantages

The advantage is that the scripts are executed locally in our browsers, which means you leave no traces. Shorten link tools can be used to hide the script from URL.

The disadvantage is that as soon as the victim opens your (shorten) link the full URL (included the  script) is visible. You need some social engineering skills to fully succeed with this one.

Stored XSS

Stored or Persistent XSS attack is similar to  the Reflected, but in this case our scripts are stored in the websites database. This can occur when a vulnerable input-box inserts data in a database (e.g. in a register form). For our example we’ll use a simple script  “<iframe src=””></iframe>”  which will add a frame with the URL “”. As you can see on the picture below, the URL hasn’t change, which means that every single visitor of the legitimate page will be presented with the frame that we’ve added.

Advantages and Disadvantages

This kind of attack can be proven very devastating. It can be used for massive phishing attacks, cookie grabbing, installation of viruses, take control of the website’s visitors, even  take control over the web server itself, etc etc. An example, with a small help from  tools such as Metasploit and BeeF, stored XSS allows you to create your own army of bots, which can used for ddos attacks.

The biggest disadvantage is that you interact with the web server since you insert data, which means that you leave traces.

Once again, if you have any questions feel free to leave a comment, contact us or even contact me directly.

Tagged , , , . Bookmark the permalink.

Comments are closed.