Our Scenarios


XVWA - DOM-based Cross-Site Scripting (XSS)

This lab shows step-by-step how to identify and exploit a DOM-based Cross-Site Scripting (XSS) vulnerability on the Xtreme Vulnerable Web Application (XVWA) to gain unauthorized access to other user accounts.

XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. The idea is to evangelize web application security to the community in possibly the easiest and fundamental way. Learn and acquire these skills for good purpose.

Why are Cross-Site Scripting (XSS) important?

XSS is one of the most prevalent type of weaknesses found in the wild. Even in 2019, XSS is considered a major threat vector. According to HackerOne, XSS was the most common vulnerability type discovered by hackers using their platform from 2013 to 2017. The consequences of a successful XSS attack vary depending on the nature and sensitivity of the data handled by the affected web application.

What you will learn?

  • What is DOM-based XSS.
  • How to identify DOM-based XSS vulnerabilities.
  • How to exploit a DOM-based XSS vulnerability to gain unauthorized access to other user accounts.

Technical Details

  • This scenario contains one virtual machine.
  • VPN Connection Required: Optional
  • This lab can be completed by either connecting to the CR VPN or by simply utilizing the Web Proxy feature.
  • The examples demonstrated throughout this scenario are based on Linux.

Scenario Pre-requisites

In order to benefit from this scenario it is recommended you have competence in the following areas: 1. Basic understanding of the HTTP protocol 2. How web applications work behind the scenes 3. Basic understanding of JavaScript 4. How to use an HTTP Intercepting Proxy 5. Basic understanding of the Document Object Model (DOM). For more information, please refer to the following resources: - https://bitsofco.de/what-exactly-is-the-dom/ - https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model/Introduction 6. Basic Linux command line knowledge

About the Author

Marios holds a BSc Computer Science degree from Northumbria University and an MSc degree in Cyber Security from the University of York. He is one of the OWASP Cyprus Chapter Leaders and he is passionate about web application security. He likes to spend his free time mastering his backgammon skills.