Setup pentesting lab for xss vulnerabilities on Kali linux.
Websites have become a common target for attackers. The attackers most likely containing personal identifying information to obtain access to confidential information is relatively simple to take advantage of the weaknesses.
So, if you are new to Hacking and Pentesting and you want to practice your skills, you might have one or most of these issues:
today i will explain how to setup pentest lab for exploit xss vulnerabilities.
What will you need:
- A laptop running kali linux
- Virtualbox or Vmware(you can download which you like)
- A Vulnerable web app(http://www.dvwa.co.uk/)
So lets start!!!
- fire up kali linux,
- install and Configure Virtual box on kali linux describe here
- setup xampp on windows running on virtualbox.
- Setup DVWA on kali linux, tutorial is here
if you all setup these things then move on next step:
this tutorial on stored xss vulnerabilities, lets hook victim browser with beef.
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
open terminal start apache:
“service apache2 start”
start mysql server:
“service mysql start”
start up beef
copy hooks.js link location
Go to 127.0.0.1/DVWA
setup DVWA securities as low.
go to stored xss and inject your malicious script here:(hook.js)
now every your who visit on 127.0.0.1/Dvwa and click on stored xss, beef hook their browser.
to do so:
open virtual box start xampp
start apache and mysql
click on stored xss
you will see that beef showing a online browser running on winddows
thats your victim browser, you SURMOUNT this browser, now you have many option to do:
- inject a fake page on victim browser
- Session hijecking
- View visited history
- and many more
Video tutorial is here .