In this article, I want to show you how to set up a lab to test and learn about Cross-site scripting attacks. I did a small overview of XSS in a previous post (https://steemit.com/hack/@pierlave/learn-web-hacking-2-00-xss-intro) so now let's get started!
Here is the environment I will set in place.
My host machine will be windows10
In Windows, I installed VirtualBox (https://www.virtualbox.org/) to virtualise another machine and work on it.
The machine I used in VirtualBox is Windows7.
In Windows7 I installed :
XAMPP version win32-7.2.2-0-VC15.
Mutilidae version 2.6.57.
Bursuite community edition v1.7.32.
I will show you how to install XAMPP so you can host a web platform to test XSS attacks.
First you need to go to https://www.apachefriends.org/fr/index.html and download XAMPP.
In windows, you just download and executed the file.
Once it is installed, you open the control panel and start Apache and MySQL. XAMPP is now ready!
I will show you how to install Mutilidae. Mutilidae is an OWASP project to practice web attacks. Go to https://sourceforge.net/projects/mutillidae/ and download it.
Once downloaded, take the Mutilidae folder and copie it inside htdocs folder in XAMPP folder.
Then browse to 127.0.0.1/mutilidae/index.php. Mutilidae is now ready!
To install Webgoat, it's the same procedure than Mutilidae.
Go to https://github.com/WebGoat/WebGoat and place the folder inside htdocs folder in XAMPP folder.
Browse to localhost:8080/WebGoat/login.mvc to see the login page!
Burpsuite is a proxy you can use to intercept/analyse and modify requests. To install Burp, browse to https://portswigger.net/burp and download the community edition. Run the file and follow the instructions.
Because burp is a proxy I like to configure my browser to send the request to burp. I normally use FoxyProxy addon (in firefox).
Burp is listening on localhost port 8080. I want to configure FoxyProxy to send my browser's requests to burp on this port.
Start the interceptor in Burp to see if you can intercept requests!
Our lab is now ready for learning! In the next article, I will show you some XSS attacks!
The information provided on hacking is to be used for educational purpose only. The creator is in no way responsible for any misuse of the information provided. All the information provided is meant to help the reader develop a hacker defense attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. The word "Hacking" should be regarded as "Ethical hacking". You implement the information given at your own risk