Learn Web Hacking 2.01 XSS Lab

in #hack, 6 years ago

Hi everyone,

In this article, I want to show you how to set up a lab to test and learn about Cross-site scripting attacks. I did a small overview of XSS in a previous post (https://steemit.com/hack/@pierlave/learn-web-hacking-2-00-xss-intro) so now let's get started!

Here is the environment I will set up.

My host machine is Windows 10.
On Windows, I installed VirtualBox (https://www.virtualbox.org/) to virtualise another machine and work on it.

The machine I use in VirtualBox is Windows 7.
In Windows 7 I installed:
XAMPP version win32-7.2.2-0-VC15.
Mutillidae version 2.6.57.
WebGoat 8.
Burp Suite Community Edition v1.7.32.

I will show you how to install XAMPP so you can host a web platform to test XSS attacks.

First you need to go to https://www.apachefriends.org/fr/index.html and download XAMPP.
On Windows, you just download and run the installer.

[image: xampp install.png]

Once it is installed, you open the control panel and start Apache and MySQL. XAMPP is now ready!

[image: xampp controlpanel.png]

I will show you how to install Mutillidae. Mutillidae is an OWASP project for practising web attacks. Go to https://sourceforge.net/projects/mutillidae/ and download it.

Once downloaded, take the Mutillidae folder and copy it inside the htdocs folder of your XAMPP folder.


Then browse to it on localhost; Mutillidae is now ready!


To install WebGoat, it's the same procedure as for Mutillidae.
Go to https://github.com/WebGoat/WebGoat and place the folder inside the htdocs folder of your XAMPP folder.


Browse to localhost:8080/WebGoat/login.mvc to see the login page!


Burp Suite is a proxy you can use to intercept, analyse and modify requests. To install Burp, browse to https://portswigger.net/burp and download the Community Edition. Run the file and follow the instructions.


Because Burp is a proxy, I configure my browser to send its requests through Burp. I normally use the FoxyProxy add-on (in Firefox).


Burp is listening on localhost port 8080. I want to configure FoxyProxy to send my browser's requests to Burp on this port. Note that WebGoat above also answers on port 8080, so if both run on the same machine, one of them has to be moved to a different port before this works.



Start the interceptor in Burp to see if you can intercept requests!
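As an added example (not part of the original post, and not code from Mutillidae or WebGoat), here is a small target page you can drop into the same XAMPP htdocs folder. It reflects a query parameter once unsafely and once with output encoding, so you can compare the two responses in Burp and see exactly what the fix changes. The file name and parameter names are my own choice.

```php
<?php
// xss_lab.php - constructed lab page for the XAMPP setup above (not from Mutillidae/WebGoat).
// Save as htdocs/xss_lab.php and open http://localhost/xss_lab.php?name=test&mode=safe
// mode=unsafe reflects the parameter verbatim; mode=safe HTML-encodes it first.

declare(strict_types=1);

// Read the query parameters; defaults keep the page working with no input at all.
$name = $_GET['name'] ?? 'world';
$mode = $_GET['mode'] ?? 'safe';

function render_unsafe(string $value): string
{
    // Deliberately vulnerable: untrusted input is concatenated straight into HTML.
    // This is the pattern to recognise (and fix) when reviewing code.
    return '<p>Hello, ' . $value . '!</p>';
}

function render_safe(string $value): string
{
    // Hardened: encode for the HTML body context. ENT_QUOTES also encodes ' and ",
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p>Hello, ' . $encoded . '!</p>';
}

header('Content-Type: text/html; charset=UTF-8');
// Optional second layer for the lab: with this header enabled, the browser refuses
// inline scripts even in unsafe mode, which is useful for comparing behaviour in Burp.
// header("Content-Security-Policy: default-src 'self'");

$body = ($mode === 'unsafe') ? render_unsafe($name) : render_safe($name);
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><title>XSS lab page</title></head>
<body>
<?= $body ?>
<p>Mode: <?= htmlspecialchars($mode, ENT_QUOTES, 'UTF-8') ?></p>
<p><a href="?name=<?= rawurlencode($name) ?>&amp;mode=unsafe">unsafe</a> |
   <a href="?name=<?= rawurlencode($name) ?>&amp;mode=safe">safe</a></p>
</body>
</html>
```

With Burp intercepting, request the same name in both modes and diff the two responses: the only difference is the encoding applied in render_safe.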


Our lab is now ready for learning! In the next article, I will show you some XSS attacks!

The information provided on hacking is to be used for educational purposes only. The creator is in no way responsible for any misuse of the information provided. All the information provided is meant to help the reader develop a hacker defence attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. The word "Hacking" should be regarded as "Ethical hacking". You implement the information given at your own risk.


