first commit

dvwa/vulnerabilities/xss_r/help/help.php

@@ -0,0 +1,57 @@
+<div class="body_padded">
+	<h1>Help - Cross Site Scripting (Reflected)</h1>
+
+	<div id="code">
+	<table width='100%' bgcolor='white' style="border:2px #C0C0C0 solid">
+	<tr>
+	<td><div id="code">
+		<h3>About</h3>
+		<p>"Cross-Site Scripting (XSS)" attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites.
+			XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script,
+			to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application using input from a user in the output,
+			without validating or encoding it.</p>
+
+		<p>An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted,
+			and will execute the JavaScript. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other
+			sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.</p>
+
+		<p>Because its a reflected XSS, the malicious code is not stored in the remote web application, so requires some social engineering (such as a link via email/chat).</p>
+
+		<br /><hr /><br />
+
+		<h3>Objective</h3>
+		<p>One way or another, steal the cookie of a logged in user.</p>
+
+		<br /><hr /><br />
+
+		<h3>Low Level</h3>
+		<p>Low level will not check the requested input, before including it to be used in the output text.</p>
+		<pre>Spoiler: <span class="spoiler">?name=&lt;script&gt;alert("XSS");&lt;/script&gt;</span>.</pre>
+
+		<br />
+
+		<h3>Medium Level</h3>
+		<p>The developer has tried to add a simple pattern matching to remove any references to "&lt;script&gt;", to disable any JavaScript.</p>
+		<pre>Spoiler: <span class="spoiler">Its cAse sENSiTiVE</span>.</pre>
+
+		<br />
+
+		<h3>High Level</h3>
+		<p>The developer now believes they can disable all JavaScript by removing the pattern "&lt;s*c*r*i*p*t".</p>
+		<pre>Spoiler: <span class="spoiler">HTML events</span>.</pre>
+
+		<br />
+
+		<h3>Impossible Level</h3>
+		<p>Using inbuilt PHP functions (such as "<?php echo dvwaExternalLinkUrlGet( 'https://secure.php.net/manual/en/function.htmlspecialchars.php', 'htmlspecialchars()' ); ?>"),
+			its possible to escape any values which would alter the behaviour of the input.</p>
+	</div></td>
+	</tr>
+	</table>
+
+	</div>
+
+	<br />
+
+	<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)' ); ?></p>
+</div>

dvwa/vulnerabilities/xss_r/index.php

@@ -0,0 +1,66 @@
+<?php
+
+define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
+require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
+
+dvwaPageStartup( array( 'authenticated', 'phpids' ) );
+
+$page = dvwaPageNewGrab();
+$page[ 'title' ]   = 'Vulnerability: Reflected Cross Site Scripting (XSS)' . $page[ 'title_separator' ].$page[ 'title' ];
+$page[ 'page_id' ] = 'xss_r';
+$page[ 'help_button' ]   = 'xss_r';
+$page[ 'source_button' ] = 'xss_r';
+
+dvwaDatabaseConnect();
+
+$vulnerabilityFile = '';
+switch( $_COOKIE[ 'security' ] ) {
+	case 'low':
+		$vulnerabilityFile = 'low.php';
+		break;
+	case 'medium':
+		$vulnerabilityFile = 'medium.php';
+		break;
+	case 'high':
+		$vulnerabilityFile = 'high.php';
+		break;
+	default:
+		$vulnerabilityFile = 'impossible.php';
+		break;
+}
+
+require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/xss_r/source/{$vulnerabilityFile}";
+
+$page[ 'body' ] .= "
+<div class=\"body_padded\">
+	<h1>Vulnerability: Reflected Cross Site Scripting (XSS)</h1>
+
+	<div class=\"vulnerable_code_area\">
+		<form name=\"XSS\" action=\"#\" method=\"GET\">
+			<p>
+				What's your name?
+				<input type=\"text\" name=\"name\">
+				<input type=\"submit\" value=\"Submit\">
+			</p>\n";
+
+if( $vulnerabilityFile == 'impossible.php' )
+	$page[ 'body' ] .= "			" . tokenField();
+
+$page[ 'body' ] .= "
+		</form>
+		{$html}
+	</div>
+
+	<h2>More Information</h2>
+	<ul>
+		<li>" . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'https://en.wikipedia.org/wiki/Cross-site_scripting' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'http://www.cgisecurity.com/xss-faq.html' ) . "</li>
+		<li>" . dvwaExternalLinkUrlGet( 'http://www.scriptalert1.com/' ) . "</li>
+	</ul>
+</div>\n";
+
+dvwaHtmlEcho( $page );
+
+?>

dvwa/vulnerabilities/xss_r/source/high.php

@@ -0,0 +1,12 @@
+<?php
+
+// Is there any input?
+if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
+	// Get input
+	$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );
+
+	// Feedback for end user
+	$html .= "<pre>Hello ${name}</pre>";
+}
+
+?>

dvwa/vulnerabilities/xss_r/source/impossible.php

@@ -0,0 +1,18 @@
+<?php
+
+// Is there any input?
+if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
+	// Check Anti-CSRF token
+	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
+
+	// Get input
+	$name = htmlspecialchars( $_GET[ 'name' ] );
+
+	// Feedback for end user
+	$html .= "<pre>Hello ${name}</pre>";
+}
+
+// Generate Anti-CSRF token
+generateSessionToken();
+
+?>

dvwa/vulnerabilities/xss_r/source/low.php

@@ -0,0 +1,9 @@
+<?php
+
+// Is there any input?
+if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
+	// Feedback for end user
+	$html .= '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';
+}
+
+?>

dvwa/vulnerabilities/xss_r/source/medium.php

@@ -0,0 +1,12 @@
+<?php
+
+// Is there any input?
+if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
+	// Get input
+	$name = str_replace( '<script>', '', $_GET[ 'name' ] );
+
+	// Feedback for end user
+	$html .= "<pre>Hello ${name}</pre>";
+}
+
+?>