Forum

Not Block XSS Stored

Edwin
20 September 2016, 05:32

Edwin
20 September 2016, 04:34
Hi..

Hi..
I installed Hiawatha how reverse proxy, and I´m doing attacks of XSS stored, but Hiawatha not block. Please that you recommend me. The reflected XSS attack itself is blocked..

TKS

TKS
Hugo Leisink
20 September 2016, 20:46
Have you set the PreventXSS setting?
Edwin
21 September 2016, 04:48
yes, it´s, PreventXSS = block, but not block the stored, only XSS reflected, for the attack I use "<SCRIPT>alert("XSS");</SCRIPT>"..
Hugo Leisink
22 September 2016, 09:10
Do you have a sample URL?
Edwin
24 September 2016, 21:43
I am using DVWA (Damn Vulnerable Web App), The URL is: http://192.168.1.62/dvwa/vulnerabilities/xss_s/,

Attack: <SCRIPT>alert("XSS");</SCRIPT>, this attack is side client

El Log (access.log) is :
192.168.1.11|Thu 15 Sep 2016 06:22:10 -0500|200|6678||POST /dvwa/vulnerabilities/xss_s/ HTTP/1.1|Host: 192.168.1.62|User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0|Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8|Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3|Accept-Encoding: gzip, deflate|Referer: http://192.168.1.62/dvwa/vulnerabilities/xss_s/|Connection: keep-alive|Upgrade-Insecure-Requests: 1|Content-Type: application/x-www-form-urlencoded|Content-Length: 96
192.168.1.11|Thu 15 Sep 2016 06:22:10 -0500|304|796||GET /dvwa/dvwa/css/main.css HTTP/1.1|Host: 192.168.1.62|User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0|Accept: text/css,*/*;q=0.1|Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3|Accept-Encoding: gzip, deflate|Referer: http://192.168.1.62/dvwa/vulnerabilities/xss_s/|Connection: keep-alive|If-Modified-Since: Mon, 05 Oct 2015 07:51:07 GMT|If-None-Match: "4012e-fba-52156c6a290c0"
192.168.1.11|Thu 15 Sep 2016 06:22:10 -0500|304|783||GET /dvwa/dvwa/js/dvwaPage.js HTTP/1.1|Host: 192.168.1.62|User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0|Accept: */*|Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3|Accept-Encoding: gzip, deflate|Referer: http://192.168.1.62/dvwa/vulnerabilities/xss_s/|Connection: keep-alive|If-Modified-Since: Mon, 05 Oct 2015 07:51:07 GMT|If-None-Match: "4013f-307-52156c6a290c0"
192.168.1.11|Thu 15 Sep 2016 06:22:10 -0500|304|786||GET /dvwa/dvwa/images/logo.png HTTP/1.1|Host: 192.168.1.62|User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0|Accept: */*|Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3|Accept-Encoding: gzip, deflate|Referer: http://192.168.1.62/dvwa/vulnerabilities/xss_s/|Connection: keep-alive|If-Modified-Since: Mon, 05 Oct 2015 07:51:07 GMT|If-None-Match: "40135-13b4-52156c6a290c0"
Hugo Leisink
27 September 2016, 11:05
At the moment, Hiawatha only protects against XSS attacks via the URL (it protects a potential victim). There was a reason I didn't include a check for it in POST requests, but can't remember why. Will fix this for the next release.
This topic has been closed.