Originally published on SecurityElites; the canonical, fully-updated version of this article lives there.
DVWA Lab Series: Lab 22 of 30
Authorised Lab Environment Only. Vulnerability chaining and webshell deployment techniques must only be performed on your own DVWA lab installation. Using these techniques against real applications without written authorisation constitutes a criminal offence under computer misuse legislation worldwide. All exercises target http://localhost/dvwa/ only.
Every lab in this series taught you one thing. XSS. CSRF. File upload. SQL injection. You learned each one in isolation, on its own page, with its own exploit. That's not how real web application attacks work.
In a real engagement, XSS isn't the finding; it's the step that enables CSRF token theft, which enables the account takeover, which enables the admin file upload, which enables remote code execution. The individual vulnerabilities are links. The chain is the attack.
DVWA Vulnerability Chaining Lab 22 is where everything you learned in Labs 1 through 21 connects. I'm walking you through a four-stage attack chain against DVWA in which each stage uses the result of the previous one: XSS cookie theft → session hijack → CSRF → authenticated file upload → RCE. Run through this once and you'll never look at a single vulnerability in isolation again.
### What You'll Master in Lab 22

- Understand the attack chain architecture: how XSS enables CSRF, which enables RCE
- Build the XSS payload that extracts a CSRF token and forges a file upload request
- Bypass DVWA's file upload validation to upload a PHP webshell
- Trigger the full automated chain from a single stored XSS injection
- Document the combined impact for a penetration test or bug bounty report
60 min lab · 3 terminal exercises · Localhost DVWA only

#### Prerequisites: Complete Before Lab 22

- Lab 19: XSS Cookie Theft, the same-domain XSS execution that enables CSRF token extraction
- Lab 20: CSRF Advanced, CSRF token bypass via XSS; Lab 22 extends this to file upload
- Lab 21: SQL Injection High Security, multi-vector attack thinking applied to chaining
- Lab 6: File Upload Lab, the PHP webshell upload technique used in the final chain step

### DVWA Vulnerability Chaining Lab 2026

1. The Three-Vulnerability Chain Architecture
2. Step 1: Stored XSS as the Delivery Mechanism
3. Step 2: CSRF Token Extraction and Forged File Upload
4. Step 3: Webshell Deployment and RCE Confirmation
5. The Automated Full Chain: One Payload, Complete Compromise
6. Reporting Vulnerability Chains in Bug Bounty

## The Three-Vulnerability Chain Architecture

I want to reframe how you think about vulnerability chaining before we touch the keyboard. It's not about clever combinations; it's about following the logical consequence of each vulnerability to its next step. In this chain, each vulnerability removes one specific obstacle between the attacker's initial foothold and the final objective of server-level code execution.
Problem 1: The attacker wants to upload a PHP webshell to the server. DVWA's file upload endpoint requires an authenticated session and a valid CSRF token. The attacker cannot directly forge a valid upload request because they don't have the CSRF token. XSS solves this: by injecting JavaScript into the stored XSS guestbook, the attacker runs code inside the victim's authenticated browser session on the same domain, and that code can read the CSRF token from any page on the same domain.
Problem 2: Even with the CSRF token, the file upload endpoint accepts only image files, so raw PHP shell scripts are rejected. File upload bypass solves this: changing the Content-Type header, using double extensions, or embedding PHP code in a file with an image extension bypasses client-side and basic server-side validation.
Problem 3: The attacker wants this to happen automatically, without the victim doing anything beyond loading a page. Stored XSS solves this: a payload stored in the guestbook fires automatically for every authenticated user who views it; no user interaction is required beyond page load.
XSS + CSRF + File Upload: Three-Vulnerability Chain

1. STORE: Attacker injects XSS payload into guestbook; stored, fires on every pageview
2. TRIGGER: Authenticated admin views guestbook; XSS JavaScript runs in their browser
3. TOKEN STEAL: XSS fetch() reads CSRF token from file upload page (same domain, allowed)
4. FORGE UPLOAD: XSS uses token to forge multipart POST; uploads shell.php disguised as shell.php.jpg
5. RCE: Attacker accesses /uploads/shell.php; remote code execution on the server

Figure: The three-vulnerability attack chain. Each step converts one vulnerability into the capability needed for the next. Attempted directly, the final result, server-level RCE, would require exploiting the server software itself. By chaining three medium-severity web vulnerabilities, the same result is achieved without exploiting any server software at all. The entire chain is triggered automatically when any authenticated user views the guestbook page.
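The forged upload in step 4 depends on the three bypasses listed under Problem 2 (spoofed Content-Type, double extension, PHP inside an image-named file). The following added example, which is not DVWA's code, shows server-side validation that closes each of them; the function and constant names are assumptions for this illustration.

```python
from typing import Optional, Tuple
import re
import secrets

# Added example (not DVWA's code): server-side upload validation that closes the
# three bypasses listed under Problem 2. Names below are assumptions.
ALLOWED_EXT = {"jpg", "png", "gif"}
# Signature bytes each type must start with; the client's Content-Type is never consulted.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Any dotted segment after the base name that a PHP-enabled web server might execute.
EXECUTABLE_SEGMENT = re.compile(r"^(php\d*|phtml|phar|htaccess)$", re.I)


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the image type from its leading bytes, or None if it is not a known image."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def validate_upload(filename: str, data: bytes, client_content_type: str) -> Tuple[bool, str]:
    """Return (accepted, stored_name_or_reason).
    client_content_type is attacker-controlled and deliberately ignored."""
    segments = filename.lower().split(".")
    if len(segments) < 2:
        return False, "missing extension"
    # shell.php.jpg fails here: every segment after the base name is checked, not only the last.
    if any(EXECUTABLE_SEGMENT.match(s) for s in segments[1:]):
        return False, "executable extension segment"
    ext = "jpg" if segments[-1] == "jpeg" else segments[-1]
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    if sniff_image_type(data) != ext:
        return False, "content does not match extension"
    # Defence in depth against a polyglot (real image header with PHP appended). The primary
    # control is the random server-chosen name below plus an upload directory served with
    # script execution disabled, so a file that slips past this check still cannot run.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP open tag"
    return True, f"{secrets.token_hex(16)}.{ext}"
```

Because the stored name is chosen by the server and carries only the sniffed image extension, the attacker never learns or controls the path they would need to request in step 5.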
## Step 1: Stored XSS as the Delivery Mechanism

The chain starts with the stored XSS guestbook vulnerability from Lab 19. The technique is identical: use browser DevTools to raise the maxlength attribute on the message textarea from 50 to 500 characters, then inject the full attack JavaScript payload into the message field. The payload fires for every authenticated user who loads the guestbook page after the injection.
Read the complete guide on SecurityElites. This article continues there with deeper technical detail, screenshots, code samples, and an interactive lab walk-through.
This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.