Cross-site scripting (XSS) is one of the most common vulnerabilities in web applications; in fact, it is ranked third in the OWASP Top 10 from 2013 (https://www.owasp.org/index.php/Top_10_2013-Top_10).
In this recipe, we will see some key points to identify a cross-site scripting vulnerability in a web application.
Log into DVWA and go to XSS reflected.
The first step in testing for a vulnerability is to observe the normal response of the application. Introduce a name in the text box and click on Submit. We will use Bob.
The application used the name we provided to form a phrase. What happens if instead of a valid name we introduce some special characters or numbers? Let's try with <'this is the 1st test'>.
Now we can see that anything we put in the text box will be reflected in the response, that is, it becomes part of the HTML page in the response. Let's check the page's source code to analyze how it presents the information...
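The source-code check described above can be automated. The following is an added example, not code from the recipe or from DVWA: it reports which special characters of the probe come back unencoded in a response body. The three render_* functions are constructed stand-ins for the page that greets the submitted name, and all function names are assumptions.

```python
import html
import re

PROBE = "<'this is the 1st test'>"   # probe string from the recipe
SPECIALS = "<>'\"&"

def reflection_pattern(probe):
    """Regex matching the probe with each special char either raw (captured) or as an entity."""
    parts = []
    for ch in probe:
        if ch in SPECIALS:
            parts.append(r"(?:(%s)|&#?\w+;)" % re.escape(ch))
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))

def raw_specials(body, probe=PROBE):
    """None if the probe is not reflected; otherwise the special chars that arrived unencoded."""
    for m in reflection_pattern(probe).finditer(body):
        if html.unescape(m.group(0)) == probe:   # entities must decode back to the probe
            return [g for g in m.groups() if g is not None]
    return None

# Constructed stand-ins for the page that greets the submitted name (assumptions).
def render_unsafe(name):             # echoes the input verbatim
    return "<pre>Hello " + name + "</pre>"

def render_no_quotes(name):          # encodes < > & but leaves quotes alone
    return "<pre>Hello " + html.escape(name, quote=False) + "</pre>"

def render_escaped(name):            # encodes < > & and both quote characters
    return "<pre>Hello " + html.escape(name, quote=True) + "</pre>"

if __name__ == "__main__":
    for render in (render_unsafe, render_no_quotes, render_escaped):
        print(render.__name__, raw_specials(render(PROBE)))
```

An empty list means the input is reflected but fully encoded. A list containing only quotes shows partial encoding, which still matters when the value is placed inside an HTML attribute.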