The assumption is that you are here because you are either trying to learn about web app pen testing or you are stuck on one of the challenges. Everyone has their own way that they like to approach web applications. This is mine. We will end up at the same place so don’t get too hung up on style, focus on content.
All of the posts here are spoilers
To setup for all of the different challenges in DVWA you need to set the security level. This is relatively simple, just click the DVWA Security button and set the level through the interface.
XSS Reflected – Low
I have security set to low and I have clicked on the XSS Reflected button. Nice test box huh? Well now what are you doing to do? I like to jump right in and start stuffing things in there. No foreplay or anything.
Why didn’t I go right for an alert(‘XSS’)? I like to see if HTML injection is possible at the same time. Feel free to skip that step and go straight to <script>alert(“XSS”)</script>. Look at that! HTML injection is possible. Let us go back and see if we can get a script to run.
TL;DR <script>alert(“XSS”)</script>
XSS Reflected – Medium
Set the DVWA Security to Medium and throw that script back in there.
Why didn’t that work? Time to dig into the page source. If you read the PHP by clicking on the View Source button the fumction checks for a null string. Then replaces the string <script> with ‘’ if it is found. That is super effective tools or testers that only use the exact string <script>. If you change it up a bit by adding capitalization <SCRipT> or <ScriPt> it doesn’t match and str_replace just passes it through. The PHP function is case sensitive but HTML is not.
TL;DR <SCRipt>alert(“XSS”)</scrIPT>
XSS Reflected – High
The High challenge uses the PHP function htmlspecialchars function to escape special characters. I have tried to encode the string in multiple ways and have not figured out a way to run a script. This is the correct way to handle user inputs and might be breakable but I haven’t found a way around it yet.