This report documents a Reflected Cross-Site Scripting (XSS) vulnerability identified in DVWA during security testing.
Testing Type: Offensive + Defensive Analysis
Environment: Local Lab
Security Level Tested: Low
- Vulnerability Name: Reflected XSS
- Severity: High
- Category: OWASP Top 10 – Cross-Site Scripting
- Affected Module: DVWA – XSS (Reflected)
The application reflects user input directly into the web page without proper validation or output encoding.
This allows execution of arbitrary JavaScript in the victim's browser.
Payload used:
<script>alert('XSS')</script>
Steps to reproduce:
- Log in to DVWA.
- Navigate to the XSS (Reflected) module.
- Enter the payload in the input field.
- Submit.
A JavaScript alert popup appeared displaying:
XSS
This confirms successful execution of injected script.
The application directly prints user input into the HTML response without escaping special characters.
Because characters such as < and > are not encoded, the browser parses the injected <script> element as markup and executes its contents as JavaScript.
If exploited in real-world applications, attackers could:
- Steal session cookies
- Hijack user sessions
- Redirect users to malicious websites
- Perform phishing attacks
- Modify page content dynamically
Weaknesses identified:
- No input validation
- No output encoding
- Direct reflection of user input in HTML
Severity Level: High
Reason: Client-side code execution and session hijacking are possible.
To prevent XSS:
- Implement output encoding
- Use htmlspecialchars() in PHP
- Validate and sanitize user input
- Use a Content Security Policy (CSP)
Secure Example (Conceptual):
echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
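The reflection pattern described above next to its encoded form, as an added example that is not DVWA's own source. The function names, the `name` field, the sample value `O'Brien` and the CSP directives are assumptions chosen for illustration; the script payload is the one used in this report.

```php
<?php
declare(strict_types=1);
// Added example (not DVWA source). All function names here are hypothetical.

// Pattern from the report: input concatenated into the HTML response unencoded.
function render_vulnerable(string $name): string
{
    return '<pre>Hello ' . $name . '</pre>';
}

// Fix: encode for the HTML context at the point of output.
function render_hardened(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<pre>Hello ' . $safe . '</pre>';
}

// Attribute context: ENT_COMPAT leaves single quotes unencoded, so a value
// placed inside a single-quoted attribute can still end that attribute early.
function render_attr(string $value, int $flags): string
{
    $safe = htmlspecialchars($value, $flags, 'UTF-8');
    return "<input type='text' name='name' value='" . $safe . "'>";
}

// Defense in depth: a policy that blocks inline scripts even if encoding is missed.
// In a web request, send it with header() before any output is written.
function csp_header(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'none'";
}

$payload = "<script>alert('XSS')</script>"; // payload from this report
$quoted  = "O'Brien";                       // constructed benign input with a quote

echo render_vulnerable($payload), PHP_EOL;      // markup reaches the browser intact
echo render_hardened($payload), PHP_EOL;        // rendered as inert text
echo render_attr($quoted, ENT_COMPAT), PHP_EOL; // quote closes the attribute early
echo render_attr($quoted, ENT_QUOTES), PHP_EOL; // quote is encoded
echo csp_header(), PHP_EOL;
```

Run it with the PHP CLI and compare the first two lines of output: the hardened version contains no literal `<` or `>` from the input, which is the property to check for when retesting the module.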
This testing was performed in a controlled lab environment (DVWA) strictly for educational purposes.
