Reflected XSS
Lab: DVWA
Scenario: Reflected Cross-Site Scripting
Difficulty: Beginner
Estimated Time: 25 minutes
Learning Objectives
By the end of this scenario, you will be able to:
- Identify reflected XSS vulnerabilities
- Understand how reflected XSS attacks work
- Exploit basic reflected XSS vulnerabilities
- Implement detection and prevention measures
Setup
Prerequisites
- DVWA lab running at CSN Labs
- Web browser (Chrome/Firefox recommended)
- Security level set to "Low"
Initial Configuration
- Log into DVWA
- Set security level to "Low"
- Navigate to "Reflected XSS" module
Scenario Story
You are testing a web application's search functionality. The application displays user input directly in the response without proper sanitization. Your goal is to understand how reflected XSS works and how an attacker could exploit this vulnerability.
Step-by-Step Walkthrough
This scenario walkthrough will be completed with detailed steps.
Why This Works
Reflected XSS occurs when user input is immediately reflected in the application's response without proper encoding or sanitization, so the browser parses the input as part of the page's markup and executes any script it contains.
Defender Notes
How to Detect
- Monitor for script tags and JavaScript in user input
- Look for encoded payloads in application logs
- Set up WAF rules to block common XSS patterns
How to Prevent
- Output Encoding: Encode all user input before displaying it
- Content Security Policy (CSP): Implement CSP headers
- Input Validation: Validate and sanitize all user input
- Use Framework Features: Leverage the framework's built-in XSS protection
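The output encoding and CSP measures above, shown as an added example that is not part of the original lab or of DVWA's own code: a search response built without encoding, next to the same response with encoding at the point of output and a CSP header. The function names, the `q` field and the policy string are assumptions chosen for illustration, and the sample inputs are constructed.

```javascript
// Added example; all names here are hypothetical, not taken from DVWA.

// HTML-encode the five characters that can change the parsing context
// in element content and in quoted attribute values. A single pass
// avoids double-encoding the '&' produced by earlier replacements.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed policy: scripts only from the same origin, no inline script.
const CSP_HEADER =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// "Before": the query is concatenated into the markup as-is, so the
// browser parses whatever the user sent as HTML.
function renderVulnerable(query) {
  return {
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: `<p>Results for: ${query}</p>`,
  };
}

// "After": the query is encoded where it is written into the page
// (element content and a quoted attribute), and CSP is a second layer.
function renderEncoded(query) {
  const safe = escapeHtml(query);
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': CSP_HEADER,
    },
    body: `<p>Results for: ${safe}</p><input name="q" value="${safe}">`,
  };
}

// Constructed sample inputs: one script tag, one string with quotes.
const samples = ['<script>alert(1)</script>', `say "hi" & 'bye'`];
for (const s of samples) {
  console.log('raw    :', renderVulnerable(s).body);
  console.log('encoded:', renderEncoded(s).body);
}
```

This encoder covers HTML element content and quoted attributes only; values written into JavaScript, URLs or CSS need the encoder for that context.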
Try These Variations
Easy
- Try different XSS payloads
- Test with encoded characters
Medium
- Attempt to bypass basic filters
- Test in different contexts (HTML, JavaScript, attributes)
Hard
- Try advanced encoding techniques
- Attempt to bypass CSP
Evidence Checklist
Capture screenshots of:
- Initial input field
- Successful XSS execution
- Browser console showing script execution
Next Steps
- Return to DVWA Lab Overview
- Try the next scenario: Stored XSS
- Explore CSN Labs for more challenges