Discovering Basic Reflected XSS (cross-site scripting)

The Open Web Application Security Project is an online community that produces freely available articles, methodologies, documentation, tools, and technologies for web application security audits.

Launching OWASP

In Kali Linux, OWASP is preloaded in its toolkit so we don’t have to install it separately. We just need to launch OWASP from its menu.

We will read and accept the license. Now, we can see the main OWASP screen.


Downloading DVWA

We have successfully downloaded the application. Now, we are navigating into the download directory and then we will extract the newly downloaded zip file.

root@kali:~# cd Downloads

root@kali:~/Downloads# unzip -d /var/www/html/


Navigated into Var directory.

Navigated into WWW directory.

Navigated into HTML directory.

Renaming folder to a new name.

Navigated into Config directory.

Opening the PHP file in the configuration directory.

Changed its current address to localhost and created a password to the database.

We are going to work on our localhost. That’s why we have to run MySQL and apache services from our terminal:

root@kali:/var/www/html# service apache2 start

root@kali:/var/www/html# service mysql start

Launching DVWA

We created a database connection and then logged in with our credentials:

Scanning and finding XSS

To scan for XSS vulnerability in DVWA, we launched OWASP and added the localhost address of our machine in the target URL box.

Now, OWASP is scanning DVWA:

Our scan is complete. On the left side, we can see the active vulnerabilities discovered by OWASP. We have successfully managed to discover a Reflected XSS, which was our today’s goal. It is shown in the following figure: