## https://sploitus.com/exploit?id=4B2C0596-6628-5476-9821-A8DF2B1FD4A2
# DVWA XSS Lab
## Project Introduction
This project creates a web security testing environment based on DVWA (Damn Vulnerable Web Application). It uses Burp Suite to manually test and reproduce XSS (Cross-Site Scripting) vulnerabilities. The main tasks of this project include:
- Reflected XSS
- Stored XSS
- XSS Filter Bypass
- DOM XSS
- Burp Suite packet capture analysis
- Repeater for manually modifying payloads
- Construction and verification of XSS payloads
---
## Technology Stack
- Docker
- DVWA
- Burp Suite
- JavaScript
- HTML
- HTTP
- XSS
---
## Project Environment
- Windows 10
- Docker Desktop
- DVWA
- Burp Suite Community Edition
- Google Chrome
---
## Project Structure
```text
dvwa_xss_lab/
โ
โโโ README.md
โ
โโโ payloads/
โ โโโ xss_payloads.txt
โ
โโโ reports/
โ โโโ xss_report.md
โ
โโโ screenshots/
โโโ xss_reflected_page.png
โโโ xss_reflected_alert.png
โโโ burp_xss_request.png
โโโ burp_xss_repeater_response.png
โโโ stored_xss_page.png
โโโ stored_xss_alert.png
โโโ stored_xss_persistent.png
โโโ burp_stored_xss_request.png
โโโ burp_stored_xss_response.png
โโโ xss_filter_block.png
โโโ xss_bypass_success.png
โโโ burp_filter_response.png
โโโ dom_xss_page.png
โโโ dom_xss_alert.png
โโโ burp_dom_xss_request.png
```
---
## Starting the DVWA Environment
Enter the DVWA project directory, then start Docker:
```bash
docker compose up -d
```
Access from a browser:
```text
http://localhost:4280
```
Log in with the username:
```text
admin
```
Password:
```text
password
```
---
## Experiment Content
### 1. Reflected XSS
Go to:
```text
XSS (Reflected)
```
Test the payload:
```html
alert(1)
```
If the page displays `1`, it means that reflected XSS was successfully executed.
### 2. Stored XSS
Go to:
```text
XSS (Stored)
```
Enter in the comment box:
```html
alert(1)
```
Refresh the page after submitting the comment. If a pop-up still appears, it means that the payload has been stored in the database.
### 3. XSS Filter Bypass
Set DVWA Security to Medium to test whether basic payloads are filtered. Test bypass payloads like:
```html
[Payload]
```
And:
```html
[Another Payload]
```
This demonstrates that even when the website only filters certain types of attacks, other HTML events may still bypass the filter.
### 4. DOM XSS
Go to:
```text
XSS (DOM)
```
Test URL parameters:
```text
default=alert(1)
```
The encoded form of this payload:
%3Cscript%3Ealert%281%29%3C%2Fscript%3E
The core of DOM XSS is that front-end JavaScript reads URL parameters and injects them into the page, causing the browser to execute malicious scripts. ---
## Screenshot of Experiments
### Reflected XSS Page

---
### Successful Reflected XSS Popup

---
### Burp Capturing Reflected XSS Requests

---
### Burp Repeater Returning Results

---
### Stored XSS Page

---
### Successful Stored XSS Popup

---
### Persistence of Stored XSS

---
### Burp Capturing Stored XSS Requests

---
### Burp Stored XSS Response

---
### XSS Filter Blockage

---
### Successful XSS Bypass

---
### Analysis of Burp Filter Responses

---
### DOM XSS Page

---
### Successful DOM XSS Popup

---
### Burp Capturing DOM XSS Requests

---
## Vulnerability Report
Detailed experiment procedures and vulnerability analysis:
[reports/xss_report.md](https://reports.xmh.io/report/xss_report.md)
---
## Payload Files
XSS Payloads:
[payloads/xss_payloads.txt](https://reports.xmh.io/reports/xss_report.md#payloads)
---
## Project Summary
This project demonstrated the reproduction and analysis of XSS vulnerabilities in DVWA, including reflected XSS, stored XSS, filter bypass, and DOM XSS. Through this project, we learned:
- The basic principles of XSS vulnerabilities
- How to construct JavaScript payloads
- How to trigger HTML events
- How to analyze Burp Suite packet capture
- How to manually test Repeater devices
- How to analyze URL encoding
- The basic principles of DOM XSS
---
## Disclaimer
This project is solely for web security learning, vulnerability reproduction, and research purposes. It is prohibited from being used for any illegal purposes.