Our Scenarios

DVWA-Stored XSS #2

Stored Cross-Site Scripting (XSS) # 2

This lab shows step-by-step how to identify and exploit a Stored Cross-Site Scripting (XSS) vulnerability on the Damn Vulnerable Web Application (DVWA) to redirect victims to third-party websites. During this lab, the Security Level of the DVWA is set to MEDIUM.

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is intentionally vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Why are Cross-Site Scripting (XSS) important?

XSS is one of the most prevalent type of weaknesses found in the wild. Even in 2019, XSS is considered a major threat vector. According to HackerOne, XSS was the most common vulnerability type discovered by hackers using their platform from 2013 to 2017. The consequences of a successful XSS attack vary depending on the nature and sensitivity of the data handled by the affected web application.

What you will learn?

  • What is Stored XSS.
  • How to identify Stored XSS vulnerabilities.
  • How to exploit a Stored XSS vulnerability to redirect victims to third-party websites.


  1. https://portswigger.net/web-security/cross-site-scripting
  2. https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
  3. https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)
  4. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Technical Details

This scenario contains one virtual machine. VPN Connection Required: Yes

Scenario Pre-requisites

In order to benefit from this scenario it is recommended you have competence in the following areas: 1. Basic understanding of the HTTP protocol 2. How web applications work behind the scenes 3. How to use an HTTP Intercepting Proxy