Our Scenarios


XVWA - Stored Cross-Site Scripting (XSS)

This lab shows step-by-step how to identify and exploit a Stored Cross-Site Scripting (XSS) vulnerability on the Xtreme Vulnerable Web Application (XVWA) to gain unauthorized access to other user accounts.

XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. The idea is to evangelize web application security to the community in possibly the easiest and fundamental way. Learn and acquire these skills for good purpose.

Why are Cross-Site Scripting (XSS) important?

XSS is one of the most prevalent type of weaknesses found in the wild. Even in 2019, XSS is considered a major threat vector. According to HackerOne, XSS was the most common vulnerability type discovered by hackers using their platform from 2013 to 2017. The consequences of a successful XSS attack vary depending on the nature and sensitivity of the data handled by the affected web application.

What you will learn?

  • What is Stored XSS.
  • How to identify Stored XSS vulnerabilities.
  • How to exploit a Stored XSS vulnerability to gain unauthorized access to other user accounts.

Technical Details

  • This scenario contains one virtual machine.
  • VPN Connection Required: Optional
  • This lab can be completed by either connecting to the CR VPN or by simply utilizing the Web Proxy feature.
  • The examples demonstrated throughout this scenario are based on Linux.

Scenario Pre-requisites

In order to benefit from this scenario it is recommended you have competence in the following areas: 1. Basic understanding of the HTTP protocol 2. How web applications work behind the scenes 3. How to use an HTTP Intercepting Proxy 4. Basic understanding of JavaScript 5. Basic Linux command line knowledge

About the Author

Marios holds a BSc Computer Science degree from Northumbria University and an MSc degree in Cyber Security from the University of York. He is one of the OWASP Cyprus Chapter Leaders and he is passionate about web application security. He likes to spend his free time mastering his backgammon skills.