[Type here] Web Application Security
(303105320)
PRACTICAL:01
Aim:- To perform XSS (Cross-Site Scripting)
Intro:- XSS (Cross-Site Scripting) is a common web security vulnerability that allows
an attacker to inject malicious scripts (usually JavaScript) into web pages viewed by
other users. If a website inserts user input into a page without validating it and
encoding it for the HTML context, attackers can exploit this flaw to steal session
cookies, deface websites, or redirect users to malicious pages.
Types of XSS:-
1. Stored XSS (Persistent)
The malicious script is saved on the server (for example in a database) and is
served to every user who later views the page that contains it.
Example: Comment boxes, forums, profile fields.
2. Reflected XSS (Non-Persistent)
The script is sent in the request (for example in a link or a form field) and the
server immediately echoes it back into the response.
The victim has to be tricked into clicking a crafted link that looks legitimate.
Example: Search boxes and error messages that display what you typed.
3. DOM-Based XSS
The script is executed by the page's own client-side JavaScript, which writes
attacker-controlled data into the page's structure (the DOM).
The weakness is in the JavaScript code, not on the server side; the server may
never see the payload at all.
Example: Using location.hash or document.URL without sanitization.
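The following is an added example (not DVWA's code and not part of the original practical) showing how the three variants listed above come from the same mistake, untrusted text pasted into HTML, and what the fix looks like in each case: HTML-context output encoding for reflected and stored XSS, and a safe sink instead of innerHTML for DOM-based XSS. The function names, the FakeElement stand-in for a DOM node, and the sample guestbook entry are assumptions made for this illustration; the first payload is the one used later in this practical.

```javascript
// Added example (not DVWA's code): the three XSS variants arise from the same
// mistake, untrusted text pasted into HTML. Reflected and stored XSS are fixed
// by HTML-context output encoding; DOM XSS is fixed by using a safe sink.
// Function names and the FakeElement stand-in are assumptions for illustration.

const PAYLOAD = '<script>alert("Hacked")</script>';   // payload used in this practical

// Encode the five characters that can change meaning inside HTML text or a
// quoted attribute (what PHP's htmlspecialchars() does with ENT_QUOTES).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 1. Reflected: a "What's your name?" page that echoes the query parameter.
function greetVulnerable(name) { return `<pre>Hello ${name}</pre>`; }
function greetSafe(name)       { return `<pre>Hello ${escapeHtml(name)}</pre>`; }

// 2. Stored: a guestbook renders every saved entry for every visitor, so one
//    poisoned entry fires in every later browser that loads the page.
const identity = (s) => s;   // "no encoding", used to show the vulnerable version
function renderGuestbook(entries, encode) {
  return entries
    .map((e) => `<div>Name: ${encode(e.name)}<br>Message: ${encode(e.message)}</div>`)
    .join('\n');
}

// 3. DOM-based: client-side code copies a source (location.hash) into a sink.
//    innerHTML parses markup; textContent renders it as literal text.
//    Note: browsers do not run <script> inserted through innerHTML, so the
//    classic DOM payload is an element carrying an event handler instead.
const DOM_PAYLOAD = '#<img src=x onerror=alert(1)>';
class FakeElement {                                   // assumed stand-in for a DOM node
  constructor() { this.html = ''; }
  set innerHTML(v)   { this.html = v; }               // markup stays live
  set textContent(v) { this.html = escapeHtml(v); }   // serialised as text
}
function showHashVulnerable(hash, el) {
  el.innerHTML = 'Section: ' + decodeURIComponent(hash.slice(1));
  return el.html;
}
function showHashSafe(hash, el) {
  el.textContent = 'Section: ' + decodeURIComponent(hash.slice(1));
  return el.html;
}

// Tester's check: does the rendered HTML still contain something executable,
// i.e. a <script> tag or an element with an on*= handler attribute?
function hasActiveContent(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Stand-alone demonstration of the vulnerable and safe renderings side by side.
for (const [label, html] of [
  ['reflected, vulnerable', greetVulnerable(PAYLOAD)],
  ['reflected, safe      ', greetSafe(PAYLOAD)],
  ['dom, vulnerable      ', showHashVulnerable(DOM_PAYLOAD, new FakeElement())],
  ['dom, safe            ', showHashSafe(DOM_PAYLOAD, new FakeElement())],
]) {
  console.log(`${label} active=${hasActiveContent(html)} ${html}`);
}
```

Run it with `node xss_types.js`. The `hasActiveContent` check is deliberately crude (it only looks for `<script` and inline `on*=` handlers) but it is enough to see that encoding turns every payload above into inert text, while the vulnerable paths leave it live.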
Installation Required:-
XAMPP
DVWA
1|Page
2303031260034
Procedure to perform XSS
Step1. Install XAMPP.
XAMPP is a free and open-source cross-platform web server solution stack package
developed by Apache Friends, consisting of:
X = Cross-platform (Windows, Linux, macOS)
A = Apache (Web Server)
M = MySQL / MariaDB (Database)
P = PHP (Scripting Language)
P = Perl (Scripting Language)
Download XAMPP:
Go to https://www.apachefriends.org/index.html
Choose the version for your OS.
Install:
Run the installer and follow steps.
Install Apache, MySQL, PHP (default options are fine).
Launch XAMPP Control Panel:
Start Apache and MySQL services.
Test Server:
Open browser → go to http://localhost/ → XAMPP welcome page appears.
Step2. Install DVWA
DVWA is a deliberately vulnerable PHP/MySQL web application designed for security
professionals and ethical hackers to practice common web exploits like:
XSS (Cross-Site Scripting)
SQL Injection
File Upload vulnerabilities
CSRF, Command Injection, etc.
Download it:-
Go to https://github.com/digininja/DVWA.
Click Code → Download ZIP.
Extract the folder and rename it to dvwa.
Step3. Move the extracted dvwa folder to:
C:\xampp\htdocs\
Step4. Configure Database
1. Open the file:
C:\xampp\htdocs\dvwa\config\config.inc.php.dist
2. Rename it to:
config.inc.php
Step5. Open it in Notepad and set database settings like this:
$_DVWA[ 'db_user' ] = 'root';
$_DVWA[ 'db_password' ] = ''; // empty password
Step6. Save and close.
Step7. Setup Database
Open your browser and go to:
http://localhost/dvwa/setup.php
Step8. Click the "Create / Reset Database" button at the bottom of the setup page. This creates the database and tables DVWA needs.
Step9. Log in.
default credentials :-
Username: admin
Password: password
Step10. Set Security Level (for XSS Testing)
After logging in, go to DVWA Security → Security Level.
Set it to Low to practice basic XSS without filters.
Step11. Go to XSS (Reflected)
Enter the following script in the "What's your name?" box:
<script>alert("Hacked")</script>
Output:
Step12. Now go to XSS (Stored)
Name: webapp
Message: <script>alert("You're Hacked!")</script>
Output:
CONCLUSION:
Conducting XSS (Cross-Site Scripting) attacks using XAMPP and DVWA (Damn
Vulnerable Web Application) provides a safe, offline environment to learn and
understand how real-world web vulnerabilities can be exploited — and more
importantly, how to prevent them.