Attack DVWA XSS (reflected)

First, do the preparation described in Attack DVWA weak session IDs.

Then go to the XSS (reflected) section and try a normal payload.

It is not clear what happened here, so go to PentestSuite and check the JavaScript code.
Find the request in the Proxy-Message list, click the resend button, and then send the message through Message Generator.
The response shows that <script> has been removed by the WAF, which suggests the filter matches only that exact lowercase tag. So try <Script>.
That definitely bypasses the WAF. It is easy, even though the security level in DVWA is medium.
So using this payload directly works:
<Script>alert('jdjdd')</script>
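The behaviour observed above, reproduced as an added example next to an output-encoding fix. This is not DVWA's source or code from the original page: the function names are hypothetical, the inputs are constructed, and the filter is assumed to be a case-sensitive removal of the literal string <script>.

```php
<?php
// Constructed model of the filtering seen in the response; not DVWA's code.

// Weak: removes only the exact lowercase string "<script>" (assumed behaviour).
function filter_blacklist(string $name): string
{
    return str_replace('<script>', '', $name);
}

// Hardened: encode on output so markup is rendered as text, whatever its case.
function encode_output(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Reflect the value into a page fragment (hypothetical template).
function render(string $value): string
{
    return '<pre>Hello ' . $value . '</pre>';
}

// True when an opening script tag, in any letter case, reaches the response.
function script_tag_survives(string $html): bool
{
    return preg_match('/<script\b/i', $html) === 1;
}

// Constructed sample inputs: lowercase tag, the mixed-case tag, a benign name.
$samples = [
    "<script>alert('jdjdd')</script>",
    "<Script>alert('jdjdd')</script>",
    "alice",
];

foreach ($samples as $input) {
    $weak = render(filter_blacklist($input));
    $safe = render(encode_output($input));
    printf("input: %s\n", $input);
    printf("  blacklist -> %s [script tag survives: %s]\n",
        $weak, script_tag_survives($weak) ? 'yes' : 'no');
    printf("  encoded   -> %s [script tag survives: %s]\n\n",
        $safe, script_tag_survives($safe) ? 'yes' : 'no');
}
```

Run it with the PHP CLI. Only the encoded column is free of a live script tag for every input, which is why the fix belongs at output time and not in a list of strings to strip.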




