July 2018
564 pages
Let's learn how to discover these kinds of vulnerabilities. The method is very similar to the one used for SQL injection. First, browse through your target and try to inject into any textbox or URL parameter that looks like a candidate. Whenever you see a URL with parameters, try injecting your test input as the parameter value (something=something), or try injecting it into textboxes. Let's have a look at a reflected XSS example. These are the non-persistent, non-stored vulnerabilities where we have to actually send the code to the target, and once the target runs the code, it will be executed in their browser.
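As an added illustration (not code from the book or from DVWA), here is the reflection described above in Python: a handler that copies a query parameter into its HTML response unencoded, the same handler with HTML entity encoding applied, and a review check that tells the two apart by looking for a harmless marker coming back verbatim. The host, path and parameter name are assumptions modelled on DVWA's reflected XSS page.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample page: greets the visitor using the "name" query parameter.
PAGE_TEMPLATE = "<html><body><pre>Hello {name}</pre></body></html>"

# Assumed URL, modelled on DVWA's reflected XSS page; not taken from the book.
BASE_URL = "http://dvwa.local/vulnerabilities/xss_r/"


def _param(url: str, name: str) -> str:
    """Return the first value of query parameter `name` ('' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflected XSS: the parameter lands in the HTML body unchanged,
    so any markup the visitor was tricked into sending is rendered."""
    return PAGE_TEMPLATE.format(name=_param(url, "name"))


def render_hardened(url: str) -> str:
    """Same page with contextual output encoding: <, >, &, " and ' become
    entities, so the value is shown as text rather than parsed as HTML."""
    return PAGE_TEMPLATE.format(name=html.escape(_param(url, "name"), quote=True))


def is_reflected_unencoded(render, param: str) -> bool:
    """Review check: submit a benign marker containing HTML metacharacters
    and report whether it is echoed byte-for-byte. A verbatim echo means the
    page does not encode that parameter in an HTML context."""
    marker = 'xss<"\'>probe'  # harmless; only its metacharacters matter
    url = BASE_URL + "?" + urlencode({param: marker})
    return marker in render(url)


if __name__ == "__main__":
    for label, handler in (("vulnerable", render_vulnerable),
                           ("hardened", render_hardened)):
        print(f"{label}: unencoded reflection = "
              f"{is_reflected_unencoded(handler, 'name')}")
```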
Let's have a look at our DVWA website and log into it. Inside the DVWA Security tab on the left-hand side of the following screenshot, we are going to set the Script Security ...