How to do it...

  1. From the OWASP Mutillidae II menu, select Login by navigating to OWASP 2013 | A3 - Cross Site Scripting (XSS) | Persistent (First Order) | Add to your blog.
  2. Place some verbiage into the text area. Before clicking the Save Blog Entry button, let's try a payload with the entry.
  3. Switch to the Burp Proxy | Intercept tab. Turn Interceptor on by clicking the button so that it reads Intercept is on.
  4. While Proxy | Interceptor has the request paused, insert the new payload of <script>alert(1);</script> immediately following the verbiage you added to the blog.
  5. Click the Forward button. Turn Interceptor off by toggling the button to Intercept is off.
  6. Return to the Firefox browser and see the pop-up alert box displayed.
  7. Click the OK button to close the pop-ups. Reload the page and you will see the alert pop-up again. This is because your malicious script has become a permanent part of the page: it is stored server-side with the blog entry and rendered into the HTML for every visitor on every load. You've successfully shown a proof of concept (PoC) for the stored XSS vulnerability!
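Why the alert survives a reload comes down to how the stored entry is rendered. The following is an added example, not code from the book or from Mutillidae: a minimal Python rendering of a blog entry list that contrasts the vulnerable behaviour (raw concatenation of stored text into the page) with the usual fix (contextual output encoding via `html.escape`). The entries and the function names are constructed for illustration.

```python
import html

# Constructed sample entries: one benign, one carrying the payload from the recipe.
# The second entry is exactly what ends up in the database after step 4.
SAMPLE_ENTRIES = [
    "Just some verbiage for the blog",
    "Just some verbiage for the blog<script>alert(1);</script>",
]


def render_vulnerable(entries):
    """Render stored entries the way a vulnerable page does: raw concatenation.

    Whatever was saved is emitted as HTML, so a stored <script> tag becomes
    part of the page on every reload. This is the stored (persistent) XSS
    behaviour the recipe demonstrates; kept deliberately broken for contrast.
    """
    return "".join(f"<div class='entry'>{entry}</div>" for entry in entries)


def render_hardened(entries):
    """Render with output encoding for an HTML body context.

    html.escape with quote=True converts < > & " and ' to entities, so the
    saved payload is displayed as literal text and never parsed as markup.
    Encoding happens at output time, so it also protects entries that were
    stored before the fix was deployed.
    """
    return "".join(
        f"<div class='entry'>{html.escape(entry, quote=True)}</div>"
        for entry in entries
    )


def contains_script_markup(rendered_html):
    """Crude regression check: did an executable <script> tag reach the page?

    Case-insensitive because HTML tag names are case-insensitive. This is a
    test helper only, not a substitute for encoding on output.
    """
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    vulnerable = render_vulnerable(SAMPLE_ENTRIES)
    hardened = render_hardened(SAMPLE_ENTRIES)
    print("vulnerable page executes script:", contains_script_markup(vulnerable))
    print("hardened page executes script:  ", contains_script_markup(hardened))
    print(hardened)
```

Running the block prints `True` for the vulnerable renderer and `False` for the hardened one, and the hardened page shows the payload as `&lt;script&gt;alert(1);&lt;/script&gt;`, which the browser displays as text. The same check can be turned into a unit test in the application's own test suite so the regression is caught before it reaches a proxy-based review like the one in this recipe.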