How to do it...

We will start with DVWA in our vulnerable VM and set the security level to medium. Also, set Burp Suite as the proxy for the browser:

  1. First, let's take a look at how the vulnerable page behaves at this security level. As shown in the following screenshot, when attempting to inject script code, the script tags are removed from the output:

  2. Send that request to Repeater and issue it again. As can be seen in the next screenshot, the opening script tag is removed:

  3. There are multiple ways in which we can try to overcome this obstacle. A very common mistake made when implementing this type of protection is to make case-sensitive comparisons when validating and sanitizing inputs. Send the request again, but this time change the capitalization of the word script, and use sCriPt instead:

  4. According to the output in Repeater, and as shown in the following screenshot, that change is sufficient to exploit a Cross-Site Scripting (XSS) vulnerability:
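
The following added example (not code from the book or from DVWA) models the behaviour seen in the steps above: a filter that removes only the exact lowercase opening tag, compared with HTML-encoding the value on output. The filter's shape, the function names, and the sample inputs are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample inputs: a benign name, a lowercase script tag, and the
# mixed-case variant (sCriPt) used in the recipe.
SAMPLES = [
    "Alice",
    "<script>alert(1)</script>",
    "<sCriPt>alert(1)</sCriPt>",
]

# An opening script tag in any capitalization.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def strip_script_case_sensitive(value: str) -> str:
    """Weak filter (assumed shape): removes the exact lowercase opening tag only."""
    return value.replace("<script>", "")


def encode_for_html(value: str) -> str:
    """Hardened handling: encode HTML metacharacters instead of removing tags."""
    return html.escape(value, quote=True)


def still_has_script_tag(rendered: str) -> bool:
    """True if the rendered output still contains an opening script tag."""
    return SCRIPT_TAG.search(rendered) is not None


def compare(samples=SAMPLES):
    """Return (input, weak_filter_leaves_tag, encoded_output_leaves_tag) rows."""
    rows = []
    for sample in samples:
        weak = still_has_script_tag(strip_script_case_sensitive(sample))
        hardened = still_has_script_tag(encode_for_html(sample))
        rows.append((sample, weak, hardened))
    return rows


if __name__ == "__main__":
    for sample, weak, hardened in compare():
        print(f"{sample!r:32} weak filter leaves tag: {weak!s:5} "
              f"encoded output leaves tag: {hardened}")
```

Encoding on output does not depend on recognizing any particular tag spelling, which is why capitalization changes have no effect on it.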
