Understanding XSS

As mentioned in the previous chapter, XSS attacks exploit vulnerabilities in dynamically created web pages. These vulnerabilities allow an attacker to inject client-side scripts into web pages viewed by other users. When an unsuspecting user visits a web page that contains an injected script, the user's browser executes the malicious script in the background without the victim realizing it.
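The following Node.js sketch is an added example, not code from the book, WebGoat, or bWAPP. It builds one dynamically created page twice, once by concatenating request data into the markup and once with HTML output encoding, and checks whether the input changed the page's structure. All function names and sample inputs are constructed for illustration.

```javascript
// Hypothetical page renderer; names and inputs are constructed for this example.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode the characters that let data break out of an HTML text node
// or a quoted attribute value. Single pass, so nothing is double-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: request data is concatenated straight into the markup.
function renderSearchUnsafe(query) {
  return `<h1>Results for ${query}</h1><input name="q" value="${query}">`;
}

// Hardened: the same template, with the data encoded before insertion.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<h1>Results for ${q}</h1><input name="q" value="${q}">`;
}

// Count the characters that carry markup meaning in these two contexts.
function markupCharCount(html) {
  return (html.match(/[<>"']/g) || []).length;
}

// Regression check: user data must not add any markup-significant characters
// beyond those the template itself emits for an empty input.
function changesStructure(render, input) {
  return markupCharCount(render(input)) !== markupCharCount(render(''));
}

const samples = [
  'owasp top 10',              // ordinary search term
  '<script>void 0</script>',   // element injected into the text node
  '" onfocus="void 0',         // attribute injected via the quoted value
];
for (const s of samples) {
  console.log(JSON.stringify(s),
    '| unsafe changes structure:', changesStructure(renderSearchUnsafe, s),
    '| safe changes structure:', changesStructure(renderSearchSafe, s));
}
```

The encoder shown covers HTML text and quoted-attribute contexts only; data placed inside a script block, a URL, or CSS needs the encoding for that context.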

In the following exercises, we'll be using both WebGoat and bWAPP on an OWASP BWA virtual machine:

The username/password for WebGoat is guest/guest. The username/password for bWAPP is bee/bug.

Next, we will take a look at reflected XSS.
