After confirming DVWA Was running locally on my own browser I then open up zap typed in my locally browser and went straight to XSS Reflected. In the what's your name I simply typed in TEST TEST.

After letting this machine run a little I went and looked at the traffic captured to see if it captured the URL I needed.

Instead of doing the last two scans I decided on something new and wanted to inject a payload using the fuzzer. After opening the link in fuzzer and highlighting the name part I inject a simple payload to test and see if I can find an XSS.

After running this simple payload I got my answer and the proof I needed that and XSS vulnerability exist.