This lab helped me understand how improperly handled user input can allow attackers to inject and execute malicious JavaScript in a victim's browser. I learned the difference between reflected and stored XSS, how browsers interpret injected scripts, and why input validation is critical.

One of the main challenges was configuring the vulnerable environment correctly, especially setting permissions and database connections for DVWA. Understanding why some payloads worked while others didn't also required experimenting with different JavaScript contexts.

Why XSS Matters in the Real World

XSS is one of the most common web vulnerabilities and can lead to:

Session hijacking

Credential theft

Defacement

Malware delivery

Many real-world breaches occur due to simple failures in output encoding and input sanitization, making XSS a high-impact vulnerability even today.

This lab reinforced the importance of secure coding practices such as input validation, output encoding, and Content Security Policies (CSP). It also demonstrated how easily attackers can exploit vulnerable applications when security is overlooked.
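To make the output-encoding and CSP controls concrete, here is an added Python example (not DVWA's or the lab's own code) that places the same constructed input into a page the vulnerable way and the encoded way, in both element and attribute context; the function names and the sample input are assumptions made for this illustration.

```python
# Reflected XSS: the same user input rendered unsafely and with output encoding.
import html

# Constructed sample input, the classic harmless probe string.
SAMPLE_INPUT = "<script>alert(1)</script>"


def render_unsafe(term: str) -> str:
    """Vulnerable pattern: the raw query value is concatenated into HTML,
    so any markup in it is parsed by the browser."""
    return f"<p>You searched for: {term}</p>"


def render_safe(term: str) -> str:
    """Hardened pattern for element content: HTML-entity-encode the value
    so <, >, &, quotes are shown as text rather than parsed as markup."""
    return f"<p>You searched for: {html.escape(term, quote=True)}</p>"


def render_attr_safe(term: str) -> str:
    """Attribute context: the attribute is quoted AND quotes are encoded,
    so the value cannot close the attribute and add new ones."""
    return f'<input type="text" name="q" value="{html.escape(term, quote=True)}">'


def csp_header() -> tuple:
    """Defence in depth: a CSP that forbids inline script even if an encoding
    step is missed somewhere. Legitimate inline scripts would need a nonce/hash."""
    return (
        "Content-Security-Policy",
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    )


def has_script_tag(markup: str) -> bool:
    """Naive check, used only to compare the two renderers on SAMPLE_INPUT."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE_INPUT))
    print("safe   :", render_safe(SAMPLE_INPUT))
    print("attr   :", render_attr_safe('" autofocus onfocus="x'))
    print("header :", ": ".join(csp_header()))
```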