Reflected XSS: the payload is executed in the immediate response to the request in which it is injected.
Stored XSS: the payload is injected into a persistent datastore and executes later, when it is retrieved from the datastore.
DVWA - Reflected Low
DVWA - Reflected Medium
Referring to the source code, a str_replace function has been added to filter out the string <script>, replacing it with a blank space. However, str_replace is case-sensitive, so we can bypass this by using all capitals, <SCRIPT>, instead.
In these cases, it is often a good idea to also try a mixture of upper and lower case on the script tag, for example:
DVWA - Reflected High
Referring to the source code, a regular expression is being used to filter out the individual letters that make up the word script. Instead of using the word script, we can try a bypass such as the img tag or the body tag:
<BODY ONLOAD=alert('XSS')>
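Why both filters fail while output encoding holds, as an added example that is not DVWA's code or part of the original notes. The filter functions are assumed shapes modelled on the descriptions above, the helper names are hypothetical, and the only inputs are the two strings quoted on this page.

```python
import html
import re
from html.parser import HTMLParser

# Filter shapes are assumptions modelled on the page's description of the
# DVWA levels; they are not copied from DVWA's source.
def medium_filter(name):
    # Case-sensitive literal replacement, as PHP's str_replace performs.
    return name.replace("<script>", "")

def high_filter(name):
    # Removes "<" followed by the letters s, c, r, i, p, t in that order.
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", name, flags=re.I)

def encode_output(name):
    # Output encoding for an HTML body context: metacharacters become entities.
    return html.escape(name, quote=True)

class TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        # Record the tag and any event-handler attributes (on*).
        self.found.append((tag, [k for k, _ in attrs if k.startswith("on")]))

def active_markup(value):
    """Tags a parser sees when `value` is echoed into a response fragment."""
    parser = TagCollector()
    parser.feed("<pre>Hello " + value + "</pre>")
    parser.close()
    return [t for t in parser.found if t[0] != "pre"]

# The two strings quoted on this page, used as inputs.
SAMPLES = ["<SCRIPT>", "<BODY ONLOAD=alert('XSS')>"]

def report():
    checks = (("medium", medium_filter), ("high", high_filter),
              ("encoded", encode_output))
    return [(s, label, active_markup(fn(s))) for s in SAMPLES
            for label, fn in checks]

if __name__ == "__main__":
    for sample, label, found in report():
        print(f"{label:8} {sample!r:30} -> {found}")
```

An empty list means the echoed value reaches the browser as text only. Blacklisting one tag name leaves every other tag and event handler available, which is why encoding on output is the fix rather than a longer blacklist.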