- Navigate to OWASP 2013 | A1 – Injection (Other) | JavaScript Injection | Password Generator:
- Note that after clicking the Generate Password button, a password is shown. Also note that the username value supplied in the URL is reflected back as-is on the web page: http://192.168.56.101/mutillidae/index.php?page=password-generator.php&username=anonymous. This means a potential XSS vulnerability may exist on the page:
- Switch to the Burp Proxy HTTP history tab and find the HTTP message associated with the Password Generator page. Flip ...
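The observation in the step above (a URL parameter that comes back in the response byte-for-byte) is the signal a reviewer looks for, and output encoding is the fix. The following is an added example, not Mutillidae's own code nor anything from the Burp workflow: `renderPasswordGeneratorPage` is a hypothetical stand-in for the page's markup, `isReflectedVerbatim` is the verbatim-reflection check, and the sample URL and marker value are constructed for the example (the marker is a harmless string containing markup characters).

```javascript
// Added example (not Mutillidae's own code): models the reflection the
// walkthrough points out and the output-encoding fix. The page HTML and
// the sample URL below are constructed for this example.

// Minimal HTML entity encoder for text placed inside element content
// or inside a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical rendering of the password-generator page. With encode=false
// the username is concatenated into the markup unchanged, which is the
// behaviour the walkthrough observes; with encode=true it is encoded first.
function renderPasswordGeneratorPage(username, encode) {
  const shown = encode ? escapeHtml(username) : username;
  return (
    "<html><body>" +
    "<h1>Password Generator</h1>" +
    "<p>This password is for " + shown + "</p>" +
    '<input type="text" name="username" value="' + shown + '">' +
    "</body></html>"
  );
}

// Detection helper: does the decoded value of `param` in `url` appear
// verbatim in the response body? A true result for a marker that contains
// markup characters means the page does no output encoding.
function isReflectedVerbatim(url, param, html) {
  const value = new URL(url).searchParams.get(param);
  return value !== null && html.includes(value);
}

// Constructed sample: the lab URL with a harmless marker (containing
// markup characters) in place of "anonymous".
const marker = 'anon<b>"x"</b>';
const sampleUrl =
  "http://192.168.56.101/mutillidae/index.php?page=password-generator.php&username=" +
  encodeURIComponent(marker);

// Runs the check against both renderings and returns the results.
function demo() {
  const vulnerable = renderPasswordGeneratorPage(marker, false);
  const hardened = renderPasswordGeneratorPage(marker, true);
  return {
    vulnerableReflects: isReflectedVerbatim(sampleUrl, "username", vulnerable),
    hardenedReflects: isReflectedVerbatim(sampleUrl, "username", hardened),
    encoded: escapeHtml(marker),
  };
}

console.log(demo());
// → { vulnerableReflects: true, hardenedReflects: false,
//     encoded: 'anon&lt;b&gt;&quot;x&quot;&lt;/b&gt;' }
```

The same `isReflectedVerbatim` check can be run over a saved Burp response body for any parameter in the request URL; a `true` result for a value containing `<`, `>` or `"` is what to flag, and the encoder shows the server-side change that makes it return `false`.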