In Mutillidae, the security level is adjustable, with 0 meaning no security and 5 meaning server-side security. The levels in between are client-side security, meaning there is no server-side validation or sanitisation of user input; every security measure is enforced in the browser (e.g. filtering certain characters).
On the DNS lookup page in Mutillidae, with security level 1, we type in
<.script>alert(0)</.script>
Remember to remove the periods
And we get a message saying
So no special characters are allowed. However, what if we intercept the request via Burp Suite and modify it? Notice that when we typed in the script and hit enter, the page didn't refresh and the input was rejected instantly. This means the request never reached the server, so the server did no validation at all; it was all done in the browser using AJAX.
We try again but this time we just send in a message like “hello” and intercept it via Burp.
We have the request, so let's go ahead and modify "hello" to a script.
We then forward it to the website and
boom!
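The walkthrough above, as an added example that is not Mutillidae's own code: a small model of a DNS-lookup endpoint whose only check runs in the browser, next to a server-side handler that validates and encodes on its own. The handler names, the hostname pattern and the sample input are assumptions made for this illustration.

```javascript
// Added example, not Mutillidae's own code: a model of a DNS-lookup endpoint
// whose only check lives in the browser, beside a server-side fix.

// Browser-side filter, as at Mutillidae security level 1: rejects < and >.
// It runs only in the user's browser, so a request edited in an intercepting
// proxy (as in the walkthrough above) never passes through it.
function clientSideFilter(input) {
  return !/[<>]/.test(input);
}

// Level-1-style server handler: assumes the browser already filtered and
// reflects the submitted hostname straight into the HTML response.
function insecureLookupHandler(hostname) {
  return { status: 200, body: `<p>Results for ${hostname}</p>` };
}

// Hardened handler: repeats validation on the server with an allow-list of
// what a hostname may look like, and HTML-encodes anything it reflects.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function secureLookupHandler(hostname) {
  if (!HOSTNAME_RE.test(hostname)) {
    return { status: 400, body: '<p>Invalid hostname</p>' };
  }
  return { status: 200, body: `<p>Results for ${htmlEncode(hostname)}</p>` };
}

// Constructed sample input: the same value the browser form rejected. Sent
// directly to the server, it skips clientSideFilter entirely.
const TAMPERED = '<script>alert(0)</script>';

// Reports whether a handler's response still contains the raw script tag.
function reflectsRawMarkup(handler, input) {
  return /<script>/i.test(handler(input).body);
}

console.log('client filter blocks it:', !clientSideFilter(TAMPERED));
console.log('insecure handler reflects it:', reflectsRawMarkup(insecureLookupHandler, TAMPERED));
console.log('secure handler reflects it:', reflectsRawMarkup(secureLookupHandler, TAMPERED));
```

The point is the one the walkthrough makes: the browser-side check is a usability feature, not a security boundary, and only the server-side validation and output encoding stop the reflected script.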