I have been given permission to run OWASP Zap on a web application. I don't have a lot of experience of pen testing so it's all a bit new to me.
I ran Zap on the application and it came up with a High severity alert relating to DOM based XSS.
The attack was #javascript:alert(1) and it gave me a URL <my web app URL>#javascript:alert(1). The method used was POST.
The page in the web app that the vulnerability is in is a form.
I would like to manually reproduce this issue and see the alert and was wondering how I can go about this?
I tried pasting the URL into the browser but this is doing a GET not a POST.
I also tried to use Firefox developer tools to change the request to a POST and then resend it but I still couldn't see the alert.
You can use burprepeater in burpsuite comunity. In the request you can change method to post.
You can change your request and copy when you belive that the request run fine. Then you can do a Curl -X in your terminal if you belive its necesary why burpsuite its only you need
Try this and coment. Regards