Send files to get some shells

Direct access to hidden assets

Manipulate your targets

Find the password

Extract the database by changing your username

Think outside the box when passing parameters

Discover how third party code can get you pwned

Explore the limits of client side controls

Get in the dev's mindset to access the assets

Under the dom

First attacks with Burp

First launch of Burp Suite

Run DVWA with Docker

Store scripts in unusual places

XSS yourself