1)
This flaw exists because the application does not validate the "nickname" variable upon submission to the post.php script via the POST method.
h**p://www.[target]/post.php?nickname="><script>alert('XSS')</script><!–