Skip to content

Cross-site Scripting⚓︎

Difficulty:
Direct link: TryHackMe - OWASP

Objective⚓︎

Task 20

The VM attached to this task showcases DOM-Based, Reflected and Stored XSS. Deploy the machine and exploit each type!

Hints⚓︎

Question 1 Hint

Take a look at some HTML tags here.

Question 2 Hint

You can get the pages documents using document.cookies in Javascript
If you right click on this page, and select "Inspect Element", it will open your browsers Development Tools. You can execute Javascript in the console tab.

Question 3 Hint

Now you know you can execute Javascript directly on the webpage, you can use it to change elements on the page

Try running this in your Developer Tools console document.querySelector('#thm-title').textContent = 'Hey'

Solution⚓︎

Task 20.1

Navigate to in your browser and click on the "Reflected XSS" tab on the navbar; craft a reflected XSS payload that will cause a popup saying "Hello".

This one we are able to find the payload in the reading. First, deploy the VM for this task and when the IP address is available, paste it in the browser of your attack machine and follow the prompt to select "Reflected XSS".

XSS Playground

XSS Playground

Reflective

This page is where we will inject our script

Reflected XSS

Using the payload from the reading, inject the script in the search bar and hit "Search".

Payload
1
<script>alert("Hello")</script>

payload

The popup gives us the flag instead of our injected string

Task 20.2

On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address.

Hint

In Javascript window.location.hostname will show your hostname, in this case your deployed machine's hostname will be its IP.

So given the hint provided, we can craft a similar payload to the one we just sent, replacing "Hello" with window.location.hostname so it would look like this:

Script

Use this script to trigger a new flag.

Payload 2
1
<script>alert(window.location.hostname)</script>

xss

Reflected XSS exfiltrating information

Task 20.3

Now navigate to in your browser and click on the "Stored XSS" tab on the navbar; make an account. Then add a comment and see if you can insert some of your own HTML.

So the first step is navigating to the "Stored XSS" page and registering an account.

Stored XSS

Account creation page

I used a generic test:test username and password to register an account which default logged me in.

logged in

Logging in should take you to the "Stored XSS" submission page.

It helps to be familiar with HTML at this point, however it is not strictly necessary. If you are unfamiliar with HTML, you can read up about it more here. You can also select the hint link that is on the page to see the clues listed above under Hints.

So I tried using a simple test by using raw HTML in the comment section.

Script

I submitted this to the comment section before reading through the hints. <h1>This is a test</h1>.

HTML

Stored XSS

Task 20.4

On the same page, create an alert popup box appear on the page with your document cookies.

This task seems to match the hint for question 2 from the "Stored XSS" page. Using the Dev Tools and Console, we can see the result of using the document.cookie.

DOM

Now we can see the cookie

The instruction in the room however, says to create an alert popup. This means using the same Javascript injection we used earlier, combining it with the HTML script and trying to get the alert to pop on screen with the cookie. To do this I inserted my payload into the "Add a comment" section and sent it.

Flag

We can see that the popup matches the cookie shown in the Dev Tools.

Script

Submit <script>alert(document.cookie)</script> in the comment section. alert() will trigger the popup while document.cookie grabs the session cookie.
Once we select "OK" the flag will also popup
flag

Task 20.5

Change "XSS Playground" to "I am a hacker" by adding a comment and using Javascript.

Title

This needs to be changed to "I am a hacker"

The hint for this one gives us the script or command we need to use.

hey

document.querySelector('#thm-title').textContent = 'Hey'

We can just plug in the phrase that is needed to trigger the flag with the script provided into the DevTools Console:

Provided Script
1
document.querySelector('#thm-title').textContent = 'I am a hacker'

hacker

The title was changed with the console

Unfortunately, this didn't actually trigger the flag. I tried refreshing the page with no success. So I tried once again with just submitting it as a comment on the page.

Script

Submit the HTML script as a comment to the page to trigger the flag.

xss-flag

Wrap Up⚓︎

This is a common attack vector that I was relatively familiar with but the next issue with Incesure Deserialization was new to me.