Burp Suite Academy lab – Stored XSS into HTML context with nothing encoded

This lab contains a stored cross-site scripting vulnerability in the comment functionality.
To solve this lab, submit a comment that calls the alert function when the blog post is viewed.

Access to the lab

https://0a7900e404a806d2c000170700c90074.web-security-academy.net

Solution

Click on the View post button:

https://0a7900e404a806d2c000170700c90074.web-security-academy.net/post?postId=6

At the bottom of the page, there is a comments section where you can add a message.

We can use the comment form to submit our payload.

Now open the post again and a popup will appear.
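The lab title names the root cause: the comment is written into the HTML body with nothing encoded, so any markup in it is parsed as part of the page. The following Python is an added example (not from the lab or this post) that contrasts a template that concatenates the comment raw with one that HTML-encodes it, and uses the standard-library parser to list which tags a browser would actually see in each case. The sample comment and the `render_comment_*` helpers are constructed for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample comment: ordinary text mixed with markup and quote
# characters, the kind of input a stored-XSS check has to survive.
SAMPLE_COMMENT = 'Great post! <script>alert(1)</script> & "quotes" <b>bold</b>'


def render_comment_unencoded(comment: str) -> str:
    """Vulnerable rendering: the comment is dropped straight into the HTML body.

    Mirrors the lab's behaviour, where no output encoding is applied.
    """
    return f'<section class="comment"><p>{comment}</p></section>'


def render_comment_encoded(comment: str) -> str:
    """Hardened rendering: encode the characters that are significant in an
    HTML text context (& < > " ') so the comment can only ever be text."""
    return f'<section class="comment"><p>{html.escape(comment, quote=True)}</p></section>'


class TagCollector(HTMLParser):
    """Records every start tag the parser encounters, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_seen_by_browser(fragment: str) -> list[str]:
    """Parse an HTML fragment the way a browser would and return the tag names.

    Any tag beyond the template's own <section> and <p> came from user input.
    """
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def comment_injected_markup(fragment: str) -> bool:
    """True if the rendered fragment contains tags the template did not emit."""
    return any(tag not in ("section", "p") for tag in tags_seen_by_browser(fragment))


if __name__ == "__main__":
    raw = render_comment_unencoded(SAMPLE_COMMENT)
    safe = render_comment_encoded(SAMPLE_COMMENT)
    print("unencoded tags:", tags_seen_by_browser(raw))   # script and b leak through
    print("encoded tags:  ", tags_seen_by_browser(safe))  # only the template's own tags
    print("injected markup (unencoded):", comment_injected_markup(raw))
    print("injected markup (encoded):  ", comment_injected_markup(safe))
```

The encoded variant is the fix for this specific context only: a comment reflected inside an attribute value, a JavaScript string, or a URL needs the encoding appropriate to that context, which is what the later labs in the same series exercise.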
