burpSuiteAcademy

BurpSuite Lab – DOM XSS in jQuery selector sink using a hashchange event

This lab contains a DOM-based cross-site scripting vulnerability on the home page. It uses jQuery’s $() selector function to auto-scroll to a given post, whose title is passed via the location.hash property. To solve the lab, deliver an exploit to the victim that calls the print() function in their browser. The affected code is: Go to the exploit server: Add into the body the malicious iframe: <iframe src=»https://0a2e00cb036dbde4c0785e5d005a000a.web-security-academy.net/#» onload=»this.src+='<img src=1 onerror=print()>'»></iframe> Based on the documentation found in the

BurpSuite Lab – DOM XSS in jQuery anchor `href` attribute sink using `location.search` source

This lab contains a DOM-based cross-site scripting vulnerability in the submit feedback page. It uses the jQuery library’s $selector function to find an anchor element, and changes its href attribute using data from location.search. To solve this lab, make the «back» link alert document.cookie. This is the Submit feedback functionality: If we check the url, we can see a returnPath parameter: https://0a1a00e703f5826ec0b1405b007b002d.web-security-academy.net/feedback?returnPath=/ This parameter is used here: To modify the back link with the value of the

BurpAcademy Lab – DOM XSS in innerHTML sink using source location.search

This lab contains a DOM-based cross-site scripting vulnerability in the search blog functionality. It uses an innerHTML assignment, which changes the HTML contents of a div element, using data from location.search. To solve this lab, perform a cross-site scripting attack that calls the alert function. As we can see here innerHTML sink used. Checking BurpAcademy DOM based Cross Site Scripting documentation. The innerHTML sink doesn’t accept script elements on any modern browser, nor will svg onload events fire. This means you will need to use alternative elements

Burp Suite Academy lab – DOM XSS in document.write sink using source location.search

This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search, which you can control using the website URL. To solve this lab, perform a cross-site scripting attack that calls the alert function. If we check the source code, we can see: as document.write() is who writes the query as part of an img tag we

Burp Suite Academy lab – Stored XSS into HTML context with nothing encoded

This lab contains a stored cross-site scripting vulnerability in the comment functionality.To solve this lab, submit a comment that calls the alert function when the blog post is viewed. Access to the lab https://0a7900e404a806d2c000170700c90074.web-security-academy.net Solution Click on View post button: https://0a7900e404a806d2c000170700c90074.web-security-academy.net/post?postId=6 At the bottom of the page, there is a comments section where you can add a message. We can try to use the comment system to place our payload. Now access again to

Burp Suite Academy lab – Reflected XSS into HTML context with nothing encoded

Today we start a new series of CTF lab solutions. In this case, we start to solve labs from the Burp Suite Academy from portswigger.net Objective: This lab contains a simple reflected cross-site scripting vulnerability in the search functionality.To solve the lab, perform a cross-site scripting attack that calls the alert function. Solution: The lab’s URL is always a random series of characters followed by the domain web-security-academy.netIn this case,