[EN] TryHackMe 25 Days of Cyber Security: Day 6 Walkthrough

[Day 6] Web Exploitation: Be careful with what you wish on a Christmas night

What is XSS?

Cross-site scripting (XSS) is a web vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user and carry out any actions that the user is able to perform. If the victim user has privileged access within the application (i.e. admin), then the attacker might be able to gain full control over all of the application’s functionality and data. Even if the user is a low-privileged one, XSS can still allow an attacker to obtain a lot of sensitive information.

Why does it work like that?

XSS is exploited by sending malicious content to the web browser, most often in the form of a JavaScript payload, but it may also include HTML, Flash, or any other type of code that the browser will execute. The variety of attacks based on XSS is almost limitless, but all of them come down to exactly two types: stored and reflected.

Types of XSS

Stored XSS works when malicious JavaScript is submitted and later stored directly on the website: for example, comments on a blog post, user nicknames in a chat room, or contact details on a customer order. In other words, any content that persistently exists on the website and can be viewed by victims.

Reflected is another type of XSS that is carried out directly in the HTTP request and requires the attacker to do a bit more work. An example of this could be malicious JavaScript in a link or a search field. The code is not stored on the server, meaning that a target user has to compromise themselves by clicking the link.

How to detect XSS?

Both reflected and stored XSS vulnerabilities can be detected in a similar way: through the use of HTML tags such as <h1></h1>, <b></b> or others. The idea is to submit text wrapped in those tags and see whether the page renders it any differently. Any change in text size or color immediately indicates that the input is being rendered as HTML rather than as text, which is an XSS vulnerability.

Bonus: Mitigating XSS

The rule is simple: all user input should be sanitized on both the client and server side so that potentially malicious characters are removed or encoded. There are libraries to help with this on every platform.
Smart developers should always apply a filter to every text input field and follow a strict set of rules for processing the submitted data.

Questions

1. Deploy your AttackBox (the blue “Start AttackBox” button) and the task’s machine (green button on this task) if you haven’t already. Once both have deployed, open Firefox on the AttackBox and copy/paste the machine’s IP (http://MACHINE_IP:5000) into the browser search bar (the webserver is running on port 5000, so make sure this is included in your web requests).

[No Answer Needed]

2. What vulnerability type was used to exploit the application?

The ‘Make a Wish’ website works by storing the value entered in the form and writing it into memory, just like comments on social media. Based on what we have found, the vulnerability type is ‘Stored Cross Site Scripting’.

3. What query string can be abused to craft a reflected XSS?

For example, if we search for ‘book’, the URL changes into:

http://<ip>/?q=<value>

As we all know, the question mark (?) in the URL marks the start of the query string sent with the GET request, ‘q’ is the parameter name, and what follows the equal sign (=) is the parameter’s value. A reflected XSS query string in the URL would look like this:

4. Launch the OWASP ZAP Application

OWASP ZAP Interface

[No Answer Needed]

5. Run a ZAP (zaproxy) automated scan on the target. How many XSS alerts are in the scan?

On the OWASP ZAP interface, click ‘Automated Scan’ on the right. Paste the URL of the target website and press ‘Attack’. The scan can take several minutes, or much longer. Once it’s done, go to the ‘Alerts’ tab and analyze the results. As we can see in the picture, there are 2 alerts for reflected XSS.

6. Explore the XSS alerts that ZAP has identified, are you able to make an alert appear on the “Make a wish” website?

To make an alert appear on the website, we can use the JavaScript alert function:

<script>alert('xss')</script>

This code can be injected into the ‘New Wish’ field or into the URL query parameter from question 3.

Reference: TryHackMe

Author: Fadila Ahmad S, Undergraduate Informatics Student and Technology Enthusiast.