Lab: Stored DOM XSS

tags: Portswigger Web Security Academy Web
  • Description: This lab demonstrates a stored DOM vulnerability in the blog comment functionality.
  • Goal: To solve this lab, exploit this vulnerability to call the alert() function.

Recon

  1. Find the injection point. According to the description, the comment section of each blog post is where the problem lies, so that is where we try to inject something.
  2. Try to inject. Comment payload: `<script>alert(123)</script>`. Nothing visible happens, which seems odd; when you view the page source you will find that the comments are loaded by an external JS file, i.e.:

  3. What is loadCommentsWithVulnerableEscapeHtml.js? The main purpose of this file is to load the comments into the page and escape some sensitive characters.

     :::spoiler A part of the source code
     ```javascript
     ...
     // replace() with a string pattern only replaces the FIRST match,
     // so only one '<' and one '>' in the whole comment are ever escaped.
     function escapeHTML(html) {
       return html.replace('<', '&lt;').replace('>', '&gt;');
     }
     ...
     ```
     :::

     However…

     :::danger
     According to the JavaScript documentation (MDN), String.prototype.replace() called with a string pattern replaces only the first occurrence; a global regular expression (or replaceAll()) is needed to replace them all.
     :::

  4. Try to inject extra `<>` characters. Comment payload: `<><script>alert(123)</script>`

The payload now survives the escaping (the leading `<>` consume the single replacement), but the script still does not run, because the comment is inserted into the DOM dynamically by the external loader, and script elements inserted that way are not executed. So we switch the payload to an img tag, whose event handler fires instead.

Exp

New Comment Payload: <><img src="a" onerror="alert(123)">
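To make the root cause and the fix concrete, here is an added example (not the lab's code) that puts the lab's one-shot escapeHTML beside a hardened version and runs both over the three comment payloads from this writeup; the payload list and the `containsRawTag` check are constructed for the example.

```javascript
// Added example, not part of the lab or of PortSwigger's solution.

// Vulnerable (mirrors the lab's escapeHTML): String.prototype.replace with a
// *string* pattern replaces only the first match, so any later '<' or '>'
// in the comment is left untouched.
function escapeHTMLVulnerable(html) {
  return html.replace('<', '&lt;').replace('>', '&gt;');
}

// Hardened: escape every occurrence of every HTML-significant character with
// a global regex (/g). '&' and both quote styles are included so the output
// is also safe inside attribute values, not only in text nodes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHTMLSafe(html) {
  return html.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Simple check used below: does an "escaped" string still contain the start
// of a raw tag (a '<' directly followed by a letter)?
function containsRawTag(escaped) {
  return /<[a-z]/i.test(escaped);
}

// The three comment payloads from this writeup (constructed test input).
const PAYLOADS = [
  '<script>alert(123)</script>',        // step 2: the single '<' and '>' get escaped
  '<><script>alert(123)</script>',      // step 4: the leading '<>' absorb the one replacement
  '<><img src="a" onerror="alert(123)">' // exploit payload
];

// Run both escapers over each payload and report whether a raw tag leaks through.
function compareEscapers(payloads = PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    vulnerableLeaksTag: containsRawTag(escapeHTMLVulnerable(p)),
    safeLeaksTag: containsRawTag(escapeHTMLSafe(p)),
  }));
}
```

In the lab's loader the more robust fix is to insert the comment body with textContent rather than innerHTML, which needs no escaping at all.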

:::spoiler Success Screenshot :::

Reference