Cross-Site Scripting (XSS) - Session Hijacking

Hello everyone, is there anyone that can help me with this module? I have found the vulnerable field, created the PHP payload and the script.js, but when I send the payload to grab the index.php it doesn’t work. I am sure I am missing something here but not sure what, but any help would be appreciated.

Don’t know if you found it yet? But there are some examples from [PayloadsAllTheThings]; you could try some of them ;o). Tbh I got the flag/session just testing connectivity (simple script connecting to my IP) to my server from the fields, so it might not be that advanced, however - good to learn the stuff.

If still not working, try just to access your PHP web server from the browser to see if all is good (I used http://myip:8080).

(provided you started it with “sudo php -S 0.0.0.0:8080”)

Then, when working, try the simple script just accessing your PHP web server (might need tweaking of the code as per the start of this blog).

Happy hunting

Anyone able to pull this one off using xsstrike.py w/ --crawl and --blind options? Just curious.
