Challenge 1: Stored cross-site scripting attack

  • Updated on 30th Jan 2025

Welcome back to learning about the Cross-Site Scripting (XSS) vulnerability with the Kurukshetra app built by d4rk36.

This post starts with what an XSS vulnerability is and then walks through the XSS challenges in the vulnerable app.

If you have not set up your lab yet, refer back to the article below and make sure the lab is up and running before continuing.

Practical Hands-On Way to Learn XSS with Kurukshetra - Vulnerable App by Design


What is Cross-Site Scripting?

Cross-site scripting is also referred to as "XSS."

Cross-site scripting is an application flaw in which the server takes malformed input from the client (i.e., a browser or proxy), stores or appends it without verification, and then sends that input back as-is in an HTTP response without proper validation or output encoding.

If you are not familiar with what HTTP is, check out the following HTTP Basics Tutorial to help you get started.

The malformed input lets an attacker inject malicious code (such as HTML or JavaScript) into the server's HTTP response and change the application's behavior in the victim's browser.

An XSS vulnerability can be used to deface the landing pages of websites (known as defacement), steal user sessions and gain access to user accounts, secretly log and monitor the victim's keystrokes, control the victim's web browser, retrieve passwords saved in the browser, redirect victims to a malicious page, and much more.

Additionally, XSS, combined with other security vulnerabilities, makes the attack more severe.

In total, there are three types of XSS vulnerabilities, as detailed below.

Types of Cross-Site Scripting Vulnerabilities


Stored XSS - Walkthrough

After setting up the lab, visit http://localhost:8066. The vulnerable Kurukshetra application should load as shown below.

XSS Vulnerable Kurukshetra App - Challenge 1

Take some time to understand how the application functionality works before we start assessing.

Try adding a simple "HelloWorld" string and check how the input is appended to the comments below.

Understanding how the application behaves with user input

From the above behavior, we can see that the given input is stored server-side and displayed back to every visitor of the page.
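The stored-and-displayed pattern observed above, modelled as an added example that is not code from the Kurukshetra app: a tiny comment board that keeps comments in memory (standing in for the database) and renders them two ways, verbatim (the vulnerable sink) and HTML-encoded (the fix). The `reflectsRaw` helper is the check a tester performs by hand at this stage: does a harmless marker containing markup characters come back unchanged? All function names and the sample comments are constructed for this example.

```javascript
// In-memory stand-in for the application's stored comments table.
const comments = [];

function addComment(text) {
  comments.push(String(text));
  return comments.length;
}

// Output-encode the five characters that can break out of an HTML text context.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Vulnerable sink: stored input is concatenated into the response as-is,
// so anything that looks like markup is parsed by the visitor's browser.
function renderVulnerable() {
  return comments.map((c) => `<li>${c}</li>`).join('\n');
}

// Hardened sink: the same page, but every comment is encoded for the
// HTML text context it lands in, so markup characters are shown literally.
function renderSafe() {
  return comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('\n');
}

// Tester's check: a probe that contains '<' coming back byte-for-byte means
// the sink is not encoding and deserves closer review.
function reflectsRaw(html, probe) {
  return html.includes(probe);
}

// Constructed sample inputs: a plain comment and a harmless marker with markup.
addComment('HelloWorld');
addComment('<b>marker</b>');
console.log(renderVulnerable()); // second item renders as bold text in a browser
console.log(renderSafe());       // second item is shown literally as <b>marker</b>
```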

💡 This is one of the signs that the application may accept and store malformed input as well. Let's go ahead and try out the classic XSS payload.

Classic XSS Snippet