The goal of this lab is to exploit a stored cross-site scripting vulnerability in the blog comments by calling an alert function when the blog post is viewed.
First, let’s check how the website responds to a posted comment. Rather than just typing in a regular comment, I decided to add some code to see if it would be executed.
It did, which shows that the web app might in fact be vulnerable.
Now, let’s construct a basic payload that will display a message on the post.
The alert function worked, and the message is displayed.
The vulnerability is exploited and the lab is solved.
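
Why the code posted in the comment runs for every later visitor, shown as an added example that is not part of the original write-up or the lab's own code: a comment section built by string concatenation returns stored input as markup, while HTML-encoding at output time turns the same input into text. The function names, the comment data and the page layout are assumptions made for illustration.

```javascript
// Added example: constructed data and hypothetical function names throughout.
// Comments as they would sit in storage after being posted (constructed sample).
const storedComments = [
  { author: "alice", body: 'Nice post, 5 < 6 & "ok"' },
  { author: "bob", body: "<script>alert(1)</script>" },
];

const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the characters that let text break out into markup in an HTML body
// or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: stored input is concatenated into the page as markup.
function renderCommentUnsafe(c) {
  return `<p class="comment"><b>${c.author}</b>: ${c.body}</p>`;
}

// Hardened pattern: every stored field is encoded at output time.
function renderCommentSafe(c) {
  return `<p class="comment"><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</p>`;
}

// Build the comment section every visitor of the post receives.
function renderComments(comments, renderOne) {
  return comments.map(renderOne).join("\n");
}

// Crude check used only for this demonstration: does the response still
// contain a live script element?
function hasScriptElement(html) {
  return /<script\b/i.test(html);
}

console.log(hasScriptElement(renderComments(storedComments, renderCommentUnsafe)));
console.log(hasScriptElement(renderComments(storedComments, renderCommentSafe)));
console.log(renderComments(storedComments, renderCommentSafe));
```

Because the encoding happens when the page is rendered, it also covers comments that were already stored before the fix.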