Solving PortSwigger Academy: Exploiting cross-site scripting to capture passwords
This lab contains a stored XSS vulnerability in the blog comments function. A simulated victim user views all comments after they are posted. To solve the lab, exploit the vulnerability to exfiltrate the victim’s username and password, then use these credentials to log in to the victim’s account.
As soon as we logged in, we saw a blogging site where customers leave their comments. So, as usual, I first tested for XSS in the comment section using <img src=x onerror=prompt()> and I received a prompt.

Now we need code that will send the required data to us or to a server controlled by us.


Now use this username and password to log in to the application.
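
The probe fired because the comment body is written into the page without output encoding. The following is an added example, not code from the original post or from the lab, showing that rendering flaw beside its output-encoding fix; the function names and the shape of the comment object are hypothetical.

```javascript
// Added example: a comment template that trusts stored text, and the
// output-encoding fix. All names here are hypothetical.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode every character that can open a tag, start an entity,
// or break out of a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored fields are concatenated into markup as-is,
// so any tag in the comment body becomes part of the page.
function renderCommentUnsafe(comment) {
  return `<section class="comment"><p>${comment.author}</p>` +
         `<p>${comment.body}</p></section>`;
}

// Hardened pattern: every stored field is encoded at output time,
// so the browser displays the text instead of parsing it.
function renderCommentSafe(comment) {
  return `<section class="comment"><p>${escapeHtml(comment.author)}</p>` +
         `<p>${escapeHtml(comment.body)}</p></section>`;
}

// Review helper: does the rendered HTML contain a real tag that carries
// an inline event handler attribute (on...=)?
function hasInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample: the probe from the post, stored as a comment body.
const sample = { author: "tester", body: "<img src=x onerror=prompt()>" };

console.log("unsafe render has live handler:",
            hasInlineHandler(renderCommentUnsafe(sample)));
console.log("safe render has live handler:  ",
            hasInlineHandler(renderCommentSafe(sample)));
console.log(renderCommentSafe(sample));
```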
