⚠️ XSS Exploitation Challenge

MEDIUM

Find and exploit the XSS vulnerability

📋 Challenge Description

You've discovered a comment section that doesn't properly sanitize user input. The application is vulnerable to Cross-Site Scripting (XSS) attacks. Your task is to craft an XSS payload that triggers an alert containing the flag.


Objective: Inject JavaScript code to execute and reveal the hidden flag.

💬 Comment Board

Recent Comments:

Alice
Great website! Very secure.
Bob
I love the design!

📖 XSS Attack Information:

XSS Types: Stored XSS (payload persisted server-side and served to later visitors), Reflected XSS (payload carried in the request and echoed into the response), DOM-based XSS (payload reaches a client-side sink such as innerHTML without the server ever processing it)
This Challenge: presented as Stored XSS, since your comment is displayed to every viewer of the board; note that the page's own postComment code assigns the comment to innerHTML on the client and never sends it to a server, so the sink you are attacking is a DOM one
Vulnerability: User input is interpolated into an HTML string and assigned to innerHTML without escaping
Goal: Inject markup whose JavaScript executes when the comment is rendered

💡 Exploitation Hints:

1. Basic XSS: Try injecting a simple script tag: <script>alert('XSS')</script>. Because the sink is innerHTML, and browsers do not execute <script> elements inserted through innerHTML, this probe renders without popping an alert; it still confirms that the markup is not escaped
2. Flag Location: The flag is stored in a global JavaScript variable called "secretFlag"
3. Access Variable: Use window.secretFlag or just secretFlag to access it
4. Script-Tag Payload: <script>alert(secretFlag)</script> (inert through innerHTML for the same reason as hint 1)
5. Working Alternative: <img src=x onerror="alert(secretFlag)"> fires because the broken image's onerror handler runs as soon as the element is parsed into the DOM
6. Testing: After posting, the injected event handler should fire automatically; the page's keyword check only logs to the console and does not block the comment
7. Ask a Chatbot: "How do I create an XSS payload to access a JavaScript variable?"
Flag Format: CTF{...}
Page script (the vulnerable postComment function as shipped with the challenge):

function postComment() {
    const username = document.getElementById('username').value;
    const comment = document.getElementById('comment').value;
    const commentsList = document.getElementById('comments-list');
    if (!username || !comment) {
        alert('Please fill in both fields!');
        return;
    }
    // VULNERABLE: No input sanitization!
    // This directly inserts user input into HTML
    const newComment = document.createElement('div');
    newComment.className = 'comment';
    newComment.innerHTML = `
${username}
${comment}
`;
    commentsList.insertBefore(newComment, commentsList.firstChild);
    // Clear form
    document.getElementById('username').value = '';
    document.getElementById('comment').value = '';
    // Log the injection attempt (keyword check only logs; it never blocks the comment)
    console.log('Comment posted:', { username, comment });
    if (comment.toLowerCase().includes('script') || comment.toLowerCase().includes('onerror')) {
        console.log('⚠️ XSS payload detected in comment!');
    }
}
console.log('🚩 Flag: CTF{xss_3xpl01t4t10n_m4st3r}');
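The following is an added example, not the challenge page's own code: a DOM-free model of the page's comment renderer so that the unescaped template, an escaped version of it, and the page's keyword logger can be compared offline in Node. The function names (escapeHtml, commentHtml, naiveXssDetector, hasInjectedTag, compareRenderers) are this example's own. The payload list is constructed: it takes the two payloads from the hints above and adds an `<svg onload>` payload that uses neither keyword the page's logger looks for, to show why a two-word denylist is not a control.

```javascript
// Added example, not the challenge page's code: a DOM-free model of the
// page's comment renderer. All function names here are this example's own.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let input break out of a text node or a
// double- or single-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The page builds a <div class="comment"> and fills it from a template literal
// assigned to innerHTML. With escape=false this mirrors the page's behaviour;
// with escape=true every user-controlled character is encoded first.
function commentHtml(username, comment, escape) {
  const enc = escape ? escapeHtml : (s) => String(s);
  return `<div class="comment">\n${enc(username)}\n${enc(comment)}\n</div>`;
}

// The page's logging check, reproduced as-is: a two-keyword denylist that
// only writes to the console and never blocks the comment.
function naiveXssDetector(comment) {
  const c = comment.toLowerCase();
  return c.includes('script') || c.includes('onerror');
}

// True when the rendered markup still contains a user-supplied element start
// tag (the wrapper div is the only tag the renderer itself emits).
function hasInjectedTag(html) {
  return /<(?!\/?div\b)[a-z]/i.test(html);
}

// Constructed payloads: the two from the page's hints plus one that contains
// neither "script" nor "onerror".
const PAYLOADS = [
  '<script>alert(secretFlag)</script>',
  '<img src=x onerror="alert(secretFlag)">',
  '<svg onload="alert(secretFlag)">',
];

// For each payload: does it survive as live markup in the unescaped render,
// does it survive in the escaped render, and would the page's logger notice?
function compareRenderers() {
  return PAYLOADS.map((payload) => ({
    payload,
    injectedWhenUnescaped: hasInjectedTag(commentHtml('Mallory', payload, false)),
    injectedWhenEscaped: hasInjectedTag(commentHtml('Mallory', payload, true)),
    loggedByPageDetector: naiveXssDetector(payload),
  }));
}

for (const row of compareRenderers()) console.log(row);
```

Escaping is the string-level fix for a renderer that insists on building markup; in a real browser the simpler fix for this page is to stop building markup from user data at all and set the username and comment with textContent (or createTextNode) on elements created with createElement, which needs no escaping and cannot introduce a new tag or attribute. Either way, the keyword logger stays what it is on the page: a console message, not a control.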