TryHackMe – Advent of Cyber 2 – Day 6 – Walkthrough

This is a write-up for the TryHackMe room: Advent of Cyber 2, Day 6. Let’s get started!

[Day 6] – Web Exploitation – Be careful with what you wish on a Christmas night

Deploy your machine and read through the information.

For the first question we need to identify what type of vulnerability the attacker used. If you read through the text, you should be able to answer this. If not, I recommend reading through the text again, paying attention to the description of each type of vulnerability.

Once completed, navigate to the site on port 5000.

Test the normal functionality of the site. If you type in a wish, you can see that it shows up when you search for it. I think I see another place for a different type of XSS vulnerability in the URL. This helps us answer our second question.

We can test this manually, but let’s use OWASP ZAP to go through the site instead. Go to Automatic Scan, add the URL (with port 5000) and choose Attack.

Once the scan is complete, look at your Alerts tab to answer the next question. All done! Well, let’s see if you can complete the final question. Can you make an alert appear on the website?
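To make the two findings concrete, here is an added example (not the room’s own application code) of the stored wish list and the reflected search parameter rendered both unsafely and with output encoding; the storage list, the `q` parameter name and the HTML layout are assumptions:

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the wishes the site stores (hypothetical, not the room's data).
STORED_WISHES = ["a new bike", "<b>a very bold wish</b>"]


def render_wishes_unsafe(wishes):
    """Vulnerable: stored wishes are dropped into the page as raw HTML (stored XSS)."""
    return "<ul>" + "".join(f"<li>{w}</li>" for w in wishes) + "</ul>"


def render_wishes_safe(wishes):
    """Hardened: each wish is HTML-escaped, so the browser shows tags as plain text."""
    return "<ul>" + "".join(f"<li>{html.escape(w, quote=True)}</li>" for w in wishes) + "</ul>"


def search_term(url):
    """Extract the search value from the URL; 'q' is an assumed parameter name."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_search_unsafe(url):
    """Vulnerable: the URL parameter is reflected into the page unencoded (reflected XSS)."""
    return f"<p>Results for: {search_term(url)}</p>"


def render_search_safe(url):
    """Hardened: the reflected value is escaped before it reaches the page."""
    return f"<p>Results for: {html.escape(search_term(url), quote=True)}</p>"


def user_markup_survives(rendered, user_text):
    """True when user-controlled text reached the HTML unchanged, i.e. the encoding failed."""
    return user_text in rendered


if __name__ == "__main__":
    sample = "<b>a very bold wish</b>"
    print("stored, unsafe  :", render_wishes_unsafe(STORED_WISHES))
    print("stored, safe    :", render_wishes_safe(STORED_WISHES))
    url = "http://MACHINE_IP:5000/?q=" + sample  # MACHINE_IP is a placeholder
    print("reflected unsafe:", render_search_unsafe(url))
    print("reflected safe  :", render_search_safe(url))
    print("markup survives :", user_markup_survives(render_wishes_safe(STORED_WISHES), sample))
```

The same check is what ZAP is doing under the hood: it submits marker text and reports an alert when the marker comes back in the response without being encoded.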

Review

Today we learned all about Cross-Site Scripting and why it is never a good idea to leave user input unsanitized! Great job, and we will see what tomorrow has in store for us!

References

TryHackMe | Advent of Cyber 2 Room
