Try Hack Me: OWASP Top 10 Room Day 7 of 10
This is a FREE (meaning you don’t have to pay for a subscription, just create an account) room on Try Hack Me that contains challenges whose goal is to teach one of the OWASP Top 10 vulnerabilities every day for 10 days in a row. The challenges are:
Day 1: Injection
Day 2: Broken Authentication
Day 3: Sensitive Data Exposure
Day 4: XML External Entity
Day 5: Broken Access Control
Day 6: Security Misconfiguration
Day 7: Cross-site Scripting
Day 8: Insecure Deserialization
Day 9: Components with Known Vulnerabilities
Day 10: Insufficient Logging & Monitoring
Today’s challenge is Day 7: Cross-site Scripting. I blurred the answers so you will have to do the steps yourself to reveal them.
Below are the challenge questions. (I was assigned an IP of 10.10.154.171. Check your assigned IP address; yours will be different from mine.)
Before answering any of the questions, register an account to get into the XSS Playground, which is where the answers for today’s challenge questions come from.
1. Go to http://10.10.154.171/reflected and craft a reflected XSS payload that will cause a popup saying “Hello”.
   Note that although challenge 1 says to craft a payload that causes a popup saying “Hello”, the popup you get will not simply say “Hello”: what the popup displays is the answer you need to enter for the XSS task.
2. On the same reflected page, craft a reflected XSS payload that will cause a popup with your machine’s IP address.
3. Now navigate to the Stored XSS page, then add a comment and see if you can insert some of your own HTML.
4. On the same page, make an alert popup box appear on the page with your document cookies.
5. Change “XSS Playground” to “I am a hacker” by adding a comment and using JavaScript.
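As an added example (not code from this post or from TryHackMe’s playground), the snippet below shows the missing defence these five challenges probe for: a reflected value and stored comments rendered into a page with and without HTML escaping. The function names, the simulated page markup and the sample input are assumptions made for the illustration.

```javascript
// Added illustration, not the THM playground's code: HTML-escape user input
// before it is reflected (challenges 1-2) or rendered from stored comments
// (challenges 3-5). All names here are assumed for the example.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Simulated /reflected page: the submitted value is echoed back in the body.
// `escape: false` mimics the vulnerable behaviour the playground exhibits.
function renderReflected(value, { escape = true } = {}) {
  const shown = escape ? escapeHtml(value) : value;
  return `<h1>XSS Playground</h1><p>You searched for: ${shown}</p>`;
}

// Simulated Stored XSS page: every saved comment is rendered into a list.
function renderComments(comments, { escape = true } = {}) {
  const items = comments.map((c) => `<li>${escape ? escapeHtml(c) : c}</li>`);
  return `<h1>XSS Playground</h1><ul>${items.join('')}</ul>`;
}

// Simple check for a unit test or page review: did user-controlled input
// survive into the markup as a live <script> tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample input: the textbook payload behind challenge 1.
const SAMPLE_PAYLOAD = '<script>alert("Hello")</script>';

// Compare the vulnerable and hardened renderings of the same input.
function demo() {
  return {
    unescaped: containsScriptTag(renderReflected(SAMPLE_PAYLOAD, { escape: false })),
    escaped: containsScriptTag(renderReflected(SAMPLE_PAYLOAD)),
    storedEscaped: containsScriptTag(renderComments(['nice post', SAMPLE_PAYLOAD])),
  };
}
```

escapeHtml is only correct for HTML text and quoted-attribute contexts; a value placed inside a script block, a URL or an event-handler attribute needs that context’s own encoding, which is why the playground’s later tasks still succeed on pages that escape in the wrong place.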
I am not getting paid by Try Hack Me to say this, but go and sign up for a free account on https://tryhackme.com