Try Hack Me: OWASP Top 10 Room Day 7 of 10

This is a FREE (meaning you don’t have to pay for subscription, just create an account) room on Try Hack Me that contains challenges with a goal to teach one of the OWASP vulnerabilities everyday for 10 days in a row. The challenges are:

Day 1: Injection

Day 2: Broken Authentication

Day 3: Sensitive Data Exposure

Day 4: XML External Entity

Day 5: Broken Access Control

Day 6: Security Misconfiguration

Day 7: Cross-site Scripting

Day 8: Insecure Deserialization

Day 9: Components with Known Vulnerabilities

Day 10: Insufficient Logging & Monitoring

Today’s challenge is Day 7: Cross-site Scripting. I blurred the answers so you will have to do the steps yourself to reveal them.

Below are the challenge questions: (I was assigned an IP of 10.10.154.171. Check your assigned IP address, yours will be different from mine).

  • First, we have to register to get in to the XSS Playground to get the answers for the today’s challenge questions.
Registration page
  1. Go to http://10.10.154.171/reflected and craft a reflected XSS payload that will cause a popup saying “Hello”.
  • The instruction on challenge number 1 says to craft a payload that will cause a popup saying “Hello”, but it doesn’t mean that you will see a popup of “Hello”. The popup is the answer you need to enter on the XSS tasks.
Script to cause a popup alert of “Hello”
The answer for the number 2 question in [Task 21] [Day 7]

2. On the same reflective page, craft a reflected XSS payload that will cause a popup with your machine’s IP address.

We use hostname here because the name of our machine is its IP address
The answer for the number 3 question in [Task 21] [Day 7]

3. Now, navigate to the Stored XSS page. Then add a commnet and see if you can insert some of your own HTML

Simple HTML code
The answer for the number 4 question in [Task 21] [Day 7]

4. On the same page, create an alert popup box appear on the page with your document cookies

The answer for the number 5 question in [Task 21] [Day 7]

5. Change “XSS Playground” to “I am a hacker” by adding a comment and using Javascript

The answer for the number 6 question in [Task 21] [Day 7]
Completed all tasks in [Task 21][Day 7]

I am not getting paid by Try Hack Me to say this, but go and sign up for a free account on https://tryhackme.com

I have more hacking/pentesting walk-through and write-ups on my blog https://beginninghacking.net