Apprentice

Stored XSS into HTML Context with Nothing Encoded

After landing on the home page of the lab instance, go to one of the blog posts. Enter a common XSS payload in the comment box. Fill out the other fields as you wish.

Stored XSS into Anchor href Attribute with Double Quotes HTML-encoded

From the above picture, you can observe that the input you give in the field labeled Website is used directly as the href value without proper input sanitization. Thanks to that, you can inject a payload like the following.

Reflected XSS into HTML context with nothing encoded

Write a basic alert script in the search box, like the following, and click the search button.

Reflected XSS into Attribute with Angle Brackets HTML-Encoded

Submit a random alphanumeric string in the search box. Go to Burp's HTTP history and send that request to Burp Repeater. Observe that the random string has been reflected inside a quoted attribute.

Reflected XSS into a JavaScript String with Angle Brackets HTML Encoded

After the landing page is loaded, go to the search box on the website. Submit a random alphanumeric string in the search box. Go to Burp's HTTP history and send the relevant request to Burp Repeater.

DOM XSS in jQuery Selector Sink Using a Hashchange Event

In order to deliver a successful XSS attack, you need to make the page's scroll action operate on a value that you control. It is possible to do that by creating an iframe tag with an onload event handler.

DOM XSS in jQuery Anchor href Attribute Sink Using location.search Source

Observe that the search bar URL contains a parameter called returnPath; keep that in mind. View the page source and notice that jQuery's $ selector and attr() function are used to read the returnPath parameter.

DOM XSS in innerHTML Sink Using Source location.search

Remember the information about the innerHTML sink: modern browsers do not execute script tags or svg tags inserted through the innerHTML sink. However, it may still be possible to use an img tag to deliver a successful XSS attack.

DOM XSS in document.write Sink Using Source location.search

Examine the above picture and observe that the query parameter is used in the document.write sink, which causes the vulnerability. In this case the vulnerability is easy to spot, but in other cases manual detection of DOM-based XSS can be very hard.
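As an added example (not from the lab notes or from PortSwigger), here is a small source-to-sink triage scanner for the sinks covered in the four DOM labs above: innerHTML, document.write, the jQuery $() selector and attr('href'). The script it scans is constructed here to resemble those labs, and its function and variable names are this example's own.

```javascript
// Added example: flag statements where a URL-derived source (location.search,
// location.hash, document.URL) reaches a DOM XSS sink. Taint is propagated by
// identifier name, not scope, so it over-approximates; it is a triage aid, not a parser.
const SOURCES = [/\blocation\.(search|hash|href)\b/, /\bdocument\.URL\b/];

const SINKS = [
  { name: 'innerHTML', re: /\.innerHTML\s*=(?!=)/ },
  { name: 'document.write', re: /\bdocument\.write(ln)?\s*\(/ },
  { name: 'jQuery selector', re: /\$\s*\(\s*(?!['"][^'"]*['"]\s*\))/ }, // argument is not a plain literal
  { name: 'jQuery attr(href)', re: /\.attr\s*\(\s*['"]href['"]/ },
];

function findDomXssSinks(source) {
  // Crude statement split on ';' and newlines; good enough for triage.
  const stmts = source.split(/[;\n]/).map((s) => s.trim()).filter(Boolean);
  const tainted = new Set();
  const isTainted = (s) =>
    SOURCES.some((re) => re.test(s)) ||
    [...tainted].some((v) => new RegExp('\\b' + v + '\\b').test(s));
  // Propagate taint through plain assignments until a fixpoint is reached.
  for (let changed = true; changed; ) {
    changed = false;
    for (const s of stmts) {
      const m = /^(?:var|let|const)?\s*([A-Za-z_]\w*)\s*=(?!=)(.*)$/.exec(s);
      if (m && !tainted.has(m[1]) && isTainted(m[2])) { tainted.add(m[1]); changed = true; }
    }
  }
  const findings = [];
  for (const s of stmts) {
    for (const { name, re } of SINKS) {
      if (re.test(s) && isTainted(s)) findings.push({ sink: name, statement: s });
    }
  }
  return findings;
}

// Constructed sample script modelled on the four DOM labs (not real lab code).
const SAMPLE_JS = `
function trackSearch(query) {
  document.write('<p>You searched for: ' + query + '</p>');
}
var query = new URLSearchParams(window.location.search).get('search');
if (query) { trackSearch(query); }
document.getElementById('searchMessage').innerHTML = query;
document.getElementById('safeMessage').textContent = query;
$(window).on('hashchange', function () {
  $('section.blog-list h2:contains(' + decodeURIComponent(window.location.hash.slice(1)) + ')').get(0).scrollIntoView();
});
$('#backLink').attr('href', new URLSearchParams(window.location.search).get('returnPath'));
`;
```

Running findDomXssSinks(SAMPLE_JS) reports the four tainted sink statements and leaves the textContent line alone, since textContent is not an HTML-interpreting sink.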