Image of AttackDefense 2018

Mission

A version of ApPHP MicroBlog is vulnerable to stored cross site scripting attack. Your task is to find and exploit this vulnerability. Authenticated access is not required to exploit this vulnerability.

Level difficulty: Easy

Category: Real World Webapps > Stored XSS

Solution

On this challenge, I was again provided with the same version of ApPHP MicroBlog as on the RCE exercise found here.

Image of AttackDefense 2018

Therefore, I tried the same password and username (admin && password) as in the RCE challenge on the admin login form.

Image of AttackDefense 2018

Image of AttackDefense 2018

By going to an already posted article, we can observe the presence of a comment module within our blog. In that comment module, I used the following examples of XSS payloads.

Image of AttackDefense 2018

With a simple refresh I have obtained the following result:

Image of AttackDefense 2018

Image of AttackDefense 2018