Advent of Cyber 2025 Day 11 Writeup: Cross-Site Scripting (XSS) | TryHackMe

Published: December 30, 2025 at 08:10 AM EST
Source: Dev.to

Understanding XSS

Usually a website or web app displays information from the server. However, users can also provide information via input fields. If a web server does not validate user input properly, malicious code can be injected instead of harmless text. This malicious code will then execute and can steal credentials, deface pages, or alter user information.

Stored XSS

A stored XSS attack occurs when the malicious code is saved on the server (e.g., in an HTML or JS file).
Example: domain.com/tonybennet contains the injected script. Anyone who later visits that page becomes a victim because the code runs for every visitor.

Reflected XSS

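A reflected XSS attack is more direct: the payload is not saved anywhere. It travels in the request (typically a URL parameter) and is echoed back in the response.
Example link: facebook.com/profile/search?term=alert(1)
If the server reflects the term parameter without sanitisation, the browser will execute alert(1) (or any other malicious script) when the link is opened.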

Protecting Against XSS

  • Disable dangerous rendering paths: Prefer textContent over innerHTML to treat input as plain text rather than HTML.
  • Make cookies inaccessible to JavaScript: Set session cookies with the HttpOnly, Secure, and SameSite attributes.
  • Sanitise input/output and encode: When limited HTML is allowed (e.g., safe links or basic formatting), sanitise and encode all user‑supplied data. This removes or escapes elements that could be interpreted as executable code, such as <script> tags, event handlers, or javascript: URLs, while preserving safe formatting.
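The three defences above, sketched as server-side JavaScript. This is an added example, not code from the original writeup or the TryHackMe room; the function names, cookie name and SameSite=Strict value are assumptions chosen for illustration.

```javascript
// Added example (hypothetical helper names). Runs in Node without dependencies.

// 1. Output encoding: the server-side counterpart of using textContent in the
//    browser. Untrusted text is emitted as text, never as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 2. Link sanitising: parse with the WHATWG URL parser and allowlist the scheme.
//    The parser lowercases the scheme and strips tabs/newlines, so obfuscated
//    javascript: URLs are caught where a startsWith() check would miss them.
//    Relative or unparsable input is rejected (returns null).
function safeHref(untrusted) {
  let url;
  try {
    url = new URL(String(untrusted).trim());
  } catch {
    return null;
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

// Render one user comment: every dynamic value is encoded for its context,
// and the link is dropped entirely if its scheme is not allowlisted.
function renderComment(author, text, link) {
  const href = safeHref(link);
  const linkHtml = href
    ? ` <a href="${escapeHtml(href)}" rel="noopener noreferrer">link</a>`
    : '';
  return `<p><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}${linkHtml}</p>`;
}

// 3. Session cookie that page scripts cannot read (HttpOnly), that is sent
//    only over HTTPS (Secure), and only on same-site requests (SameSite).
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Constructed sample input, using the payload shapes named in the list above.
const SAMPLE = { author: 'tony', text: '<script>alert(1)</script>', link: 'javascript:alert(1)' };
console.log(renderComment(SAMPLE.author, SAMPLE.text, SAMPLE.link));
console.log(sessionCookie('sid', 'abc 123'));
```
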

Walkthrough – Advent of Cyber 2025 Day 11 (XSS)

  1. Start the target machine

    • If you have OpenVPN enabled, type the target IP address in your browser.
    • Otherwise, launch the AttackBox machine provided by TryHackMe.

    THM Day 11 screenshot

  2. Identify the input boxes
    The page contains two input fields, each vulnerable to a different type of XSS.

  3. Reflected XSS test
    Enter the following payload into the first input box:

    alert('Reflected Meow Meow')

    Submitting the form triggers an alert box, confirming the vulnerability.

    Reflected XSS alert box

  4. Capture the flags

    • The room is straightforward: each input box, when supplied with the appropriate XSS payload, reveals a flag.
    • Copy and paste the provided payloads into the respective fields to obtain the flags.

Conclusion

This room demonstrates classic reflected and stored XSS attacks and highlights essential mitigation techniques such as proper output encoding, safe DOM manipulation, and secure cookie attributes. Practising these concepts helps reinforce secure coding practices and improves awareness of common web vulnerabilities.
