XSS — Merry XSSMas | Advent of Cyber 2025 Day 11 | Writeup

Access the room: https://tryhackme.com/room/xss-aoc2025-c5j8b1m4t6


After last year’s automation and tech modernisation, Santa’s workshop got a new makeover. McSkidy has a secure message portal where you can contact her directly with any questions or concerns. However, lately, the logs have been lighting up with unusual activity, ranging from odd messages to suspicious search terms. Even Santa’s letters appear to be scripts or random code. Your mission, should you choose to accept it: dig through the logs, uncover the mischief, and figure out who’s trying to mess with McSkidy.

Learning Objectives

  • Understand how XSS works
  • Learn to prevent XSS attacks

Step-by-Step Walkthrough

Initial Setup

Start the target machine and the AttackBox as instructed.

Access the web application at http://MACHINE_IP using the browser in the AttackBox.

Press enter or click to view image in full size

Familiarize yourself with the web app’s interface, including the search section and message form.

So, what exactly is XSS?

Cross-Site Scripting (XSS) is a critical web application vulnerability that enables attackers to inject malicious code, typically JavaScript, into input fields whose content is rendered to other users, such as forms or comment sections in blogs. When applications fail to properly validate or escape user input, the submitted data may be executed as code instead of being treated as harmless text.

This can lead to severe consequences, including the theft of credentials, website defacement, and user impersonation. XSS attacks are categorized into several types based on their execution method and impact. This discussion focuses specifically on Reflected XSS, where the injected code is immediately reflected back to the user via the application’s response, and Stored XSS, where the malicious payload is permanently stored on the target server and served to users over time.
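As an added example that is not part of the room or this writeup, the snippet below sketches in Node.js the render path behind both flags: the search term and the stored message are concatenated straight into HTML, and the fix is to escape them at the point of output. The in-memory array standing in for the portal's database and all function names are assumptions made for the example.

```javascript
// Added example, not code from the TryHackMe room: the render path behind
// both flags, shown vulnerable and then fixed with contextual escaping.

// Escape the five characters that can change HTML structure when user text
// is placed inside an element body or a quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reflected XSS: the search term from the request is concatenated straight
// into the response, so markup in it is parsed as markup by the browser.
function renderSearchVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Same template, escaped at the output point. The browser now shows the
// literal text "<script>..." instead of running it.
function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Stored XSS is the same output defect one step later: the message is saved
// unchanged and re-rendered for every visitor. The array stands in for the
// portal's database (assumption for this example).
const messages = [];
function storeMessage(text) {
  messages.push(text); // storing raw text is fine; escaping belongs at output
}
function renderMessagesSafe() {
  return (
    "<ul>" + messages.map((m) => `<li>${escapeHtml(m)}</li>`).join("") + "</ul>"
  );
}

// Check used below: does the rendered HTML still contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The payload from the writeup
const PAYLOAD = "<script>alert('Reflected Meow Meow')</script>";

// Demo: the vulnerable page carries a live <script>; the safe one does not.
console.log("vulnerable:", renderSearchVulnerable(PAYLOAD));
console.log("safe      :", renderSearchSafe(PAYLOAD));
storeMessage("<script>alert('Stored Meow Meow')</script>");
console.log("stored    :", renderMessagesSafe());
```

Escaping has to match the output context: the escaper above is right for element bodies and quoted attributes, but text dropped into a `<script>` block, a URL, or an inline event handler needs a different encoder, and a templating engine that auto-escapes by default removes most of the chances to forget it.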

Understanding Reflected XSS

Reflected XSS occurs when the injected script is immediately reflected in the response.

Search for a term like gift.

Craft a malicious payload, add it to the search bar and click “Search Messages”: <script>alert('Reflected Meow Meow')</script>

If an alert box appears, the application is vulnerable to reflected XSS.

After finding the vulnerability, we discovered our first flag.

THM{Evil_Bunny}


The system log also identifies the XSS payload script.

Understanding Stored XSS

Stored XSS occurs when the malicious script is saved on the server and loaded for every user who views the affected page.

Use the message form to submit a comment.

Now craft a malicious payload and submit it as a message:

<script>alert('Stored Meow Meow')</script>

Now every time the page is reloaded, the alert box will display, indicating successful exploitation of stored XSS.


After confirming successful exploitation of stored XSS, we finally found our 2nd flag!

THM{Evil_Stored_Egg}

The system log has detected the XSS payload threat and flagged it.
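An added example, not the room's own logging code, of what that log check could look like: a small Node.js scanner over constructed log lines in an assumed `<timestamp> <event> <field>="<value>" ip=<addr>` format. It URL-decodes each value before matching, so the same payload arriving encoded in a query string is still flagged, and it distinguishes a real tag from a bare `<` in ordinary text to keep false positives down.

```javascript
// Added example, not from the TryHackMe room: flag XSS-style payloads in
// application log lines and count hits per source address.

// Constructed sample log lines in an assumed format:
//   <timestamp> <event> <field>="<value>" ip=<addr>
const SAMPLE_LOG = [
  '2025-12-11T10:02:14Z search q="gift" ip=10.10.0.5',
  '2025-12-11T10:03:01Z search q="<script>alert(\'Reflected Meow Meow\')</script>" ip=10.10.0.5',
  '2025-12-11T10:05:22Z message body="Merry Christmas McSkidy!" ip=10.10.0.7',
  '2025-12-11T10:06:40Z message body="<script>alert(\'Stored Meow Meow\')</script>" ip=10.10.0.5',
  // Same payload as it would appear URL-encoded in a query string
  '2025-12-11T10:07:15Z search q="%3Cscript%3Ealert(1)%3C%2Fscript%3E" ip=10.10.0.9',
  // Harmless text with angle brackets; must not be flagged
  '2025-12-11T10:08:00Z search q="5 < 6 and 7 > 3" ip=10.10.0.7',
];

const LINE_RE = /^(\S+) (\w+) (\w+)="(.*)" ip=(\S+)$/;

// Parse one line into its fields, or return null if it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], event: m[2], field: m[3], value: m[4], ip: m[5] };
}

// Decode once before matching; a malformed %-sequence is left as-is.
function normalize(value) {
  try {
    return decodeURIComponent(value);
  } catch {
    return value;
  }
}

// Classify a user-supplied value: "script-tag", "html-tag" or "clean".
function classify(value) {
  const v = normalize(value);
  if (/<\s*script\b/i.test(v)) return "script-tag";
  // A tag needs a name right after "<"; "5 < 6" has a space and digit.
  if (/<\s*[a-z][\w-]*[\s>\/]/i.test(v)) return "html-tag";
  return "clean";
}

// Scan all lines; return the suspicious records and a per-IP hit count.
function scanLog(lines) {
  const findings = [];
  const byIp = {};
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue; // skip lines in an unexpected format
    const verdict = classify(rec.value);
    if (verdict === "clean") continue;
    findings.push({ ts: rec.ts, event: rec.event, field: rec.field, ip: rec.ip, verdict });
    byIp[rec.ip] = (byIp[rec.ip] || 0) + 1;
  }
  return { findings, byIp };
}

// Demo run over the constructed lines
const report = scanLog(SAMPLE_LOG);
for (const f of report.findings) {
  console.log(`${f.ts} ${f.ip} ${f.event}.${f.field}: ${f.verdict}`);
}
console.log("hits per IP:", report.byIp);
```

A check like this is a triage aid, not a defence: it tells you who is probing the search and message forms, while the escaping at render time is what keeps the payloads from running.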

Answers to the THM Lab

Which type of XSS attack requires payloads to be persisted on the backend?

Stored.

What’s the reflected XSS flag?

THM{Evil_Bunny}

What’s the stored XSS flag?

THM{Evil_Stored_Egg}
