
@RealTryHackMe #AdventOfCyber Series: Challenge 5 – Pesky Elf Forum

Another day, another challenge…

In this post, we’re starting a new series: the Advent of Cyber, hosted by TryHackMe. This is the third year of the Advent of Cyber, where a challenge is released every day leading up to Christmas. In total there will be 25 challenges. In these challenges, we’re McSkidy, an elf trying to save Christmas.

In our fifth challenge, we’re presented with a scenario where the elves express their joy in a forum. Unfortunately for the elves, the Grinch has created an admin account on the forum and has installed a bad plugin that changes Christmas to Buttmas *GASP*. We can’t have that for the kids and Santa!

The topic explored in this challenge was Cross-Site Scripting (XSS). We learned that there are four flavors: Document Object Model (DOM), Reflected, Stored, and Blind, and why XSS is important. XSS in a nutshell is an injection attack where the input is not being validated or sanitized, meaning the application allows ANY input from the user. This can be *hint, hint* HTML, JavaScript, etc. Of all the different flavors of XSS, the most dangerous/catastrophic is Stored XSS. As the name implies, it stores the payload in, for instance, a database, meaning anyone who visits the website or invokes that particular database will be susceptible to the attack. We will use Stored XSS in this challenge.
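To make the "stored" part concrete, here is an added example (not code from the challenge or from TryHackMe) of a forum that saves comments and renders them for every visitor, first without and then with output encoding. The in-memory store, function names, and sample comments are all constructed for illustration.

```javascript
// Constructed stand-in for the forum's database table of comments.
const comments = [];

// Input is stored exactly as submitted: no validation, no sanitization.
function saveComment(author, body) {
  comments.push({ author, body });
}

// Vulnerable rendering: stored text is concatenated straight into HTML,
// so any markup in a comment becomes part of the page for every visitor.
function renderUnsafe() {
  return comments
    .map(c => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join("\n");
}

// Output encoding for the HTML body context: the five characters that can
// open tags, entities, or quoted attributes are replaced with entities.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Hardened rendering: every stored field is encoded at output time,
// so the browser displays the comment as text instead of parsing it.
function renderSafe() {
  return comments
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// Constructed sample data: one ordinary comment, one containing markup.
saveComment("elf1", "Merry Christmas & happy holidays!");
saveComment("grinch", "<script>alert(1)</script>");

console.log("unsafe:\n" + renderUnsafe());
console.log("safe:\n" + renderSafe());
```

Encoding like this only covers text placed between HTML tags; values written into attributes, URLs, or inline scripts need encoding for that context, and a Content Security Policy adds a second layer.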

Can we use the information we learned about XSS to remove the bad plugin in the forum?

Well… click the video below to find out!
