# Be careful with what you wish on a Christmas night

## Video

{% embed url="https://www.youtube.com/watch?v=cNYhpbUtkJw" %}

## Resources

[OWASP/CheatSheetSeries](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Input_Validation_Cheat_Sheet.md)

* Check out this awesome guide about XSS: [swisskyrepo/PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection)
* Common payload list for you to try out: [payloadbox/xss-payload-list](https://github.com/payloadbox/xss-payload-list)
* For more OWASP ZAP guides, check out the following room: [Learn OWASP Zap](https://tryhackme.com/room/learnowaspzap)

## Challenge

### Deploy your AttackBox

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOMr_iwTLxosBGQaIZA%2F-MOMrtDh-haLztiJQpAr%2Fimage.png?alt=media\&token=3b39048c-ed46-4de0-8e89-c29bbea818ae)

{% hint style="success" %}
No answer needed
{% endhint %}

### What vulnerability type was used to exploit the application?

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOMr_iwTLxosBGQaIZA%2F-MOMsiOZyabiaUwjoL9f%2Fimage.png?alt=media\&token=ee4ffb04-4ce2-45dd-8c44-6ba46b59f2cf)

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOMr_iwTLxosBGQaIZA%2F-MOMsojI8sPWe4ytjoBi%2Fimage.png?alt=media\&token=04f0f9fb-0a51-4cec-a119-afa58fc70186)

{% hint style="success" %}
Stored cross-site scripting
{% endhint %}

### What query string can be abused to craft a reflected XSS?

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOMr_iwTLxosBGQaIZA%2F-MOMtJt0fP48M-H4nDim%2Fimage.png?alt=media\&token=67b33293-8640-463f-a02c-d68f99074303)

{% hint style="success" %}
q
{% endhint %}

### Launch the OWASP ZAP Application

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOMr_iwTLxosBGQaIZA%2F-MOMtvmf_dLwKBPIW3sh%2Fimage.png?alt=media\&token=89556447-2c47-4d61-9392-948db8a325bd)

{% hint style="success" %}
No answer needed
{% endhint %}

### Run a ZAP (zaproxy) automated scan on the target. How many XSS alerts are in the scan?

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOMr_iwTLxosBGQaIZA%2F-MOMuIBnuUQG6KAi0XZn%2Fimage.png?alt=media\&token=83d611fb-d19b-4eef-9b4f-620439452fac)

{% hint style="success" %}
2
{% endhint %}

### Explore the XSS alerts that ZAP has identified. Are you able to make an alert appear on the "Make a wish" website?

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOMuLnixPM5x3FnQ4Uj%2F-MOMuoT-Kcf9Cw5AVrW4%2Fimage.png?alt=media\&token=ad508abf-c9a1-42a1-8e92-ac7918d865f2)

{% hint style="success" %}
No answer needed
{% endhint %}
