Burp Suite User Forum

Login to post

academy site bug

Kazuo | Last updated: Oct 09, 2021 12:03AM UTC

Hello. I found a bug in the title below on the academy site. "Exploiting cross-site scripting to steal cookies" procedure: 1.Click "View post" in Festivals 2.Enter the following payload in "Comment" and click "Post Comment"  Payload:  <Script>alert(/script>  Request parameters:  csrf=cdHAe0C2GeyxhKsKsLpeufDxbBMtgH7e&postId=8&comment=%3Cscript%3Ealert%28%2Fscript%3E&name=namae&email=test%40mail.com&website=https%3A%2F%2Ftest.com 3."Leave a comment" is not displayed

Kazuo | Last updated: Oct 09, 2021 12:17AM UTC

correction Payload: <script>alert(/script>

Michelle, PortSwigger Agent | Last updated: Oct 11, 2021 02:58PM UTC

Thanks for your message. This is a side-effect of the script block not being closed, meaning the rest page doesn’t get displayed which would be expected. It won’t affect the other blog post pages so you can use those pages to continue working on the lab. We hope you're enjoying the labs!

You need to Log in to post a reply. Or register here, for free.