XSS task academy

boringowl | Last updated: Sep 13, 2020 07:01PM UTC

Hello, PortSwigger team. Sorry for my bad English. I started your academy and understand what is it "exploit server" in XSS task. Where can I write about this?

Ben, PortSwigger Agent | Last updated: Sep 14, 2020 07:19AM UTC

Hi,

Once you have launched a lab there is normally a link in orange, just below the name of the lab, that you can click to access the exploit server. Please note that only certain labs require the use of the exploit server so it is not available in every lab.

boringowl | Last updated: Sep 14, 2020 06:27PM UTC

Sorry, my bad. It seems I don't understand why the exploit server is needed. Why can't I put my payload into the search bar directly?

Ben, PortSwigger Agent | Last updated: Sep 15, 2020 08:05AM UTC

Hi,

Some of the labs, depending on the type of vulnerability, require an external server in order to host and deliver exploits to the victim user - we provide the exploit server as an easy way to do this (the alternative would be for users to create their own server, which could be problematic). Are you doing a particular lab?

boringowl | Last updated: Sep 15, 2020 10:31AM UTC

For example, Lab 2 XSS: Reflected XSS into HTML context with most tags and attributes blocked. We must use the payload:

<iframe src="https://your-lab-id.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=alert(document.cookie)%3E" onload=this.style.width='100px'>

Why can't I use this payload in the url-machine? If I use this payload, the system writes me "none tags", but using the server-exploit, the payload works.

Ben, PortSwigger Agent | Last updated: Sep 16, 2020 11:10AM UTC

The idea behind that lab is to trick the victim into visiting your exploit server and then carrying out an action that triggers the alert. Entering a payload that triggers the alert by yourself is intentionally designed not to solve the lab.

