This module practices identifying and exploiting XSS vulnerabilities. Read the task instructions and use the skills you learned in previous modules to solve the task.

Force the system administrator to change their password and log in as an administrator!

In this task, we take advantage of the XSS vulnerability and hijack the administrator's session. The application differs from others in that it protects cookies with the HttpOnly directive, meaning that cookies cannot be manipulated from JavaScript code!

XSS-HTTPONLY-1

Find the XSS vulnerability in the application and solve the task in the required manner. The email address of the admin user is admin@ha-target.com.

*This module practices identifying and exploiting XSS vulnerabilities. Read the task instructions and use the skills you learned in previous modules to solve the task.*

@exercise e271f14361e5

Find the XSS vulnerability in the application and solve the task in the required manner. The email address of the admin user is admin@ha-target.com.


XSS vs HttpOnly

Learn how to find and exploit a vulnerability that is one of the most common vulnerabilities, easy to find, and yet very dangerous. Hackerone ranked XSS the #1 bug bounty vulnerability of 2021.

XSS (Cross-Site Scripting) vulnerabilities are both common and serious. For example, HackerOne has listed XSS as the number one vulnerability on their top 10 vulnerabilities list.

Vulnerability management is therefore extremely important, whether you are a penetration tester, a security consultant, a developer, or a bounty hunter!

Fundamentals

What are Cross-Site Scripting Vulnerabilities?

Intro

Stored XSS and stealing session cookies

XSS vs HttpOnly

Learn to hack — start here