Task 1: Introduction

This challenge focuses on understanding and exploiting Cross-Site Scripting (XSS) vulnerabilities, a common web application flaw that allows attackers to inject malicious code (usually JavaScript) into pages served by a website, where it then runs in other users' browsers.

Learning Objectives

  • Understand how XSS works
  • Learn to prevent XSS attacks

Connecting to the Machine

Start the AttackBox, or use your own VM connected to the THM VPN, then start the target machine.


Answer the questions below

I have successfully started the AttackBox and target machine!

No answer needed


Task 2: Leave the Cookies, Take the Payload

For today's room we will be using the web app found at http://MACHINE_IP.


We will explore two primary types: Reflected XSS and Stored XSS.

1. Reflected XSS

The malicious script is immediately echoed (reflected) back in the application's response, often via a URL parameter, and is never stored by the application.

2. Stored XSS (Persistent)

The malicious script is permanently saved on the server's backend (e.g., in a database) and served to every user who views the affected page.

Exploiting the Web Application

The target web application, found at http://MACHINE_IP, is vulnerable. We will first test whether an XSS vulnerability is present using the payload: <script>alert('Test Payload')</script>

1. Exploiting Reflected XSS (Search)

In the search bar, we can test for Reflected XSS, as search terms are often immediately reflected back in the results page.

  1. Navigate to the web app.
  2. Inject: Add the test payload to the search bar and click "Search Messages".

<script>alert('Reflected Meow Meow')</script>

Validation: If an alert box appears, Reflected XSS is confirmed.


2. Exploiting Stored XSS

For Stored XSS, we test the comment section: the payload we submit is saved on the server (persisted) and served again to anyone who later views the page.

  1. Navigate to the message form section.
  2. Inject: Enter the test payload into the message body field and click "Send Message".

<script>alert('Stored Meow Meow')</script>

Validation: If the alert box appears again after you reload the page or navigate back to the main page, Stored XSS is confirmed.
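The room validates both flaws with an alert() popup; the following added example (not the room's own code) models the two sinks just exercised, the reflected search echo and the stored message list, and shows the fix the second learning objective asks for: HTML entity encoding before output. The function names, the in-memory message store and the containsScriptTag check are assumptions made for this illustration.

```javascript
// Added example (not the room's own code): a minimal model of the app's two
// sinks, the reflected search echo and the stored message list, each rendered
// without encoding (the flaw) and with HTML entity encoding (the fix).
// Function names and the in-memory message store are assumptions.

// Encode the five characters that let text break out of an HTML text node or
// attribute value; the payload is then displayed as text instead of executing.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Reflected sink. Vulnerable: the search term goes straight into the response.
function renderSearchVulnerable(term) {
  return `<h2>Results for: ${term}</h2>`;
}
// Fixed: the term is encoded before it is placed in the HTML.
function renderSearchSafe(term) {
  return `<h2>Results for: ${escapeHtml(term)}</h2>`;
}

// Stored sink: messages persist server-side and are shown to every visitor.
const messages = []; // constructed in-memory stand-in for the app's database
function saveMessage(body) {
  messages.push(body);
}
function renderMessagesVulnerable() {
  return messages.map((m) => `<li>${m}</li>`).join('');
}
function renderMessagesSafe() {
  return messages.map((m) => `<li>${escapeHtml(m)}</li>`).join('');
}

// Check for a reviewer or regression test: does the rendered HTML still
// contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The room's test payload as sample input; the stored copy is saved once here.
const payload = "<script>alert('Test Payload')</script>";
saveMessage(payload);
console.log(containsScriptTag(renderSearchVulnerable(payload)));   // true
console.log(containsScriptTag(renderSearchSafe(payload)));         // false
console.log(containsScriptTag(renderMessagesSafe()));              // false
```

The same encoding step closes both variants because the flaw is in how the value is written into the page, not in where it came from; a real application should apply it through its template engine's auto-escaping rather than by hand.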


Answer the Questions

After exploiting the web application, it's time to answer the questions.

  1. Which type of XSS attack requires payloads to be persisted on the backend? Stored XSS
  2. What's the reflected XSS flag? The output from Reflected XSS exploitation
  3. What's the stored XSS flag? The output from Stored XSS exploitation
