Stored XSS — Comment Board

Medium · Injection · A03:2021 · 25 min

Flag submissions require login via tc_sso. Reading instructions does not.

Scenario

A blog has a comment box. The site stores comments in browser localStorage (the lab equivalent of a server DB) and renders each comment via innerHTML. There is no sanitization on input and no output encoding at render time, so whatever you store is parsed as HTML for every visitor.

The page also has window.__FLAG set but never displays it. Your job: post a comment whose payload reads window.__FLAG and displays it.

Objective

Get the flag value (TC{stored_xss_…}) onto the screen — either via alert(), by writing it into a DOM node, or by reading it from devtools after your payload runs.

Why this is "stored" vs "reflected"

  • Reflected: the payload travels in the request (typically a query string such as ?q=…) and is echoed into that one response; only the victim who opens the crafted link is affected.
  • Stored: the payload is persisted by the application (DB, file, or localStorage in this lab) and is served to every viewer who loads the page, including future ones, with no crafted link required.

A real stored XSS in a corporate Confluence or Jira can compromise every employee who loads the affected page.

Tips

  • <script> tags inserted via innerHTML will NOT execute: the HTML parser marks scripts created this way as non-executable.
  • Event handler attributes on freshly-parsed elements WILL execute as soon as the event fires (an error on a broken image, a load, a focus).
  • Try the classic <img src=x onerror="..."> vector: the src never resolves, so onerror runs immediately.
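The vulnerable render path described in the scenario beside its fixed form, as an added example that is not the lab's own code. It models the comment store as a plain array standing in for localStorage; the function names, the escapeHtml helper, the looksLikeXss triage check and the "comments" element id are assumptions, and the sample comments are constructed.

```javascript
// Added example, not the lab's own code. STORED_COMMENTS stands in for the
// localStorage-backed comment list; all function names and the element id
// "comments" are assumptions for illustration.

// Constructed sample input: two benign comments plus the payload from Hint 2.
const STORED_COMMENTS = [
  'First!',
  'Nice post <3',
  '<img src=x onerror=alert(window.__FLAG)>',
];

// Vulnerable: each stored comment is concatenated straight into markup.
// Assigning the result to innerHTML parses the <img>, the fetch of "x"
// fails, and the onerror handler runs for every viewer.
function renderCommentsUnsafe(comments) {
  return comments.map((c) => `<li>${c}</li>`).join('');
}

// Output encoding for HTML text context: the five characters that can break
// out of text or an attribute. '&' is replaced first so that the entities
// produced by the later replacements are not themselves re-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Fixed: same markup shape, but comment bodies are encoded at render time,
// so the parser only ever sees text. This output is safe to hand to innerHTML.
function renderCommentsSafe(comments) {
  return comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('');
}

// Triage heuristic for reviewing what is already in the store: flags a script
// element or any tag carrying an on* handler attribute. Useful for spotting a
// planted payload; it is not a sanitizer and must not replace encoding.
function looksLikeXss(comment) {
  return /<\s*script\b/i.test(comment) || /<[^>]*\son\w+\s*=/i.test(comment);
}

// Browser-only rendering that avoids innerHTML altogether: when the fragment
// is plain text, build nodes and set textContent, which is never parsed.
function mountComments(comments) {
  if (typeof document === 'undefined') return; // no DOM under Node
  const list = document.getElementById('comments');
  list.replaceChildren();
  for (const c of comments) {
    const li = document.createElement('li');
    li.textContent = c; // the payload shows up literally, nothing fires
    list.appendChild(li);
  }
}

mountComments(STORED_COMMENTS);
```

The fix lives at the render step, not at the comment box: encoding on the way in still leaves the stored copy unsafe for any other code path that reads it, while encoding (or textContent) at output protects every reader regardless of how the value arrived. A Content-Security-Policy that disallows inline handlers would block this particular payload as defence in depth, but it does not remove the injection.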

Hints

Hint 1 (−10 pts)

Post a comment containing an HTML tag that triggers JS on an error/load event. Classic vector: <img src=x onerror=...>.

Hint 2 (−10 pts)

Inside the onerror handler, read window.__FLAG and pop it: <img src=x onerror=alert(window.__FLAG)>

Hint 3 (−10 pts)

Full flag: TC{stored_xss_innerHTML_persists_globally}

Lab environment · sandboxed iframe · auto-resets every 60 min