In this post, we are going to solve the PortSwigger lab: “Stored XSS into HTML context with nothing encoded”.

Lab homepage for Stored XSS into HTML context

To solve the lab, we need to execute the alert function in a post comment.

When we open the lab, the first thing we need to do is navigate to any post:

Blog view with list of available posts

Inside the post, we find the following:

Comment form with fields to fill out

As we can see, we have the option to leave a comment and different fields to fill out.

So we are simply going to do as instructed and fill out all the fields, but in the comment field, we will place a small piece of JavaScript code that executes an alert:

Form completed with XSS payload in the comment field

With all the fields filled out, we simply submit the comment and we will have solved the lab:

Lab solved successfully

To see what happened, let’s go back to the post where we wrote our comment:

JavaScript alert executing in the browser

Post showing the comment with injected XSS code

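And as we can see, when we open the post, the code we wrote in the comment field is executed. The application stored the comment and placed it into the page's HTML without encoding it, so the browser runs it for every visitor who loads the post. We have just exploited a Stored XSS.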

Lab completion confirmation
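To make the root cause and its fix concrete, here is an added example (not code from the lab or from PortSwigger) that renders a stored comment first without encoding and then with HTML encoding. The comment record, the markup, and all function names are assumptions made for illustration.

```javascript
// Constructed sample: a comment as the blog might have stored it.
const storedComment = {
  author: "visitor",
  body: "<script>alert(1)</script>",
};

// Vulnerable pattern: the stored text is concatenated into the page as-is,
// so the browser parses it as markup ("nothing encoded").
function renderCommentUnsafe(comment) {
  return `<section class="comment"><p>${comment.author}</p>` +
         `<p>${comment.body}</p></section>`;
}

// HTML-encode the five characters that can change the parsing context
// inside element content or a quoted attribute value.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: every user-controlled field is encoded at output time,
// so the comment is displayed as text instead of being executed.
function renderCommentSafe(comment) {
  return `<section class="comment"><p>${escapeHtml(comment.author)}</p>` +
         `<p>${escapeHtml(comment.body)}</p></section>`;
}

// Demo-only check: does the rendered HTML still contain a script start tag?
function hasScriptElement(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe:", renderCommentUnsafe(storedComment));
console.log("safe:  ", renderCommentSafe(storedComment));
console.log("script tag survives unsafe render:",
  hasScriptElement(renderCommentUnsafe(storedComment)));
console.log("script tag survives safe render:  ",
  hasScriptElement(renderCommentSafe(storedComment)));
```

Encoding happens when the comment is written into the page, not when it is stored, so the same stored value stays safe in whatever HTML context later displays it with the matching encoder.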