
Detect the XSS Vulnerability

Difficulty

  • easy

Average duration

1 hr

Technologies

In this lab, you will analyze a basic website for a software license store. The site contains an active vulnerability that lets attacker-supplied JavaScript execute in the victim's browser. Your mission as an analyst is to find the vulnerable file, identify the flaw, and validate your finding.

In this lab you will learn:

  • Detection of reflected XSS vulnerabilities
  • Inspection of forms and GET parameters
  • Logical reasoning as a cybersecurity analyst

🌱 How to start this lab

👉 This challenge uses the same virtual machine as the previous lab: Pwned! - Find the backdoor. If you already downloaded it, there's no need to do it again.

  1. If you don't have it yet, download the virtual machine from this link:
     https://storage.googleapis.com/cybersecurity-machines/web-threats-lab.ova
  2. Import the virtual machine into VirtualBox or VMware.
  3. Start the VM, log in as the user student (password 4geeks-lab), and open the website in your browser at:
     http://<ip_machine>/softwarelicenser/

📄 Instructions

SoftwareLicenser is an online store that sells digital licenses. Without realizing it, a developer left an active vulnerability in one of the site's forms. Your task is to find the absolute path of the vulnerable file, identify the exact point of failure, and validate it using validation.py.

Your mission: find the file vulnerable to XSS

  1. Investigate the website as if you were an external auditor or Blue Team analyst.
  2. Locate any functionality that accepts user input and reflects it in the response: forms, search boxes, and GET parameters carried in links.
  3. Determine whether the site is vulnerable to Cross-Site Scripting (XSS): submit a harmless marker containing quotes and angle brackets and check whether it comes back in the HTML unencoded.
  4. If you find the vulnerability, identify the file on the server that produces the reflecting page.
  5. Run the validator and provide the absolute path of the vulnerable file:
     validate-xss

If correct, the challenge flag will be revealed:

✅ Correct path!
🎁 Flag: FLAG{EXAMPLE_FLAG}
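The mission steps above (enumerate forms and GET parameters, send a canary, see whether it is reflected raw or encoded) can be carried out mechanically. The script below is an added example written for this page; it is not part of the lab or its solution files. The real form names, parameter names and file names on the VM are not given here, so it runs against a constructed stand-in for the SoftwareLicenser index page (`INDEX_HTML`, with hypothetical `.php` file names) and an offline `fake_fetch` function that plays the server: one page concatenates the raw parameter into HTML, the others encode or cast it. On the real VM you would replace `fake_fetch` with an HTTP client pointed at http://<ip_machine>/softwarelicenser/.

```python
import html
import re
from typing import Callable, Dict, List
from urllib.parse import parse_qs, urlparse

# Harmless canary: if it is reflected with the quote and angle brackets intact,
# the page builds HTML from the raw parameter and is a reflected-XSS candidate.
CANARY = 'xss7"><u>canary</u>'

FORM_RE = re.compile(r'<form\b([^>]*)>(.*?)</form>', re.I | re.S)
FIELD_RE = re.compile(r'<(?:input|textarea|select)\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def _attrs(s: str) -> Dict[str, str]:
    return {k.lower(): v for k, v in ATTR_RE.findall(s)}


def extract_forms(page: str) -> List[Dict]:
    """List every form with its action, method and named fields (steps 1-2)."""
    forms = []
    for form_attrs, body in FORM_RE.findall(page):
        a = _attrs(form_attrs)
        names = [_attrs(f).get("name") for f in FIELD_RE.findall(body)]
        forms.append({
            "action": a.get("action", ""),
            "method": a.get("method", "get").lower(),
            "fields": [n for n in names if n],
        })
    return forms


def extract_get_params(page: str) -> Dict[str, List[str]]:
    """Collect GET parameter names from links in the page, keyed by path."""
    found: Dict[str, set] = {}
    for href in re.findall(r'href="([^"]+)"', page, re.I):
        u = urlparse(href)
        if u.query:
            found.setdefault(u.path, set()).update(parse_qs(u.query).keys())
    return {p: sorted(v) for p, v in found.items()}


def classify(body: str) -> str:
    """How the canary came back: 'raw' (XSS candidate), 'encoded', or 'absent'."""
    if CANARY in body:
        return "raw"
    if html.escape(CANARY) in body:
        return "encoded"
    return "absent"


def probe(fetch: Callable[[str, str, Dict[str, str]], str], page: str) -> List[Dict]:
    """Send the canary through every form field and link parameter (step 3)."""
    results = []
    for form in extract_forms(page):
        for name in form["fields"]:
            body = fetch(form["action"], form["method"], {name: CANARY})
            results.append({"path": form["action"], "param": name,
                            "method": form["method"], "result": classify(body)})
    for path, params in extract_get_params(page).items():
        for name in params:
            body = fetch(path, "get", {name: CANARY})
            results.append({"path": path, "param": name,
                            "method": "get", "result": classify(body)})
    return results


# Constructed stand-in for the lab's index page (hypothetical form, parameter
# and file names; the real ones on the VM must be discovered by inspection).
INDEX_HTML = """
<h1>SoftwareLicenser</h1>
<form action="/softwarelicenser/search.php" method="get">
  <input type="text" name="q"> <input type="submit" value="Search">
</form>
<form action="/softwarelicenser/subscribe.php" method="post">
  <input type="email" name="email"> <input type="submit" value="Subscribe">
</form>
<a href="/softwarelicenser/product.php?id=3">Pro licence</a>
"""


def fake_fetch(path: str, method: str, params: Dict[str, str]) -> str:
    """Offline stand-in for HTTP: one page echoes raw input, the others do not."""
    if path.endswith("search.php"):            # vulnerable: raw string concatenation
        return "<p>Results for: " + params.get("q", "") + "</p>"
    if path.endswith("subscribe.php"):         # safe: HTML output encoding
        return "<p>Thanks, " + html.escape(params.get("email", "")) + "</p>"
    if path.endswith("product.php"):           # safe: value is cast to an integer
        pid = params.get("id", "0")
        return "<p>Product %d</p>" % (int(pid) if pid.isdigit() else 0)
    return "<p>404</p>"


def vulnerable_params(fetch=fake_fetch, page=INDEX_HTML) -> List[Dict]:
    """Only the findings where the canary came back unencoded (step 4 input)."""
    return [r for r in probe(fetch, page) if r["result"] == "raw"]


if __name__ == "__main__":
    for r in probe(fake_fetch, INDEX_HTML):
        print(f'{r["method"].upper():4} {r["path"]} ?{r["param"]}= -> {r["result"]}')
```

The `raw` finding names the path and parameter that reflect input unencoded; that path is what you map to a file under the web root on the VM before running `validate-xss`. A result of `encoded` is not exploitable through that sink, and `absent` means the parameter is not reflected at all, so neither is worth reporting.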

Good luck, Analyst!

