1. Web Security Academy
  2. Cross-site scripting
  3. Exploiting
  4. Lab

Lab: Exploiting cross-site scripting to capture passwords


This lab contains a stored XSS vulnerability in the blog comments function. To solve the lab, exploit the vulnerability to steal the username and password of someone who views the blog post comments. Then use the credentials to log in as the victim.


The online lab simulates another user who views blog comments after they are posted. You should exfiltrate this user's username and password via the public Burp Collaborator server (burpcollaborator.net).

Instead of using Burp Collaborator, you could adapt the attack to make the victim post their credentials within a blog comment by exploiting the XSS to perform CSRF, although this would mean that the username and password are exposed publicly, and also discloses evidence that the attack was performed.