# Lab: Stored DOM XSS
###### tags: `Portswigger Web Security Academy` `Web`
* Description: This lab demonstrates a stored DOM vulnerability in the blog comment functionality.
* Goal: To solve this lab, exploit this vulnerability to call the `alert()` function.
## Recon
1. Find the injection point
According to the description, the comment functionality under each blog post is where the stored DOM vulnerability lives, so that is where we try to inject.
2. Try to inject
Comment Payload: `<script>alert(123)</script>`

Nothing pops. Looking at the page source shows that the comments are not rendered server-side: the post page pulls in an external `js` file that loads the comments and writes them into the DOM, i.e.:


3. What is `loadCommentsWithVulnerableEscapeHtml.js`?
This script loads the comments into the page and tries to neutralize the dangerous characters `<` and `>` before inserting them.
:::spoiler A part of source code
```javascript!
...
// Intended as an HTML escaper, but see the note below on how replace() behaves
function escapeHTML(html) {return html.replace('<', '&lt;').replace('>', '&gt;');}
...
```
:::
However...
:::danger
According to the [JavaScript documentation for `String.prototype.replace()`](https://developer.mozilla.org/zh-TW/docs/Web/JavaScript/Reference/Global_Objects/String/replace), when the pattern is a plain string (not a regular expression with the `g` flag) only the **first** occurrence is replaced. `escapeHTML` therefore neutralizes just the first `<` and the first `>` in a comment; every later `<` and `>` reaches the DOM untouched.
:::
4. Prepend a sacrificial `<>` pair
Comment Payload: `<><script>alert(123)</script>`


The leading `<>` absorbs the two replacements, so the `<script>` tag that follows now lands in the DOM intact, but still nothing executes: the comments are inserted after page load through `innerHTML`, and browsers do not run `<script>` elements added to the document that way. An element whose event handler fires on its own, such as an `img` with an `onerror` handler, does not have this limitation, so we switch to that.
## Exploit
New Comment Payload: `<><img src="a" onerror="alert(123)">`
The `<>` prefix is escaped to `&lt;&gt;`; the `img` tag after it is written into the DOM unchanged, the request for `src="a"` fails, and the `onerror` handler runs `alert(123)`.

:::spoiler Success Screenshot

:::
## Reference