Day 8: Stored XSS into anchor href attribute with double quotes HTML-encoded : Zero to Hero Series…
The article walks through a stored XSS lab: JavaScript (alert(1)) is injected through the comment form, and the popup fires when a user clicks the link in the comment, because the application mishandles user input when building the link. 2025-7-1 10:27:52 Author: infosecwriteups.com

RayofHope

Hi, my fellow hackers. This is Rayofhope. I have over 5 years of experience and am currently working as a consultant with a Big 4 firm.

It’s Day 24 of posting all the PortSwigger labs, not just the solutions. I’ll break down why we take each step, because once the ‘why’ is clear, the ‘how’ becomes easy.

Let’s Start:

Video Walkthrough — You can watch the video or read the blog, totally up to you. But if you ask me, start with the video, then read the blog to connect all the dots.

Lab: This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert function when the comment author name is clicked.

This is what the lab looks like, and we can see that there are no input fields here. However, we have an option to view the post.

We have an input field to leave a comment. Let’s fill it out with normal details and observe how it responds.

Comments have been submitted

The comment has been posted, and we can see a hyperlink in it. Let’s click on ‘RayofHope’ and see where it redirects.

It redirected to https://nobody.com, which is the value we typed into the comment form's Website field. Let's look at the page source to see why.

The application wraps the commenter's name ("RayofHope") in an <a> tag and copies the Website field's value straight into that tag's href attribute. The only protection applied is HTML-encoding of double quotes, so a classic break-out payload such as "><svg onload=alert(1)> cannot close the attribute or the tag. But we still fully control the attribute's value, and for an href that is all that matters: the browser decides what to do on click by looking at the URL's scheme, not at the quotes around it.

Let's try submitting javascript:alert(1) as the website.

The comment has been submitted and the lab reports itself solved. Let's go back to the post to check whether a popup appears.

As expected, clicking the comment author's name triggered the XSS payload and produced a pop-up. Let's look at the source again to understand why it executed.

Here the href attribute of the anchor tag holds a javascript: URI. Encoding the double quotes did nothing to stop it, because the payload never needed to leave the attribute. When the user clicks the link labelled 'ray', the browser treats the javascript: scheme as an instruction to run the embedded code (alert(1)) in the page's own origin, confirming a stored XSS vulnerability. The lesson is that output encoding is the wrong tool for a URL context: the value must be validated before it is written into href, by parsing it as an absolute URL and allowing only the http: and https: schemes (with a plain-text fallback when the check fails). Encode it for the attribute after that, not instead of that.
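As an added example that is not part of the original write-up (the lab's real server-side code is not shown on the page), here is a small Node.js sketch of the rendering bug beside its fix. The markup, the id="author" attribute, and the hrefRunsScript helper that approximates what the browser checks on click are assumptions for illustration; the sample comments are constructed to mirror the three submissions in the walkthrough.

```javascript
// Added example (not the lab's own code): a comment renderer that HTML-encodes
// double quotes the way the lab does, next to a hardened version that
// allow-lists the href scheme. Markup and ids are assumed for illustration.

// Attribute encoder: neutralises the characters that could end the attribute or the tag.
function htmlAttrEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable renderer: encodes the Website value but never looks at its scheme,
// so "javascript:alert(1)" survives untouched and runs when the link is clicked.
function renderAuthorLinkVulnerable(name, website) {
  return `<a id="author" href="${htmlAttrEncode(website)}">${htmlAttrEncode(name)}</a>`;
}

// Scheme allow-list. WHATWG URL parsing lower-cases the scheme and strips
// leading/trailing whitespace, so "JaVaScRiPt:" and " javascript:" are caught too.
// Returns the normalised absolute URL, or null when the value must not become a link.
function safeHref(website) {
  let url;
  try {
    url = new URL(String(website));
  } catch {
    return null; // relative or unparsable input: do not guess, do not link
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

// Hardened renderer: validate first, encode second; fall back to plain text.
function renderAuthorLinkHardened(name, website) {
  const href = safeHref(website);
  const label = htmlAttrEncode(name);
  if (href === null) {
    return `<span id="author">${label}</span>`;
  }
  return `<a id="author" href="${htmlAttrEncode(href)}">${label}</a>`;
}

// Rough stand-in for what the browser does on click: pull the href back out of
// the markup, undo the entity encoding, and ask whether its scheme is javascript:.
// Browsers drop ASCII tab/newline and leading control/space characters before
// reading the scheme, so the check does the same.
function hrefRunsScript(html) {
  const match = /href="([^"]*)"/.exec(html);
  if (!match) return false;
  const decoded = match[1]
    .replace(/&quot;/g, '"')
    .replace(/&#x27;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
  const normalised = decoded.replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+/, '');
  return /^javascript:/i.test(normalised);
}

// Constructed inputs: the benign first comment, the attribute break-out that
// the quote encoding does stop, and the javascript: payload that solved the lab.
const samples = [
  ['RayofHope', 'https://nobody.com'],
  ['RayofHope', '"><svg onload=alert(1)>'],
  ['ray', 'javascript:alert(1)'],
  ['ray', ' JaVaScRiPt:alert(1)'],
];

for (const [name, website] of samples) {
  const vuln = renderAuthorLinkVulnerable(name, website);
  const hard = renderAuthorLinkHardened(name, website);
  console.log(JSON.stringify(website));
  console.log('  vulnerable:', vuln, '-> runs script:', hrefRunsScript(vuln));
  console.log('  hardened:  ', hard, '-> runs script:', hrefRunsScript(hard));
}
```

Run it with node and compare the two columns: the break-out payload is harmless under both renderers because the quotes are encoded, but only the hardened renderer refuses the javascript: values, and it does so by rejecting the scheme rather than by searching for the string "javascript", which is why the mixed-case and leading-space variants are also caught.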


Source: https://infosecwriteups.com/day-8-stored-xss-into-anchor-href-attribute-with-double-quotes-html-encoded-zero-to-hero-series-f4bcab7d9b8f?source=rss----7b722bfd1b8d---4