webPromedium

Lab 21 — ShelfSpace — Stored XSS in Product Description Editor

hackadvisor

Task: E-commerce platform (ShelfSpace) with rich text editor for product descriptions, no HTML sanitization, and an admin QA bot that reviews products. Solution: Stored XSS via <img onerror> in product description loads external JS that fetches admin-only /admin/settings page and exfiltrates the flag via Image request URL paths.

$ ls tags/ techniques/

session_hijacking stored_xss bot_exploitation html_injection data_exfiltration ecommerce rich_text_editor

stored_xss_via_img_onerrorexternal_script_loadingadmin_page_fetch_exfiltrationbase64_chunked_exfiltration_via_image_srcbot_triggered_xss

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 75 — StayNest — Stored XSS in Hotel Booking Form— hackadvisor
[web][Pro]Lab 193 — ShopNova — Price Manipulation in Checkout API— hackadvisor
[web][Pro]Lab 33 — PulsePress — Reflected XSS in Search Page— hackadvisor
[web][Pro]Lab 42 — ProsePad — DOM Clobbering to Stored XSS— hackadvisor
[web][Pro]Lab 202 — WikiVault — AngularJS Client-Side Template Injection (XSS)— hackadvisor