July 14, 2026
NahamStore CTF (XSS)
Hi hackers this a part 2 from CTF NahamStore

By ZODiAK
3 min read
after change i got a new parameter
and i will test this parameter to find XSS
1 : Enter an URL ( including parameters ) of an endpoint that is vulnerable to XSS?
case 2 : Add item to your basket and open burpsuite before payment
I catch the request , Now i test the XSS in User-Agent
good i have a second XSS in User-Agent
2: What HTTP header can be used to create a Stored XXS?
Answer: User-Agent
case 3:
click ctrl+u to show page source code
3- What HTML tag needs to be escaped on the product page to get the XSS to work?
Answer: title
case 4:
now i show the source page and search on my input (tester)
4- What JavaScript variable needs to be escaped to get the XSS to work?
Answer: search
case 5:
after test search input i found a hidden parameter in source code and in url , so i will test that parameter.
5-What hidden parameter can be found on the shop home page that introduces an XSS vulnerability?
Answer : q
case 6:
6- What HTML tag needs to be escaped on the returns page to get the XSS to work?
Answer : textarea
case 7 :
7- What is the value of the H1 tag of the page that uses the requested URL to create an XSS ?
Answer : Page Not Found
case 8:
I open burpsuite to get this request before send to server
i found a hidden parameter in request he is discount and he is save my value
so i will try inject this parameter but before this must be type this parameter in url because success injection
very nice i success to found hidden parameter and inject it
Explanation the paylod :
" -> to close the backe tag
onmouseover -> this js tag his run after move my mouse to the injured place
// -> to make any thing after this code a comment
Follow me on MyPortfolio
Follow me on MyYoutube
continued …