A3:2021 | Cross Site Scripting Stored (3) | Cycubix Docs

See the comments below.

Add a comment with a JavaScript payload. Again … you want to call the webgoat.customjs.phoneHome function.

As an attacker (offensive security), keep in mind that most apps will not have such a straightforwardly named compromise. Also, you may have to find a way to load your JavaScript dynamically to achieve the goal of extracting data fully.

Solution

  • Following the instructions, we need to add a comment with a JavaScript payload that calls the webgoat.customjs.phoneHome function.

  • Type the following script into the comment field:

<script>webgoat.customjs.phoneHome()</script>

  • Your comment should be posted like this:

  • Open the developer tools and go to console. You should see a message like this:

phone home said {"lessonCompleted":true,"feedback":"Congratulations. You have successfully completed the assignment.","output":"phoneHome Response is -2007049551","assignment":"DOMCrossSiteScripting","attemptWasMade":true}

Notice that the WebGoat page states that "each subsequent call to the phoneHome method will change that value. You may need to ensure you have the most recent one."

  • Once you have your value submit it in the answer box:

Troubleshooting

  • If you get the error "Failed to load resource: the server responded with a status of 404 (Not Found)", there is probably a typo in the script you submitted in the comment field.

  • Check every symbol and the capitalisation against the path given in the exercise; the JavaScript function name is case-sensitive.
