We kicked off the day with our usual news segment. My group presented on the recent 4chan leaked credentials incident. As of now, the 4chan site is down, most likely because their source code was leaked, including credentials for moderators.


I was still feeling the exhaustion from the week, but next up was our SIEM assessment and I was ready for it. It actually went pretty well for me. Some classmates are still getting used to the tricky wording of these types of questions. Sometimes there are multiple answers that seem correct, but one is just slightly more correct than the others. That’s classic CompTIA exam style.


Then, we shifted focus to Cross-site Scripting (XSS). I learned about a few types, especially:

  • Stored XSS, where the malicious script is permanently stored on the server (like in a database or forum post), and executes whenever someone loads the affected page.
  • DOM-based XSS, which happens entirely on the client side. The script changes the DOM in the browser without a new page being loaded, so the vulnerability is in the client-side code running in the browser, not in the server.

The lab wasn’t too hard in terms of execution, but understanding the code behind the vulnerability was a bit of a challenge. For example, we used this payload:
"><script>alert('THM');</script>

The key part is the "> at the beginning. The " closes the value attribute of an HTML input field and the > closes the input tag itself, so the <script> ... </script> that follows is parsed as a new element of its own, with </script> ending the injected script. In simpler terms: you’re tricking the browser into thinking your malicious code is part of the original website code.
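To make the attribute breakout concrete, here is an added example (not from the lab or the original post) that renders the same input field with and without output encoding and checks whether the lab payload escapes the tag. The template and the names renderUnsafe, renderSafe, escapeAttr and breaksOut are assumptions made for illustration.

```javascript
// Added example: a template that echoes user input into an input's value
// attribute, first by plain concatenation and then with attribute encoding.
// All function names and the form field "q" are hypothetical.

// Encode the characters that can end an attribute value or start a tag.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Vulnerable: user input is concatenated straight into the markup.
function renderUnsafe(value) {
  return '<input type="text" name="q" value="' + value + '">';
}

// Hardened: same template, input encoded for the attribute context.
function renderSafe(value) {
  return '<input type="text" name="q" value="' + escapeAttr(value) + '">';
}

// Simplified check: track double-quoted attribute values the way an HTML
// tokenizer does and report whether any markup follows the first tag close.
function breaksOut(html) {
  let inQuote = false;
  for (let i = 0; i < html.length; i++) {
    const c = html[i];
    if (c === '"') inQuote = !inQuote;
    else if (c === ">" && !inQuote) return i !== html.length - 1;
  }
  return true; // the tag was never closed
}

const payload = `"><script>alert('THM');</script>`; // payload from the lab

console.log(renderUnsafe(payload), "-> breaks out:", breaksOut(renderUnsafe(payload)));
console.log(renderSafe(payload), "-> breaks out:", breaksOut(renderSafe(payload)));
```

With encoding applied, the quote and angle brackets arrive as &quot; and &gt;, so the browser keeps the whole string inside the value attribute and displays it as text.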


In the afternoon, I did some revision since I had already completed the lab earlier. I’m trying hard to keep all the concepts fresh, like DAC, MAC, and RBAC.

These are all key topics in the CompTIA Security+ exam, which I plan to take right after the bootcamp ends.


Later on, we got into a whole new topic – File Inclusion vulnerabilities. It was my first time learning about this, and we covered:

  • Path Traversal – where an attacker navigates the file system using something like ../../ to access restricted files.
  • Local File Inclusion (LFI) – the attacker tricks the web server into loading a local file (already on the server).
  • Remote File Inclusion (RFI) – the attacker includes a file from a remote location (e.g., from their own malicious server).

These concepts were more advanced, and the final few exercises were definitely the hardest of the day. We had to use Burp Suite, which thankfully I had already used in a previous lab I did last week. After spending a good chunk of time stuck, I turned to some trusty online research (shoutout to my favorite AI chatbot), and I eventually finished the lab.


Now I’m really starting to feel the intensity of the bootcamp. It’s only going to get tougher from here, so I need to stay focused and ready. But honestly, I’m excited. We’re finally diving into the offensive side!