Challenge 5 — The Poisoned Parameter
Difficulty: Hard — Skills: Parameter extraction, URI parsing
Scenario
An attacker from IP 172.16.99.5 is injecting XSS payloads into your application. All the attacks use the same query parameter to deliver the malicious content: cookie-stealing scripts, event handler injections, and encoded <script> tags.
Your mission: Identify the query parameter name being used as the injection vector.
Prerequisites
- Lab infrastructure deployed
- WAF logs flowing to Log Analytics
Generate Challenge Traffic
Script: challenge-traffic.ps1
Wait 10-15 minutes for logs to appear in Log Analytics before investigating.
Investigation
Filter by the attacker's IP, examine the request URIs, and extract the common parameter name.
Hint 1 — Filter by attacker IP
Use where clientIp_s == "172.16.99.5" and filter for XSS rule groups.
Hint 2 — Parse the query string
Use KQL string functions: split(requestUri_s, "?") to get the query string, then split(..., "=") to extract parameter names.
Hint 3 — KQL Query
AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog"
| where clientIp_s == "172.16.99.5"
| where ruleGroup_s contains "XSS"
| extend QueryString = tostring(split(requestUri_s, "?")[1])
| extend ParamName = tostring(split(QueryString, "=")[0])
| summarize Count = count() by ParamName
| order by Count desc
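The same parsing step as an added Python example (not part of the lab or its scripts), run over a constructed set of WAF records whose field names mirror the AzureDiagnostics columns above. It goes one step beyond the KQL hint: `split(QueryString, "=")[0]` only yields the first parameter of each URI, whereas this walks every key=value pair, decodes percent-encoding, and counts only parameters whose decoded value carries a script-like marker. The parameter name "comment" in the sample is invented and is not the challenge answer.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed WAF log records for illustration, not data from the lab. The field
# names follow the AzureDiagnostics columns used in the KQL hint; the parameter
# name "comment" is invented here and is not the challenge answer.
SAMPLE_LOGS = [
    {"clientIp_s": "172.16.99.5", "ruleGroup_s": "REQUEST-941-APPLICATION-ATTACK-XSS",
     "requestUri_s": "/search?comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E&page=1"},
    {"clientIp_s": "172.16.99.5", "ruleGroup_s": "REQUEST-941-APPLICATION-ATTACK-XSS",
     "requestUri_s": "/post?page=2&comment=%22%20onerror%3Dalert(1)%20"},
    {"clientIp_s": "172.16.99.5", "ruleGroup_s": "REQUEST-941-APPLICATION-ATTACK-XSS",
     "requestUri_s": "/search?comment=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E"},
    {"clientIp_s": "172.16.99.5", "ruleGroup_s": "REQUEST-942-APPLICATION-ATTACK-SQLI",
     "requestUri_s": "/login?user=admin%27--"},
    {"clientIp_s": "10.0.0.7", "ruleGroup_s": "REQUEST-941-APPLICATION-ATTACK-XSS",
     "requestUri_s": "/search?q=%3Cb%3Ehi"},
]

# Cheap indicators of a script/markup payload in a *decoded* parameter value.
XSS_MARKERS = re.compile(r"<|javascript:|on\w+\s*=", re.IGNORECASE)


def injection_parameters(records, attacker_ip):
    """Count, per parameter name, how often the attacker's XSS-flagged requests
    carry a payload-looking value in that parameter.

    Unlike split(QueryString, "=")[0] in the KQL hint, which only yields the
    first parameter of each URI, this walks every key=value pair and decodes
    percent-encoding first, so an encoded <script> in the second parameter is
    still attributed to the right name.
    """
    counts = Counter()
    for rec in records:
        if rec["clientIp_s"] != attacker_ip or "XSS" not in rec["ruleGroup_s"]:
            continue
        query = urlsplit(rec["requestUri_s"]).query  # "" when there is no "?"
        for name, value in parse_qsl(query, keep_blank_values=True):
            if XSS_MARKERS.search(value):
                counts[name] += 1
    return counts


def likely_vector(records, attacker_ip):
    """Return the parameter name most often carrying payloads, or None."""
    counts = injection_parameters(records, attacker_ip)
    return counts.most_common(1)[0][0] if counts else None
```

Against the sample, `likely_vector(SAMPLE_LOGS, "172.16.99.5")` returns "comment" and the SQLi-flagged and other-client records are ignored; in the lab you would feed it the rows exported from Log Analytics instead.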
Submit Your Answer
What is the query parameter name used for XSS injection?