Reflected XSS into attribute with angle brackets HTML-encoded | Dec 29, 2022

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: Reflected XSS into attribute with angle brackets HTML-encoded! Without further ado, let’s dive in.

• Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆

Background

This lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded. To solve this lab, perform a cross-site scripting attack that injects an attribute and calls the alert function.

Exploitation

Home page:

In here, we can see there is a search box.

Let’s search something:

As you can see, our input is reflected to the web page.

Let’s try to inject an XSS payload:

<script>alert(document.domain)</script>

View souce page:

<section class=blog-header>
    <h1>0 search results for '&lt;script&gt;alert(document.domain)&lt;/script&gt;'</h1>
    <hr>
</section>

Hmm… The angle brackets were HTML encoded!

To bypass that, we can use event handler:

" autofocus onfocus=alert(document.domain) closeme="

The above payload creates an onfocus event that will execute JavaScript when the element receives the focus, and also adds the autofocus attribute to try to trigger the onfocus event automatically without any user interaction. Finally, it adds x=" to gracefully repair the following markup.

We did it!

What we’ve learned:

1. Reflected XSS into attribute with angle brackets HTML-encoded