In this post, we’re going to be solving the lab: “Reflected XSS into attribute with angle brackets HTML-encoded”.

Reflected XSS into attribute lab start screen

In this case, to solve the challenge we need to inject an attribute that executes an alert.

First of all, let’s access the lab:

Lab main page with search bar

Once we access it, we find ourselves before a search bar, so we’re going to use it by searching for a random word:

Search form with test term

Search results showing parameter in URL

When we search, if we pay attention, several things happen here:

  1. In this case, there are no results, but that’s the least of it.
  2. The search parameter is added to the URL.
  3. What we search for ends up being the value of the value attribute in the input element.

Taking into account the last two points, we can create a payload that creates a new attribute inside the input element so that an alert is executed. In this case, the payload is:

  • "onmousemove="alert(1)

XSS payload injected in the search parameter

This way, by searching for the payload we specified above, we solve the lab:

Results page without visible alert execution

It seems that nothing has happened in terms of executing the alert, however, if we move the mouse over the word:

Successful alert execution when moving mouse over the field

It executes. This way we successfully solve the lab:

Final confirmation of lab success

Share on X Share on LinkedIn Share on Telegram
Comment on Discord Visit the author page