In this post, we’re going to be solving the lab: “Stored XSS into anchor href attribute with double quotes HTML-encoded”.

Stored XSS into anchor href attribute lab start screen

In this case, to solve the lab we need to write a comment that calls the alert function when clicking on the comment author’s name.

First of all, let’s access the lab:

Lab main page showing blog articles

Once we access it, we can see several articles. We open the first one (any of them would work):

List of available blog articles

Complete view of the first blog article

Once inside, we can observe that there’s a comments section:

Comments section at the end of the article

So we’re going to write any comment:

Comment form with fields to complete

Test comment submitted successfully

Published comment showing author name as hyperlink

When we submit a comment, it’s stored on the website and shown to anyone who opens the article. We can observe that the author’s name in the comment we posted is a hyperlink. If we look at its source code, we can see that the href attribute holds the value we entered in the Website field of the comment form:

HTML source code showing href attribute with value from Website field

Knowing this, we can put a payload in the Website field that executes an alert when someone clicks on the author’s name:

XSS payload injected in the Website field of the form

We submit the comment and:

Lab solved successfully message

We complete the lab! If we go back to the comments section and observe the source code, we can see how our payload has been placed:

Source code showing XSS payload injected in href attribute

And if we click on test:

Successful alert execution when clicking on the author's name

It executes!
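
Why encoding the double quotes did not help here, and what the server-side fix looks like, as an added example that is not the lab's own code: the value never needs to leave the attribute, so the defence is a scheme allowlist on the Website field. The function names, the markup and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helpers, not the lab's server code.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Encode characters that could break out of a double-quoted attribute.
function encodeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Weak form: encoding only. The value stays inside href="...", but the
// browser still honours whatever URL scheme the commenter supplied.
function renderAuthorWeak(name, website) {
  return `<a href="${encodeAttr(website)}">${encodeAttr(name)}</a>`;
}

// Returns a normalized absolute URL, or null when the scheme is not allowed.
// The WHATWG URL parser lowercases the scheme and strips embedded tabs and
// newlines, so the check sees the scheme the way a browser would.
function safeHref(website) {
  let url;
  try {
    url = new URL(String(website).trim());
  } catch {
    return null; // relative or unparseable input is rejected
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Hardened form: render a link only for http(s); otherwise plain text.
function renderAuthorHardened(name, website) {
  const href = safeHref(website);
  if (href === null) return `<span>${encodeAttr(name)}</span>`;
  return `<a href="${encodeAttr(href)}" rel="nofollow noopener">${encodeAttr(name)}</a>`;
}

// Constructed sample inputs for the Website field.
const samples = ["https://example.com/me", "javascript:alert(1)",
  " JaVaScRiPt:alert(1)", "java\tscript:alert(1)", "data:text/html,x", "example.com"];
for (const s of samples) console.log(JSON.stringify(s), "->", safeHref(s));
```

A Content-Security-Policy without `'unsafe-inline'` in `script-src` adds a second layer, since browsers then refuse to run `javascript:` URLs.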