Reflected XSS into a JavaScript string with angle brackets and double quotes HTML encoded and single quotes escaped
Description
This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality, where angle brackets and double quotes are HTML encoded and single quotes are escaped with a backslash.
To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function.
Approach
After accessing the lab, I intercepted the /search request and sent it to Burp Suite Repeater:
I noticed that my input was being escaped using a backslash \:
When I sent:
GET /?search='ichyaboy
I got:
<script> var searchTerms ='\'ichyaboy'; document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');</script>
To neutralise this backslash, I needed to prefix my single quote with an additional \, so that the application's escaping backslash is itself escaped and the quote is left unescaped. Therefore, the payload would look like this:
Then I got:
Building the final payload: \';alert(1);//
Let's break down this payload:
\ : This backslash is used to escape the backslash that the application uses to escape my single quote. By adding this backslash, I neutralize the escaping backslash and allow the single quote to close the searchTerms string.
'; : This closes the searchTerms string in the script tag, allowing me to inject new JavaScript code.
alert(1); : This is the injected JavaScript code that will execute an alert box with the message "1".
// : This comments out the remainder of the JavaScript code to prevent any syntax errors from the original script.
By sending this payload, I successfully triggered an alert box, confirming the XSS vulnerability and solving the lab.
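The defect described above, as an added example (not the lab's own code): the lab's single-quote escaping modelled next to a hardened encoder for the JavaScript-string context, with a small harness that renders the tracker script and reports whether a given search term broke out of the string literal. The tracker markup is reconstructed from the response shown above; the function names are my own.

```javascript
// The lab's defence: only the single quote gets a backslash. A backslash in the
// input is passed through untouched, so "\'" becomes "\\'" (an escaped
// backslash followed by a live quote) and the string literal is closed.
function weakEscape(input) {
  return input.replace(/'/g, "\\'");
}

// Hardened encoder for a JavaScript string literal: every character that is not
// alphanumeric is emitted as a \xNN or \uNNNN escape. The input can then never
// contribute a raw quote, backslash, newline or "</script>" to the page.
function safeEscape(input) {
  return input.replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Renders the inline script the way the lab does: the untrusted search term is
// dropped straight into a single-quoted JavaScript string literal.
function renderScript(escaper, searchTerm) {
  return "var searchTerms = '" + escaper(searchTerm) + "';" +
    " document.write('<img src=\"/resources/images/tracker.gif?searchTerms=' +" +
    " encodeURIComponent(searchTerms) + '\">');";
}

// Runs the rendered script with stubbed document and alert objects. A call to
// alert means the literal was broken out of; `value` is what searchTerms holds.
function evaluate(escaper, searchTerm) {
  const calls = [];
  const fakeDocument = { write() {} };
  const fakeAlert = (x) => calls.push(x);
  // Newline before the return so a trailing "//" in the payload cannot comment it out.
  const body = renderScript(escaper, searchTerm) + "\nreturn searchTerms;";
  const value = new Function("document", "alert", body)(fakeDocument, fakeAlert);
  return { brokeOut: calls.length > 0, value };
}
```

Run `evaluate(weakEscape, "\\';alert(1);//")` and `evaluate(safeEscape, "\\';alert(1);//")` to see the weak version report a break-out and the hardened version return the search term intact.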