Reflected XSS into a JavaScript string with angle brackets HTML encoded
Description
This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function.
Approach
After accessing the lab, I intercepted the search request.
In the response, I noticed my input was embedded within a script tag:
<script> var searchTerms ='ichyaboy'; document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');</script>
To exploit this, I crafted a payload to break out of the JavaScript context, inject my malicious script, and comment out the rest to prevent errors. Here’s the payload:
';alert(1)//
This payload works as follows:
' closes the existing string, and ; terminates the assignment statement.
alert(1) then runs as a statement of its own and triggers the alert.
// comments out the remainder of the line, including the original closing quote and the document.write call, so the script has no syntax error.
After injecting this payload, an alert box popped up, confirming the XSS vulnerability and solving the lab.
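As an added example (not code from the lab or from PortSwigger), the following Node.js script models the sink shown in the response above: it reflects the write-up's payload through the lab's angle-bracket-only encoding and through a JSON-based encoding, then scans the rendered script the way the engine would to see whether the search term escaped the string literal. The document.write line is copied from the response; the encoders, templates and checker are constructed here.

```javascript
// Tracker statement as it appears in the lab response (copied from the write-up).
const TRACKER = "document.write('<img src=\"/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'\">');";

// Constructed input: the payload from the write-up.
const PAYLOAD = "';alert(1)//";

// The lab's encoding: only angle brackets are HTML-encoded; quotes and
// backslashes reach the JavaScript string untouched.
function encodeAnglesOnly(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Hardened encoding: JSON.stringify escapes quotes and backslashes, and the
// characters the HTML parser reacts to inside <script> are \u-escaped too,
// so neither the JS string nor the script element can be closed early.
function encodeForJsString(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
}

// Vulnerable template, as in the lab: the value is dropped between single quotes.
function renderWeak(term) {
  return "<script> var searchTerms ='" + encodeAnglesOnly(term) + "'; " + TRACKER + "</script>";
}

// Hardened template: the JSON literal supplies its own double quotes.
function renderSafe(term) {
  return "<script> var searchTerms =" + encodeForJsString(term) + "; " + TRACKER + "</script>";
}

// Scan a JS string literal the way the engine does: from the opening quote at
// `start`, skip backslash escapes, stop at the first unescaped matching quote.
// Returns the source after the literal, or null if the literal never closes.
function sourceAfterLiteral(src, start) {
  const quote = src[start];
  for (let i = start + 1; i < src.length; i++) {
    if (src[i] === '\\') { i++; continue; }
    if (src[i] === quote) return src.slice(i + 1);
  }
  return null;
}

// Whatever follows the literal beyond the template's own tail is code the
// search term injected (empty string = no breakout). null means the term
// swallowed or destroyed the template, e.g. a lone backslash in the weak sink.
function injectedCode(render, term) {
  const marker = 'var searchTerms =';
  const base = render('');
  const tail = sourceAfterLiteral(base, base.indexOf(marker) + marker.length);
  const page = render(term);
  const rest = sourceAfterLiteral(page, page.indexOf(marker) + marker.length);
  if (rest === null || !rest.endsWith(tail)) return null;
  return rest.slice(0, rest.length - tail.length);
}
```

With the weak sink the checker reports `;alert(1)//'` (the injected statements plus the orphaned closing quote); with the JSON-encoded sink it reports nothing injected.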