Stored XSS into anchor href attribute with double quotes HTML encoded

Description

This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert function when the comment author name is clicked.

Approach

After accessing the lab, I went straight to the comment section. After filling in all the fields and sending the comment, I ensured that my FoxyProxy extension was enabled so I could proxy all the requests through Burp Suite:

POST /post/comment HTTP/1.1
Host: 0a7b00ae033c914d81d88e6c00bb00e6.web-security-academy.net
Cookie: session=i9W9X114JJg3ojA2FicetxrshRuKxOKR
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
...

csrf=jvb0368I4tN90GrygrN7DFZNUFswFktP&postId=5&comment=this+is+a+malicious+comment&name=ichyaboy&email=qwe%40qwe.com&website=http%3A%2F%2Fmalicious.boy

After sending this request and checking the response in Burp Suite, I observed that my URL data was stored and reflected in the href attribute of the a tag:

<a id="author" href="http://malicious.boy">ichyaboy</a>

So, all I had to do was inject the JavaScript pseudo-protocol inside the href attribute to achieve script execution. This was my payload:

javascript:alert(1)

After injecting that into the website input and posting the comment, I could see that when I went back to the blog post and clicked on my comment's username, the alert was triggered, and an alert box popped up. This confirmed that the XSS attack was successful and the lab was solved.
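The root cause, shown as an added example that is not part of the original write-up or the lab's own code: HTML-encoding the value keeps it inside the href attribute but does not check the URL scheme, so the fix is to parse the website field and allow only http and https. All function names here are hypothetical, the sample inputs are constructed, and the server is assumed to run on Node.js.

```javascript
// Added example; escapeHtml, renderAuthorUnsafe, safeWebsiteUrl and
// renderAuthorSafe are hypothetical names, not taken from the lab.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Mirrors the behaviour observed in the lab: quotes are encoded, so the value
// cannot leave the attribute, but any scheme is accepted as the link target.
function renderAuthorUnsafe(name, website) {
  return `<a id="author" href="${escapeHtml(website)}">${escapeHtml(name)}</a>`;
}

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Parse with the WHATWG URL parser (the same rules browsers apply) rather than
// a string prefix check, then allow-list the normalized, lower-cased scheme.
// Returns the normalized URL, or null for anything that is not absolute http(s).
function safeWebsiteUrl(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch {
    return null; // relative or unparseable values are rejected
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Hardened rendering: no link at all when the URL fails validation.
function renderAuthorSafe(name, website) {
  const href = safeWebsiteUrl(website);
  const label = escapeHtml(name);
  return href === null
    ? `<span id="author">${label}</span>`
    : `<a id="author" href="${escapeHtml(href)}" rel="nofollow noopener">${label}</a>`;
}

// Constructed sample inputs: the value from the write-up and a normal URL.
for (const site of ["javascript:alert(1)", "http://malicious.boy"]) {
  console.log(renderAuthorUnsafe("ichyaboy", site));
  console.log(renderAuthorSafe("ichyaboy", site));
}
```

Validation belongs on the server when the comment is stored and again when it is rendered, so that values saved before the check was added are also covered.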