Solving PortSwigger Academy: Reflected XSS in a JavaScript URL with some characters blocked
This lab reflects your input in a JavaScript URL, but all is not as it seems. This initially seems like a trivial challenge; however, the application is blocking some characters in an attempt to prevent XSS attacks.
To solve the lab, perform a cross-site scripting attack that calls the alert function with the string 1337 contained somewhere in the alert message.
When we visit the lab, we see a blog site where we can leave comments.

I tried various payloads but was not successful. I looked at the page source again and saw a link which says Back to Blog.

This sends a POST request to /analytics with the parameter post?postid=<number>. Let’s see if we can add something to the post ID. I used a number, and it says Not Found.

Let’s inject some JS. This time it says invalid blog post ID.

I used ' and HTML-encoded it, and this time I received the page.

Then I used alert, but it did not execute.

The application is removing the ‘()’ characters.
Let’s use the payload below:
&%27},x=x=>{throw/**/onerror=alert,1337},toString=x,window%2b%27%27,{x:%27
This solves the lab. To trigger the alert, click on Back to Blog.
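Seen from the defender's side, the lab shows why stripping characters does not protect a value reflected into a JavaScript URL. The following is an added example, not part of the original write-up or the lab's own code: the link template, the filter and all function names are assumptions built from the behaviour described above (parentheses removed, input reflected into a JavaScript URL).

```javascript
// Constructed for illustration: the link template and the filter are
// assumptions, not the lab's real server code.
const SAMPLE_QUERY = // the payload from this write-up, appended to postid=5
  "postid=5&%27},x=x=>{throw/**/onerror=alert,1337},toString=x,window%2b%27%27,{x:%27";

// Weak: strip "dangerous" characters, then reflect the rest into a JS
// string inside a javascript: URL. Quotes, braces and commas survive.
function weakBackLink(rawQuery) {
  const filtered = decodeURIComponent(rawQuery).replace(/[()]/g, "");
  return `javascript:fetch('/analytics',{method:'post',body:'/post?${filtered}'})`;
}

// True if the reflected value closed the body:'...' string early, i.e. the
// input is now being parsed as code rather than data.
function escapesJsString(link) {
  const start = link.indexOf("body:'") + "body:'".length;
  const end = link.lastIndexOf("'})");
  return link.slice(start, end).includes("'");
}

// Hardened: allowlist. Exactly one parameter, digits only, and the value
// goes into a data attribute (read by a static script) instead of being
// concatenated into script source.
function safeBackLink(rawQuery) {
  const params = new URLSearchParams(rawQuery);
  const id = params.get("postid") ?? "";
  if ([...params.keys()].length !== 1 || !/^[0-9]{1,9}$/.test(id)) {
    return null; // caller answers 400 Bad Request
  }
  return `<a id="back" href="/" data-post-id="${id}">Back to Blog</a>`;
}

console.log(escapesJsString(weakBackLink(SAMPLE_QUERY)));
console.log(safeBackLink(SAMPLE_QUERY));
```

The blocklist version lets the quote through, so the reflected text leaves the string context; the allowlist version rejects the same request because it carries an extra parameter and never places user input inside script source.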
