Solving PortSwigger Academy: Reflected XSS into a JavaScript string with angle brackets HTML encoded
This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function.
Upon visiting the lab, we see a search box. I searched for a random string, ‘abcd12345’, which I found in a couple of places when viewing the page source.

Let’s try a payload that closes the script tag and then adds an XSS payload.
</script><img src=x onerror=alert(1)>
But when I looked at the page source, I saw that the angle brackets are encoded, which blocks the XSS.

We need to look for a payload without angle brackets. Let’s use ' -alert(1)-. No result.

We need an opening single quote to balance the closing one. Let’s try the same payload with some modification. This time it works.
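The defender's side of the walkthrough above, as an added example that is not part of the original post or the lab's code: it compares a template that only HTML-encodes angle brackets with one that emits a properly escaped JavaScript string literal, and checks whether the reflected value is still plain data. The `searchTerms` variable, the template and all function names are assumptions made for illustration.

```javascript
// Added example. The template and the searchTerms name are assumptions.

// Weak: only angle brackets are HTML-encoded; quotes pass through untouched.
function encodeAngleBrackets(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Hardened: build the whole JS string literal, then escape characters that
// matter to the surrounding HTML parser or to older JS line-terminator rules.
function toJsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderWeak(term) {
  return "var searchTerms = '" + encodeAngleBrackets(term) + "';";
}

function renderHardened(term) {
  return 'var searchTerms = ' + toJsStringLiteral(term) + ';';
}

// Compile the rendered script with a stub alert and report whether the
// reflected value is still plain data equal to what the user typed.
function check(script, term) {
  let alertCalled = false;
  try {
    const run = new Function('alert', script + '\nreturn searchTerms;');
    const value = run(() => { alertCalled = true; });
    return { parses: true, alertCalled, preserved: value === term };
  } catch (e) {
    return { parses: false, alertCalled, preserved: false };
  }
}

// Inputs: the page's test string and two payloads, plus one constructed
// benign term containing an apostrophe.
const samples = ['abcd12345', "O'Reilly", "' -alert(1)-",
  '</script><img src=x onerror=alert(1)>'];

for (const term of samples) {
  console.log(JSON.stringify(term));
  console.log('  weak    ', renderWeak(term), check(renderWeak(term), term));
  console.log('  hardened', renderHardened(term), check(renderHardened(term), term));
}
```

With the weak template, any input containing a single quote ends the string early, so even the benign apostrophe produces a script that no longer parses; the hardened template returns every input unchanged as data.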

