Reflected XSS into a JavaScript string with angle brackets HTML encoded
This is going to be the last in a series of nine apprentice-level Cross-Site Scripting (XSS) labs from PortSwigger Web Security Academy. In this lab we are going to be revisiting Reflected XSS. Reflected XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.
Lab description: This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function.
It’s a pretty straightforward lab where we are going to need to use the search bar to inject our payload. However, as the lab title indicates, we will not be able to use angle brackets (< >) within the payload. The angle brackets are HTML-encoded this time, so the payload has to work entirely inside the JavaScript string it lands in.
Access the lab, enter an alphanumeric string that you know will yield 0 results in the search bar, and hit Enter.
Now let’s inspect what is going on with this search function. Right click where your search string is displayed on the results page. Select Inspect.
This is going to bring up your DOM browser with your search string highlighted. In the DOM search bar, enter your search string again and hit Enter. You should find three places where it shows up: an HTML comment, the <h1> heading, and the <script> block.
<!-- M4rdukWasH3re -->
<section class="blog-header">
<h1>0 search results for 'M4rdukWasH3re'</h1>
<hr>
</section>
<script>
var searchTerms = 'M4rdukWasH3re';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>
<img src="/resources/images/tracker.gif?searchTerms=M4rdukWasH3re">
We are going to focus our attention on the <script>. Notice how our search string is wrapped in single quotes. Try adding one single quote to the end of your search string to see what happens, then right click where your search string is displayed on the results page and select Inspect.
Look at our search string in the <script> now. The extra single quote is reflected unencoded and closes the string literal early, so we have broken out of the string. Now all we have to do is add our payload after the single quote.
<!-- M4rdukWasH3re' -->
<section class="blog-header">
<h1>0 search results for 'M4rdukWasH3re''</h1>
<hr>
</section>
<script>
var searchTerms = 'M4rdukWasH3re'';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>
In order to solve the lab, we need to call the alert() function. In previous labs, we had to specify javascript:alert(). This time, however, we are already in a JavaScript script, so we just need to append our alert() function to the existing script.
There are a couple of ways we can do this. I’m going to concatenate it to the existing string using the (+) operator:
M4rdukWasH3re' + alert(1) + '
Enter your payload into the search bar and hit Enter.
Congratulations! You’ve solved another one. Keep up the good work!
Let’s look at what’s happening. Right click where your search string is displayed on the results page. Select Inspect.
Check it out. There is our payload sitting in the <script>. The assignment is now evaluated as 'M4rdukWasH3re' + alert(1) + '', so alert(1) fires while the page loads. Because alert() returns undefined, the resulting searchTerms value is "M4rdukWasH3reundefined", which is exactly what ends up in the tracker image URL below.
<!-- M4rdukWasH3re' + alert(1) + ' -->
<section class="blog-header">
<h1>0 search results for 'M4rdukWasH3re' + alert(1) + ''</h1>
<hr>
</section>
<script>
var searchTerms = 'M4rdukWasH3re' + alert(1) + '';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>
<img src="/resources/images/tracker.gif?searchTerms=M4rdukWasH3reundefined">
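To see why HTML-encoding only the angle brackets leaves this sink exposed, here is an added example (not the lab’s own server code or the author’s) that rebuilds the inline script two ways: with the lab’s angle-bracket-only encoding, and with a proper JavaScript-string encoder. The function names and the simulate() helper, which stands in for the browser running the script with a stubbed alert(), are my own.

```javascript
// Added example, not part of the lab or the original post.

// What the lab's page appears to do: encode < and > and nothing else.
// A single quote passes straight through, so it can close the string literal.
function encodeAngleBrackets(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Correct encoding for a value placed in a JS string inside a <script> block:
// JSON.stringify escapes quotes and backslashes; the second pass turns the
// characters the HTML parser cares about (<, >, &, /) and the two line
// terminators JSON leaves alone (U+2028, U+2029) into \uXXXX escapes,
// so the string can never contain "</script>" or a bare quote.
function encodeForJsString(s) {
  return JSON.stringify(s).replace(/[<>&\/\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Render the inline script the same way the lab's response does.
function renderVulnerable(term) {
  return "var searchTerms = '" + encodeAngleBrackets(term) + "';";
}
function renderSafe(term) {
  return 'var searchTerms = ' + encodeForJsString(term) + ';';
}

// Stand-in for the browser executing the inline script (hypothetical helper):
// run it with a stubbed alert() and report what happened.
function simulate(script) {
  const calls = [];
  const alert = x => { calls.push(x); };   // returns undefined, like the real one
  const run = new Function('alert', script + '\nreturn searchTerms;');
  return { alertCalls: calls, searchTerms: run(alert) };
}

const payload = "M4rdukWasH3re' + alert(1) + '";   // the lab's payload
const vuln = simulate(renderVulnerable(payload));
// vuln.alertCalls -> [1]; vuln.searchTerms -> 'M4rdukWasH3reundefined'
const safe = simulate(renderSafe(payload));
// safe.alertCalls -> []; safe.searchTerms === payload (stored verbatim, never run)
```

The vulnerable rendering reproduces the lab exactly: alert fires and searchTerms becomes "M4rdukWasH3reundefined", while the safe rendering keeps the whole payload as inert string data.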
Up Next:
DOM XSS in document.write sink using source location.search inside a select element
Previous Labs:
Reflected XSS into a JavaScript string with angle brackets HTML encoded
Stored XSS into anchor href attribute with double quotes HTML-encoded
DOM XSS in jQuery selector sink using a hashchange event
DOM XSS in jQuery anchor href attribute sink using location.search source
DOM XSS in innerHTML sink using source location.search
DOM XSS in document.write sink using source location.search