Reflected XSS into a JavaScript String with Angle Brackets and Double Quotes HTML-Encoded and…


Marduk I Am

Welcome Back!

Lab Description:

This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality where angle brackets and double quotes are HTML encoded and single quotes are escaped.

To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function.

Getting Started:

This PortSwigger Web Security Academy lab is pretty straightforward. The vulnerability is in the search bar; it’s just a matter of finding it through trial and error.

Access the lab and you’ll be brought to our simple blog page again. Since the vulnerability is going to be in the site’s search function, let’s try it out.

Add a unique alphanumeric string, one that will not appear anywhere else on the page, to the search bar. Click ‘Search’.

Blog page with search function. Unique alpha-numeric string in the search bar.

We can see our string reflected back to the page. We need to see how the site is processing our search by viewing the DOM-browser.

“0 search results for ‘M4rdukwasH3re’”

Right-click on your search string and select ‘Inspect’. In the DOM-browser, we can use the search bar to find our string.

DOM-browser view showing where our search string appears.
We are interested in the middle one in the <script> tags.

Our search string appears in a <script> tag and is being assigned to the variable ‘searchTerms’. This is where we are going to try to break out of the string and insert our ‘alert(1)’ function.

From here, I‘ll go back and forth from the search bar to the DOM-browser. I will paste the <script> tag results each time to show how we are affecting the site’s JavaScript.

Crafting Our Payload:

You will notice our string is wrapped in single quotes. The title of this lab lets us know that single quotes are not going to work on their own, so we will need to find another way.

But first, let’s just try the single quote to see how the server responds. Add a single quote to your search string and click ‘Search’.

<!-- M4rdukwasH3re' -->
<script>
var searchTerms = 'M4rdukwasH3re\'';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>

After finding your string in the DOM, you’ll see that the server responded by adding a backslash, ‘\’, in front of our single quote, a result of server-side input handling. This is the ‘escaping’ the lab title was referring to.

Results for M4rdukwasH3re’ showing the single quote was reflected to the page.
The single quote was properly handled and reflected back to the page.

JavaScript treats the character immediately following a backslash as a literal character inside the string, so the escaped quote will not terminate our string. Just because one character is escaped or encoded, though, does not mean all of them are.

Certain characters, like single quotes, double quotes, and angle brackets, are commonly used in text-based content and may not always represent a security risk. For example, allowing single quotes in search queries enables users to search for phrases containing apostrophes without encountering errors.

Since the title gave us a clue about the single quote, it is also giving us a clue by NOT mentioning the backslash. Maybe, if we add our own backslash before our single quote, the server will insert its own backslash in between.

Effectively, our backslash will escape the server’s backslash, leaving our single quote to terminate our search string.

<!-- M4rdukwasH3re\' -->
<script>
var searchTerms = 'M4rdukwasH3re\\'';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>

It worked! This opens the door for us to inject our ‘alert(1)’ function into this line of JavaScript code.

Normally when writing JavaScript, the ‘+’ operator is used to concatenate strings, but in a request it is often encoded or transformed (in a URL query a literal ‘+’ decodes to a space), so it may not arrive intact. The hyphen, ‘-’, is not transformed, and for our purposes it does the same job: it is an operator, so the expression on its right, ‘alert(1)’, is evaluated.

Let’s try it now with our ‘-alert(1)’ function added.

<!-- M4rdukwasH3re\'-alert(1) -->
<script>
var searchTerms = 'M4rdukwasH3re\\'-alert(1)';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>

Still didn’t work. However, our ‘alert(1)’ function IS outside the string now. The trailing single quote and semicolon that the server appends are what prevent the line from being valid code.

Lab Solution:

To neutralise the rest of a line in JavaScript, we can use two forward slashes, “//”, the single-line comment marker, to ‘comment out’ everything that follows our payload.

Now let’s try adding ‘//’ to the end of our payload.

<!-- M4rdukwasH3re\'-alert(1)// -->
<script>
var searchTerms = 'M4rdukwasH3re\\'-alert(1)//';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>

It worked! Success! You can see that the trailing (‘;) has been commented out, and we get to see our pop-up alert.
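The root cause of this lab is that the server escapes the single quote but not the backslash, so a user-supplied backslash can neutralise the server’s one. The JavaScript below is an added example, not the lab’s or PortSwigger’s own code: naiveEscape is my approximation of the lab server’s handling, safeEscape is a hardened encoder for the same single-quoted script context, and lexFirstLiteral is a small static check that lexes the generated statement the way a JS engine would, instead of executing it. All function names are this example’s own.

```javascript
// Added example (not the lab's own code): the single-quote-only escaping the
// walkthrough exploits, beside a hardened encoder, with a static lexer check
// that shows whether the search term stays inside the JS string literal.
// naiveEscape is an approximation of the lab server's behaviour; all names
// here are this example's own.

// Approximates the lab's server-side handling: HTML-encode < > " and put a
// backslash before '. The backslash itself is never escaped: the root cause.
function naiveEscape(input) {
  return input
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, "\\'");
}

// Hardened encoder for a single-quoted JS string inside a <script> block:
// escape the backslash FIRST, then the quote, then \u-escape the characters
// the HTML parser or the JS lexer could act on (< > & " and line terminators).
function safeEscape(input) {
  return input
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/[<>&"\n\r\u2028\u2029]/g,
      c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Emits the statement the lab page generates for the search term.
function buildStatement(escaper, input) {
  return "var searchTerms = '" + escaper(input) + "';";
}

// Static check used instead of executing anything: lexes the first
// single-quoted literal the way a JS engine would (a backslash consumes the
// next character, \uXXXX decodes to one character) and reports the decoded
// value plus whatever source text follows the closing quote. For an intact
// statement that remainder is exactly ";".
function lexFirstLiteral(statement) {
  const open = statement.indexOf("'");
  let value = '';
  let i = open + 1;
  while (i < statement.length) {
    const c = statement[i];
    if (c === '\\') {
      const next = statement[i + 1];
      if (next === 'u') {
        value += String.fromCharCode(parseInt(statement.substring(i + 2, i + 6), 16));
        i += 6;
      } else {
        value += next;
        i += 2;
      }
      continue;
    }
    if (c === "'") {
      return { value, rest: statement.slice(i + 1), terminated: true };
    }
    value += c;
    i += 1;
  }
  return { value, rest: '', terminated: false };
}

// True when part of the input escaped the literal and became executable code.
function breaksOut(escaper, input) {
  const lit = lexFirstLiteral(buildStatement(escaper, input));
  return !lit.terminated || lit.rest !== ';';
}

// True when the value the browser would see equals what the user typed.
function roundTrips(escaper, input) {
  return lexFirstLiteral(buildStatement(escaper, input)).value === input;
}

// Constructed inputs: the walkthrough's own search strings, a benign
// apostrophe, and a script-closing tag.
const SAMPLES = [
  "M4rdukwasH3re",
  "M4rdukwasH3re'",
  "M4rdukwasH3re\\'",
  "M4rdukwasH3re\\'-alert(1)//",
  "O'Reilly",
  "</script>",
];

// Per-encoder report keyed by sample.
function audit(escaper) {
  const report = {};
  for (const s of SAMPLES) {
    report[s] = { breaksOut: breaksOut(escaper, s), roundTrips: roundTrips(escaper, s) };
  }
  return report;
}

console.log('naiveEscape:', audit(naiveEscape));
console.log('safeEscape: ', audit(safeEscape));
```

Two things the report makes visible: with naiveEscape, any input containing a backslash before the quote leaves code after the closing quote (the lexer’s rest is no longer just “;”), while a plain apostrophe such as O'Reilly is handled fine, which is why the bug is easy to miss in testing; and HTML-encoding angle brackets inside a script element does not decode back, so naiveEscape also corrupts legitimate values. The broader fix is to avoid building JavaScript from user input at all, for example by placing the value in a data attribute or a JSON blob and reading it from the DOM.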

Success. Pop-up window shown.

Congratulations! You solved another one! Keep up the great work!

See you next time!
