June 17, 2026
Cross-site scripting 7 (APPRENTICE)
Lab 9 - Reflected XSS into attribute with angle brackets HTML-encoded.
Nadia
2 min read
This lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded. To solve this lab, perform a cross-site scripting attack that injects an attribute and calls the alert function.
Hint: Just because you're able to trigger the alert() yourself doesn't mean that this will work on the victim. You may need to try injecting your proof-of-concept payload with a variety of different attributes before you find one that successfully executes in the victim's browser.
Solution
- Step 1: Click the orange "Access the Lab" button on the lab's home page.
- Step 2: After clicking "Access the Lab" you'll see a web page with a search bar. Type any random word, for example "z3nsh3ll", then right-click the page and select "Inspect." Notice how the input is reflected in the HTML: the search term is placed inside the value attribute of the input element.
```html
<input type="text" placeholder="Search the blog…"
name="search" value="z3nsh3ll">
```
The angle brackets < and > are HTML-encoded, so we can't inject new tags directly, but we can break out of the value attribute and inject an event handler.
Although angle brackets are encoded to prevent the creation of new tags, an attacker can still exploit this by injecting an event handler attribute directly into the existing tag (for example onmouseover="alert()"). This shows that encoding angle brackets alone is not enough: output placed inside an attribute must also encode the quote characters that delimit it, and a content security policy and input validation play a crucial role as additional layers.
- Step 3: Because the angle brackets are encoded and therefore cannot close tags or create new ones, the solution is to close the value attribute with a double quote (") and append an event handler attribute. Enter the payload z3nsh3ll" onmouseover="alert() into the search field. The reflected markup now reads as if onmouseover="alert()" were a legitimate attribute of the input tag, and the browser executes it automatically when the user moves the mouse over that element. The URL changes to https://0a7100f10379489280d6127c00d700b2.web-security-academy.net/?search=z3nsh3ll"+onmouseover%3D'alert()' .
- Step 4: Click OK on the pop-up alert. The page will display the message "Congratulations, you solved the lab!" and the lab status will change to "Solved."
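To see why the angle-bracket-only encoding fails and what the fix looks like, here is an added example (my own code, not PortSwigger's or the lab's) that renders the lab's search input with both a weak encoder and an attribute-safe encoder, then lists the attributes a browser would parse out of the result; the tokenizer and function names are my own.

```javascript
// Weak: mirrors the lab's behaviour - only < and > are encoded, quotes pass through.
function encodeAngleBracketsOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened: encode every character that can terminate a quoted attribute value.
function encodeForHtmlAttribute(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the search box markup the lab reflects the query into (constructed to match the page).
function renderSearchInput(query, encode) {
  return `<input type="text" placeholder="Search the blog…" name="search" value="${encode(query)}">`;
}

// Minimal attribute tokenizer for one start tag: returns the attribute names a
// browser would parse. Handles double-quoted, single-quoted and unquoted values.
function attributeNames(tag) {
  const body = tag.replace(/^<\w+/, "").replace(/\/?>$/, "");
  const re = /\s([^\s=>\/"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*))?/g;
  const names = [];
  let m;
  while ((m = re.exec(body)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True if the rendered tag gained an event-handler attribute (on*), i.e. the
// reflected value escaped the attribute it was meant to stay inside.
function hasEventHandler(tag) {
  return attributeNames(tag).some((n) => n.startsWith("on"));
}

// Constructed sample input: the payload the lab walkthrough uses.
const PAYLOAD = 'z3nsh3ll" onmouseover="alert()';

console.log("weak encoder attributes:    ", attributeNames(renderSearchInput(PAYLOAD, encodeAngleBracketsOnly)));
console.log("hardened encoder attributes:", attributeNames(renderSearchInput(PAYLOAD, encodeForHtmlAttribute)));
```

With the weak encoder the tag acquires an onmouseover attribute; with the hardened encoder the quote becomes &quot; and the whole payload stays inside the value attribute as inert text.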