June 17, 2026
Cross-site scripting 8 (APPRENTICE)
Lab 10 - Stored XSS into anchor href attribute with double quotes HTML-encoded.
Nadia
3 min read
This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert function when the comment author name is clicked.
Solution
- Step 1: Click the orange "Access the Lab" button on the home page.
- Step 2: After clicking "Access the Lab," select a post and scroll down until you find the "Leave a Comment" section. Fill in the fields with some random data just as an initial test. Once you're done, click "Post Comment."
- Step 3: Return to the blog page. In the comments section you'll see that the comment you just posted has been saved and is visible in the comments column, proof that your input was stored on the server.
- Step 4: Next, open a new tab and go to the URL you entered in the Website field, www.z3nsh3ll.ninja. As shown in the image, the server returns a "Not Found" response. The value of the Website field is rendered directly as the href of the anchor tag around the author's name, without sufficient validation.
- Step 5: Now right-click the author's name of the comment you just made and select "Inspect." In the HTML, you'll see the author's name rendered as an anchor whose href is the value you entered in the Website field.
The Website field is inserted directly into the href attribute of the tag, and this is the injection point.
- Step 6: Having confirmed that the Website field is included directly in the href attribute, submit a new comment with a malicious payload. Fill in the Website field with javascript:alert() and then click Post Comment.
We use javascript:alert() because the server HTML-encodes the double-quote (") character, so we cannot break out of the href attribute using the standard techniques. However, the browser still recognizes the javascript: pseudo-protocol as executable code rather than as a regular URL, so when the author's name is clicked, alert() is triggered immediately.
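The point above is worth seeing in code: encoding double quotes stops an attacker from closing the href attribute, but it does nothing about what the attribute value itself means to the browser. The following is an added example, not code from the lab or from PortSwigger. It models the vulnerable rendering (encode, then drop into href) next to a hardened version that parses the value and only allows http and https; all function names and the sample inputs are constructed for this example.

```javascript
// Added example (not from the lab): why encoding double quotes does not
// protect an href, and the scheme allow-list that does. Runs under Node.

// The lab's defence: HTML-encode characters that could break out of the attribute.
function htmlEncodeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable rendering, modelled on the lab: the Website field goes straight
// into href after encoding. The attribute cannot be broken out of, but the
// attribute *value* is still whatever URL the user supplied.
function renderAuthorLinkVulnerable(name, website) {
  return `<a href="${htmlEncodeAttr(website)}">${htmlEncodeAttr(name)}</a>`;
}

// Hardened rendering: parse the value as a URL and only allow http(s).
// Anything else (javascript:, data:, vbscript:, unparsable input) is refused
// and the name is rendered as plain text without a link.
function safeHref(website) {
  let url;
  try {
    url = new URL(String(website).trim()); // WHATWG parser lowercases the scheme
  } catch {
    return null; // relative or garbage input: refuse rather than guess
  }
  return (url.protocol === "http:" || url.protocol === "https:") ? url.href : null;
}

function renderAuthorLinkHardened(name, website) {
  const href = safeHref(website);
  if (href === null) {
    return `<span>${htmlEncodeAttr(name)}</span>`;
  }
  return `<a href="${htmlEncodeAttr(href)}">${htmlEncodeAttr(name)}</a>`;
}

// Review-side check: which scheme would the browser see when the link is clicked?
// The browser reads the scheme from the decoded attribute value, not from the
// encoded source text, so this decodes first and then extracts the scheme.
function hrefScheme(html) {
  const m = /href="([^"]*)"/.exec(html);
  if (!m) return null;
  const decoded = m[1]
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
  const s = /^\s*([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(decoded);
  return s ? s[1].toLowerCase() + ":" : null;
}

// Constructed sample inputs mirroring the lab's two comments.
const vulnerable = renderAuthorLinkVulnerable("name 2", "javascript:alert()");
const hardened = renderAuthorLinkHardened("name 2", "javascript:alert()");
console.log(vulnerable, "->", hrefScheme(vulnerable)); // scheme: javascript:
console.log(hardened, "->", hrefScheme(hardened));     // no href at all
```

Note that a breakout attempt such as `"><script>` really is neutralised by the quote encoding, which is why the lab's fix looks convincing at first glance; the scheme check is the missing second half. Bare hostnames like `www.z3nsh3ll.ninja` are refused by `safeHref` because `new URL()` requires a scheme; a site that wants to accept them should prepend `https://` before parsing rather than relax the allow-list.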
- Step 7: After submitting the second comment containing the javascript:alert() payload, click the author's name of that second comment, "name 2". When the name is clicked, the browser reads the href value from the anchor tag. If we right-click and inspect, the HTML structure of the comment will look like this:
[HTML of the second comment, dated 01 June 2026: the author name is an anchor whose href holds the value submitted in the Website field]
This serves as proof that the XSS payload is stored on the server and rendered directly into the href without being sanitized.
The pop-up alert displays the domain. This happens because, in some modern browsers, alert() called without arguments automatically shows the domain of the page executing the script, which serves as proof that the XSS is running on the target domain.
- Step 8: Click OK on the pop-up alert, and a browser page will appear saying "Congratulations, you solved the lab!" and the lab status will also change to "Solved."