June 21, 2026
Portswigger lab Reflected XSS into a JavaScript string with angle brackets HTML encoded
Shiv Kumar
Reflected XSS (Cross-Site Scripting) is a web vulnerability where user input is immediately reflected in a web page without proper validation or encoding. An attacker can craft a malicious URL containing JavaScript code, and when a victim opens the link, the script executes in the victim's browser. This can lead to session theft, account compromise, or unauthorized actions performed on behalf of the user.
Submit a random alphanumeric string in the search box.
Observe that the random string is reflected inside a JavaScript string in the response.
Use Burp Suite to intercept the search request and send it to Burp Repeater.
Because the application HTML-encodes angle brackets, a payload that opens a new tag is neutralized. Instead, replace the input with a payload that closes the JavaScript string, injects an alert, and reopens the string so the script still parses:
Payload: '-alert(1)-'
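The reflection the steps above describe, as an added example that is not code from the original post or from PortSwigger: a hypothetical Node.js search page that reflects the query into a JavaScript string literal, rendered once with the weak encoder (angle brackets only) and once with a JavaScript-context escaper, with a stub alert() standing in for the browser.

```javascript
// Added example, not code from the original post or from PortSwigger: a hypothetical
// search page that reflects the query into a JavaScript string literal, rendered once
// with the weak encoder (angle brackets only) and once with a JS-context escaper.
// Runs under Node.js; a stub alert() stands in for the browser.

// Weak encoder: HTML-encodes < and > only, so tag-based payloads are neutralized
// but the string delimiter ' is left untouched.
function htmlEncodeAngleBrackets(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened encoder for a JS string context: every character outside a small
// safe set becomes a \uXXXX escape, so ', \, <, / and line breaks cannot end
// the literal or the <script> element.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9 ]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderVulnerable(term) {
  return "<script>var searchTerms = '" + htmlEncodeAngleBrackets(term) + "';</script>";
}

function renderHardened(term) {
  return "<script>var searchTerms = '" + jsStringEscape(term) + "';</script>";
}

function scriptBodyOf(html) {
  const m = /<script>([\s\S]*?)<\/script>/.exec(html);
  return m ? m[1] : "";
}

// Detection check: run the inline script with alert() replaced by a recorder.
// Reflected text that stays inside the literal never calls alert; a break-out
// (or a syntax error caused by the input) means the string context was escaped.
function reflectionBreaksOut(html) {
  let fired = false;
  try {
    new Function("alert", scriptBodyOf(html))(() => { fired = true; });
  } catch (e) {
    return true;
  }
  return fired;
}

// Value the script actually assigns, to confirm the hardened page keeps the data intact.
function reflectedValue(html) {
  return new Function("alert", scriptBodyOf(html) + " return searchTerms;")(() => {});
}

const labPayload = "'-alert(1)-'"; // the payload from the post
```

With the weak encoder the inline script becomes var searchTerms = ''-alert(1)-''; and the stub fires; with jsStringEscape the same input stays a plain string whose value is still '-alert(1)-'.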
Congratulations, you solved the lab!
Thanks for reading.