June 18, 2026
Cross-site scripting 9 (APPRENTICE)
Lab 11 - Reflected XSS into a JavaScript string with angle brackets HTML encoded.
Nadia
3 min read
This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function.
Solution
- Step 1: Click the orange "Access the lab" button on the lab page to open the vulnerable site.
- Step 2: Start by entering a standard HTML payload, for example Hello World wrapped in an HTML tag, into the search field. The tag does not execute: the angle brackets are HTML-encoded on the way back, so the tag shows up on the page as literal text.
This confirms that a tag-based XSS approach will not work here. Our input is not placed directly into HTML; it lands between single quotes (') as the value of a JavaScript variable, and the encoding only touches angle brackets, so a single quote passes through untouched. The way in is therefore to break out of the JavaScript string: close it early with a ' so that the rest of our input sits outside the string literal, in a position the browser parses as JavaScript code.
- Step 3: Enter z3nsh3ll in the search field (any random word will do; z3nsh3ll is not a payload) to see where the input ends up in the source. Then right-click the page and select "Inspect". The HTML source shows our input reflected inside a JavaScript string:
var searchTerms = 'z3nsh3ll';
document.write('…');
(The argument to document.write is left out of this excerpt.) Our input goes directly into the value of the searchTerms variable, enclosed in single quotes (').
- Step 4: Next, enter the payload z3nsh3ll'; alert(); in the search field. The server reflects it into the script unchanged, and the result is
var searchTerms = 'z3nsh3ll'; alert();';
document.write('…');
The alert pop-up still does not appear. The quote and semicolon that originally closed the string ('; ) are now left over after alert();, so the browser sees a new string literal that is never terminated before the end of the line. That is a syntax error, and a syntax error anywhere in a script block prevents the whole block from being parsed, so nothing in it runs, not even the alert() that comes before the error. The browser's developer console shows the error.
- Step 5: To avoid that syntax error, follow alert(); with a statement that absorbs the leftover quote, like this:
z3nsh3ll'; alert(); let myvar = 'test
The single quote (') closes the original string, ; alert(); calls the alert function as its own statement, and let myvar = 'test opens a new string literal that the closing quote from the original code now terminates, so the script is syntactically valid again.
- Step 6: Once the payload is sent, an alert pop-up appears, confirming that the XSS payload executed from within the JavaScript string context. If you click "Inspect", you can see that the server has reflected the input into the script as
var searchTerms = 'z3nsh3ll'; alert(); let myvar = 'test';
document.write('…');
- Step 7: Click OK on the alert; the message "Congratulations, you solved the lab!" appears and the lab's status changes to Solved.
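As an added illustration that is not part of the original walkthrough or the lab's source, the following JavaScript simulates the reflection described in steps 2 to 6: a template that HTML-encodes only angle brackets before dropping the search term into a single-quoted string, a runner that parses and executes each resulting script block with alert() and document.write() stubbed, and a hardened variant of the same sink for comparison. The tracker image written by document.write, the encoding function, the <b>Hello World</b> tag payload and the hardened sink are assumptions for the example, not taken from the page.

```javascript
// Added example, not the lab's own source. It simulates the server-side
// template that reflects the search term into a JavaScript string, then runs
// each payload from the walkthrough the way an inline <script> block would,
// with alert() and document.write() stubbed so nothing pops up.
//
// Assumptions (not taken from the page): the tracker image written by
// document.write, the exact encoding function, and the hardened variant.

// Assumed filter from the lab description: only '<' and '>' are HTML-encoded;
// the single quote, which delimits the JS string, is left alone.
function htmlEncodeAngleBrackets(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Vulnerable sink: the partially encoded term is dropped into a
// single-quoted string literal, so a ' in the input ends the literal early.
function renderVulnerableScript(term) {
  return (
    "var searchTerms = '" + htmlEncodeAngleBrackets(term) + "';\n" +
    "document.write('<img src=\"/tracker.gif?searchTerms=' +" +
    " encodeURIComponent(searchTerms) + '\">');"
  );
}

// Hardened sink: emit the value as a JSON string literal (quotes and
// backslashes escaped) and additionally escape '<' and '>' as \u00XX so the
// value can never close the <script> element either. This protects the JS
// string context regardless of what the HTML encoder did upstream.
function renderHardenedScript(term) {
  const literal = JSON.stringify(term)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return (
    "var searchTerms = " + literal + ";\n" +
    "document.write('<img src=\"/tracker.gif?searchTerms=' +" +
    " encodeURIComponent(searchTerms) + '\">');"
  );
}

// Parses and executes a script body with alert/document stubbed.
// parsed=false means the browser would have rejected the whole block with a
// SyntaxError before executing any of it (so no alert, even if one appears
// earlier in the block than the error).
function runScript(src) {
  let alertCalls = 0;
  let fn;
  try {
    fn = new Function("alert", "document", src + "\nreturn searchTerms;");
  } catch (e) {
    if (e instanceof SyntaxError) {
      return { parsed: false, alertCalls: 0, searchTerms: undefined };
    }
    throw e;
  }
  const searchTerms = fn(() => { alertCalls++; }, { write() {} });
  return { parsed: true, alertCalls, searchTerms };
}

// The walkthrough's inputs, plus a constructed tag payload standing in for
// the one used in step 2.
const PAYLOADS = {
  tag: "<b>Hello World</b>",
  plain: "z3nsh3ll",
  unbalanced: "z3nsh3ll'; alert();",
  balanced: "z3nsh3ll'; alert(); let myvar = 'test",
};

// Runs every payload through one renderer and reports what happened.
function analyze(render) {
  const out = {};
  for (const [name, term] of Object.entries(PAYLOADS)) {
    out[name] = runScript(render(term));
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", analyze(renderVulnerableScript));
  console.log("hardened:  ", analyze(renderHardenedScript));
}
```

Against the vulnerable renderer the tag payload parses but fires nothing (the angle brackets come back as &lt; and &gt; inside the string), the unbalanced payload from step 4 is a SyntaxError and so never reaches alert(), and the balanced payload from step 5 parses and calls alert() exactly once. Against the hardened renderer every payload parses, none calls alert(), and searchTerms holds the raw input, quotes and tags included. The simulation only covers the JavaScript context: it has no HTML parser, so a </script> breakout is something the hardened renderer defends against but this harness cannot exercise.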