June 13, 2026
Cross-site scripting 1 (APPRENTICE)
Lab 3 - Reflected XSS into HTML context with nothing encoded.
Nadia
2 min read
This lab contains a simple reflected cross-site scripting vulnerability in the search functionality. To solve the lab, perform a cross-site scripting attack that calls the alert function.
Solution
1. Step 1: Click the orange "Access the lab" button on the home page.
2. Step 2: First, enter a common keyword into the search box, for example "mysearchterm", and click "Search." The URL will then change to end in ?search=mysearchterm, and the page will display "0 search results for 'mysearchterm'." From this we can conclude that the input we entered is reflected directly on the web page, indicating a potential reflected XSS vulnerability.
But before going further, you should first understand what a reflected XSS is. It is a type of attack where a malicious script is reflected from the server back to the victim's browser through unsanitized input. This is dangerous for the victim because the attacker can steal the victim's session cookies (and log in as the victim), perform phishing, redirect the victim to a malicious site, and more.
3. Step 3: So, since we already know that the input is rendered directly on the page, what we need to find out next is whether HTML tags are also interpreted. In the search bar, type the HTML tag:
<h1>My search term</h1>
then click "Search." After that, right-click and select "Inspect", and you can see in the image below the section
0 search results for '<h1>My search term</h1>'
The input is not encoded but goes directly into the DOM as a real HTML element. (The DOM, Document Object Model, is a tree-like representation of the HTML page structure that the browser and JavaScript can read and manipulate. If our input can enter the DOM without filtering, we can inject any element, including malicious scripts.) If the server applied the correct encoding, the page would show the literal text <h1>My search term</h1> (the angle brackets sent to the browser as &lt; and &gt;), but that's not the case here: the <h1> tag is rendered directly by the browser.
If you look at the URL, it has now changed to "https://0af400d1045d699c82e56af9009f0061.web-security-academy.net/__?search=<h1>My+search+term<%2Fh1>". The %2F is the URL encoding of the / character in the closing tag, and the spaces have become + signs; this is only how the browser transports the input in the query string, and the server reflects it back decoded and unencoded.
4. Step 4: Then all you need to do is enter the XSS payload <script>alert()</script> into the search box and click "Search." The URL will then change to "https://0af400d1045d699c82e56af9009f0061.web-security-academy.net/__?search=" followed by the URL-encoded payload (you can see it in the image in step 5).
[Image: XSS Payload Injection (<script> alert() </script>)]
5. Step 5: After that, the browser immediately displays an alert dialog from the lab domain, which proves the script was executed successfully.
6. Step 6: Click "OK" on the alert pop-up, and a message will appear saying "Congratulations, you solved the lab!" The status will then change to "Solved."
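To make the encoding point from steps 2 to 4 concrete, here is an added Python example (not the lab's code and not PortSwigger's): a constructed stand-in for the search page that reflects the term with nothing encoded, beside the fixed version that HTML-encodes it, plus the step-3 probe check that tells the two apart and a helper showing why the / of the closing tag appears as %2F in the query string. The template string, the hypothetical base URL and the probe value are all constructed for the example.

```python
import html
from urllib.parse import urlencode

# Constructed stand-in for the lab's results page (not the real lab markup).
PAGE_TEMPLATE = "<h1>0 search results for '{term}'</h1>"


def render_vulnerable(term: str) -> str:
    """Reflect the search term with nothing encoded: the defect the lab demonstrates.
    Any <h1> or <script> in the term becomes a live element in the DOM."""
    return PAGE_TEMPLATE.format(term=term)


def render_fixed(term: str) -> str:
    """Reflect the search term after HTML-encoding it, so < and > reach the
    browser as &lt; and &gt; and are displayed as text instead of parsed as tags."""
    return PAGE_TEMPLATE.format(term=html.escape(term, quote=True))


def reflects_raw_markup(render, probe: str = "<h1>xss-probe</h1>") -> bool:
    """The step-3 check: submit a harmless tag and see whether it comes back
    byte-for-byte (live markup, True) or encoded (inert text, False)."""
    return probe in render(probe)


def search_url(base: str, term: str) -> str:
    """Build the GET URL the search form submits; urlencode turns spaces into +
    and encodes / as %2F, which is why the closing tag shows up as <%2Fh1>."""
    return f"{base}/?{urlencode({'search': term})}"


if __name__ == "__main__":
    term = "<h1>My search term</h1>"
    print(search_url("https://lab.example", term))   # hypothetical base URL
    print("vulnerable:", render_vulnerable(term))
    print("fixed:     ", render_fixed(term))
    print("raw reflection (vulnerable):", reflects_raw_markup(render_vulnerable))
    print("raw reflection (fixed):     ", reflects_raw_markup(render_fixed))
```

The check in reflects_raw_markup is deliberately a harmless heading tag rather than a script: on your own application it is enough to confirm that markup survives the round trip unencoded, which is the condition that makes the reflected parameter exploitable. Note that urlencode encodes < and > as well (%3C and %3E); a browser's address bar shows those characters decoded, which is why the page's URL in step 3 reads <h1> but still shows %2F.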