Level 7: Reflected XSS into attribute with angle brackets HTML-encoded
Objective
This lab contains a reflected cross-site scripting vulnerability in the blog's search functionality, where angle brackets (< and >) are HTML-encoded.
To solve the lab, craft an XSS payload that injects a new attribute into an HTML tag and calls the alert() function when triggered.
Explanation
In this scenario, the application reflects the search input directly into an HTML attribute, but with a twist: angle brackets are encoded (< becomes &lt;, > becomes &gt;), which prevents direct HTML injection such as a <script> tag.
However, since the context is inside an HTML attribute, and quotes are not encoded, we can break out of the attribute value and inject our own.
This is a classic attribute injection XSS: by closing the existing value with a quote (") and appending a new attribute like onmouseover="alert('XSS')" to an element (e.g., <div> or <img>), we can execute arbitrary JavaScript.
Resolution
Perform any search, for example:
?search=test
Then modify the URL parameter search with the following payload:
?search=test"onmouseover="alert('XSS test')
Paste the modified URL into the browser and press enter. When you hover over the affected element, the alert() will be triggered.
The lab is marked as solved once the alert() successfully pops up.
Mitigation
To prevent this type of XSS vulnerability:
- Always properly sanitize and encode user input before inserting it into HTML attributes. Use context-sensitive encoding:
  - Use HTML attribute encoding when injecting data into attribute values.
- Implement a Content Security Policy (CSP) to reduce the impact of XSS attacks.
- Avoid using user input directly in your HTML. Instead, use safe DOM manipulation methods or server-side rendering with proper escaping.
- Consider using a modern JavaScript framework that automatically handles output encoding.
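The following is an added example, not the lab's own code, that puts the Explanation and Mitigation sections side by side: a render function that encodes only angle brackets (the lab's behaviour), and a hardened one that applies full HTML attribute encoding with Python's html.escape(quote=True). A small attribute scanner, which like a browser's tokenizer does not require whitespace between attributes, shows why the quote breakout adds an onmouseover handler in the first case and not in the second. The function names, the input template and the sample search term are assumptions constructed for this example.

```python
# Added example (not from the lab): angle-bracket-only encoding versus
# attribute-context encoding for a search term reflected into value="...".
import html
import re

# Constructed sample in the same shape as the walkthrough's payload.
SAMPLE_TERM = 'test"onmouseover="alert(\'XSS test\')'


def render_search_vulnerable(term: str) -> str:
    """Reflects the term with only < and > encoded, as the lab does.
    Double quotes pass through, so the attribute value can be terminated
    and a new attribute appended."""
    partial = term.replace("<", "&lt;").replace(">", "&gt;")
    return f'<input type="text" name="search" value="{partial}">'


def render_search_hardened(term: str) -> str:
    """Applies HTML attribute encoding: html.escape(quote=True) also turns
    " into &quot; and ' into &#x27;, so the value can no longer be closed."""
    encoded = html.escape(term, quote=True)
    return f'<input type="text" name="search" value="{encoded}">'


def attribute_names(markup: str) -> list:
    """Crude scanner for double-quoted attributes. Like a browser tokenizer
    it accepts an attribute name directly after a closing quote, which is
    exactly what the breakout relies on."""
    return re.findall(r'([a-zA-Z][\w-]*)="[^"]*"', markup)


def has_event_handler(markup: str) -> bool:
    """True when any attribute name begins with 'on' (inline event handler)."""
    return any(name.lower().startswith("on") for name in attribute_names(markup))


if __name__ == "__main__":
    for label, render in (("vulnerable", render_search_vulnerable),
                          ("hardened", render_search_hardened)):
        out = render(SAMPLE_TERM)
        print(f"{label}: {out}")
        print(f"  attributes: {attribute_names(out)}")
        print(f"  inline handler present: {has_event_handler(out)}")
```

Running the script prints the vulnerable markup with four attributes (the fourth being onmouseover) and the hardened markup with only type, name and value, the whole term sitting inertly inside the original value. The same html.escape call is the correct choice for any server-side template that places untrusted data inside a quoted attribute; it is not sufficient for unquoted attributes, URL attributes such as href, or JavaScript contexts, which need their own encoders.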