Level 8: Stored XSS into anchor href attribute with double quotes HTML-encoded

Objective

Exploit a stored XSS vulnerability by injecting malicious JavaScript into the href attribute of a comment author's name.

Explanation

This lab demonstrates a stored XSS vulnerability where user input is inserted into an anchor (<a>) tag's href attribute. Double quotes are HTML-encoded, so the attacker cannot break out of the attribute, but the URL scheme itself is never validated. This allows attackers to supply javascript: URLs that execute when the link is clicked.

Resolution

  1. Navigate to any blog post.

  2. Submit a comment with any content, but in the Name field enter:

     javascript:alert('XSS test')

  3. Fill the remaining fields with any value and submit the comment.

  4. Once the comment is posted, click on the name you provided.

  5. The alert box will appear, confirming the XSS was successful and the lab is completed.

Mitigation

  • Disallow dangerous URI schemes like javascript: in user-supplied href attributes. Only allow safe protocols (e.g., https, mailto).

  • Sanitize and validate all user input, especially in places where it will be used as an attribute value.

  • Use proper context-aware escaping (HTML attribute encoding) before rendering user input in attributes.

  • Implement a strong Content Security Policy (CSP) to limit the execution of inline scripts.
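The first three mitigations combined in one server-side rendering routine, as an added example (not the lab's own code): the supplied URL is parsed, its scheme checked against an allowlist, and both the URL and the name are attribute-encoded before the link is emitted. The site origin is a placeholder, used only as the base for resolving relative links.

```javascript
// Placeholder origin used as the base for relative links (assumption).
const SITE_ORIGIN = "https://example.invalid";
// Only these schemes may appear in a user-supplied href.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Resolve the user-supplied string as a URL and accept it only if its
// scheme is on the allowlist. The WHATWG URL parser lowercases the scheme
// and strips tabs/newlines, so the check sees the canonical form.
function safeHref(userUrl) {
  const raw = String(userUrl ?? "").trim();
  if (raw === "") return null; // empty website field: render no link
  let parsed;
  try {
    parsed = new URL(raw, SITE_ORIGIN);
  } catch {
    return null; // unparseable input: render no link at all
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Encode for an HTML attribute value: not only double quotes (the lab's
// insufficient fix) but every character that can change the context.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render the comment author: a link only when the URL passed the
// allowlist, plain text otherwise. Both values are encoded on output.
function renderAuthor(name, website) {
  const href = safeHref(website);
  const text = escapeAttr(name);
  if (href === null) return `<span class="author">${text}</span>`;
  return `<a class="author" href="${escapeAttr(href)}">${text}</a>`;
}
```

With this in place the lab payload is rendered as plain text rather than as a clickable link, while ordinary https and mailto addresses still work.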
