search

Level 9: Reflected XSS into a JavaScript string with angle brackets HTML encoded

hashtag
Objective

Exploit a reflected XSS vulnerability by injecting JavaScript into a string context and triggering an alert.

hashtag
Explanation

This lab includes a reflected XSS vulnerability where user input is reflected inside a JavaScript string within a <script> tag. Although angle brackets (< and >) are encoded, this doesn't protect against JavaScript injection if the input is placed inside a string context (e.g., surrounded by quotes).

hashtag
Resolution

  1. Perform any search on the page (e.g., test).

  2. Open Developer Tools and look at the page source.

  3. You'll see your input is reflected inside a JavaScript string, something like:

var searchTerm = 'test';

  1. Inject the following payload into the search box:

'-alert("XSS test")-'

  1. When the page reloads, the script will be interpreted as:

var searchTerm = ''-alert("XSS test")-'';

and your alert will trigger, completing the lab.

hashtag
Mitigation

To prevent this type of vulnerability:

  • Escape user input properly for JavaScript context, not just HTML. Use libraries or frameworks that safely handle data injection into scripts.

  • Avoid injecting user input into scripts altogether. Place data into HTML and access it via data- attributes or JSON.parse.

  • Implement Content Security Policy (CSP) to block inline scripts and reduce XSS risk.

  • Validate and sanitize all incoming data before reflecting it in the response.

PreviousLevel 8: Stored XSS into anchor href attribute with double quotes HTML-encodedNextAccess Control Vulnerabilities

Last updated