Category: PortSwigger - Reflected Cross-Site Scripting (RXSS)
💡Description:
This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function.
💡Lab Answer:
First, we check the search bar by entering some random text:

- We noticed that after searching for `Test` in the search bar, the following script code appears in the page source:

```javascript
var searchTerms = 'Test';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
```
- The code snippet demonstrates how user input is used to construct an HTML `img` element with a source attribute (`src`).
- Let’s break down the code step by step:
  - `document.write(...)`: The `document.write()` function is used to dynamically generate and insert content into the HTML document. In this case, the code generates an `img` element and appends it to the document.
  - `searchTerms='+encodeURIComponent(searchTerms)+'"`: This part of the URL is where the JavaScript variable `searchTerms` is included in the `src` attribute. Here’s what’s happening:
    - `searchTerms=`: This is a query parameter in the URL.
    - `encodeURIComponent(searchTerms)`: The value of the `searchTerms` variable is URL-encoded using the `encodeURIComponent()` function. URL encoding is necessary to ensure that special characters, spaces, and other URL-unsafe characters are properly represented in the URL.
    - `'+ ... +'`: This part concatenates the encoded value of `searchTerms` to the URL.
- According to this XSS documentation, when the possible XSS is inside JavaScript code, we can use this payload:

```
'-alert(1)-'
```
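The reflection above, as an added example that is not part of the original write-up or the lab's own code: it renders the `var searchTerms = '...'` line with an encoder that only handles angle brackets (an assumption modelled on the lab description) and with a JavaScript-string escaper, then evaluates both with a stub `alert`. The function names `encodeAngleBracketsOnly`, `escapeForJsString`, `renderTrackerScript`, `evaluate` and `compare` are hypothetical, and the sample inputs are constructed.

```javascript
// Added example. Models the lab's server-side reflection (assumed behaviour).
// Weak encoder: only angle brackets are HTML-encoded, as the lab describes.
function encodeAngleBracketsOnly(input) {
  return input.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Hardened encoder for a JavaScript string-literal context: every UTF-16 code
// unit that is not ASCII alphanumeric becomes a \uXXXX escape, so quotes,
// backslashes, line terminators and "</script>" cannot terminate the literal.
function escapeForJsString(input) {
  return input.replace(/[^A-Za-z0-9]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Build the first line of the inline script as it appears in the page source.
function renderTrackerScript(searchTerm, encoder) {
  return "var searchTerms = '" + encoder(searchTerm) + "';";
}

// Run the rendered script with a stub alert() and report what happened.
function evaluate(script) {
  const alertCalls = [];
  try {
    const run = new Function('alert', script + '\nreturn searchTerms;');
    const value = run((arg) => { alertCalls.push(arg); });
    return { value, alertCalls, error: null };
  } catch (e) {
    return { value: undefined, alertCalls, error: e.name };
  }
}

// Constructed inputs: a benign term, the page's payload, and edge cases.
const samples = ['Test', "'-alert(1)-'", 'back\\slash', 'line\nbreak', '</script>'];

function compare(input) {
  return {
    weak: evaluate(renderTrackerScript(input, encodeAngleBracketsOnly)),
    hardened: evaluate(renderTrackerScript(input, escapeForJsString)),
  };
}

for (const s of samples) {
  const { weak, hardened } = compare(s);
  console.log(JSON.stringify(s), '| weak alert calls:', weak.alertCalls.length,
    'error:', weak.error, '| hardened round-trips:', hardened.value === s);
}
```

With the weak encoder the payload closes the string literal and `alert` runs as an operand of the subtraction; with the escaper the same input stays inside the literal and round-trips unchanged.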

🎉Congratulations

