Reflected XSS into a JavaScript String with Angle Brackets and Double Quotes HTML-Encoded and Single Quotes Escaped

Objective

  1. After the landing page is loaded, go to the search box on the website.

  2. Submit a random alphanumeric string in the search box.

  3. Observe that the random string has been reflected inside a JavaScript string.

  4. Go to Burp's HTTP history and send the relevant request to Burp Repeater.

  5. Now submit a basic XSS payload, but add a single quote at the beginning of it to close the string.

  6. Observe that the single quote (') has been escaped with a backslash (\), as in the following example.

  7. However, the developer who implemented the logic made a huge mistake and forgot to escape the backslash (\) character itself, which means you can escape the backslash by using another backslash. After that, the single quote acts as the string terminator and causes the alert() function to be called.

  8. Inject the following payload (or a similar one). Observe that your payload has escaped from the string literal.

    And the lab should have been solved.

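The mistake in step 7 comes down to escaping order: a filter that handles the quote but not the backslash lets user input neutralise its own escaping. The example below is added here and is not code from the lab or from PortSwigger; it models the weak escaper the lab describes beside a corrected one, and uses a round-trip check to show which inputs break out of the literal. The `var searchTerms = '...'` template is an assumed shape for the reflected script, and `buildScript` / `literalSurvives` are names invented for this example. It runs under Node.js.

```javascript
// Added example (not from the original write-up): the escaping mistake the lab
// describes, beside a corrected escaper, with a round-trip check that tells
// them apart. Runs under Node.js; no network or browser needed.

// Weak escaper modelled on the lab's behaviour: only the single quote is
// escaped, so a backslash in the input survives untouched and can cancel
// the backslash the filter adds.
function escapeSingleQuotesOnly(s) {
  return s.replace(/'/g, "\\'");
}

// Corrected escaper: backslashes are escaped FIRST (otherwise the backslash
// added for the quote would itself be doubled), then quotes, then the
// line terminators that would also end a JS string literal.
function escapeForSingleQuotedLiteral(s) {
  return s
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Assumed shape of the reflected script: the search term is dropped into a
// single-quoted literal inside a <script> block.
function buildScript(escapeFn, input) {
  return "var searchTerms = '" + escapeFn(input) + "';";
}

// Round-trip check: compile the generated script and see whether the literal
// still holds exactly the original input. A SyntaxError (the literal ended
// early and left dangling code) or a changed value means the input escaped
// the string, which is the condition the lab exploits.
function literalSurvives(escapeFn, input) {
  try {
    const fn = new Function(buildScript(escapeFn, input) + " return searchTerms;");
    return fn() === input;
  } catch (e) {
    return false;
  }
}

// Constructed inputs: plain text, a lone quote, and the backslash-plus-quote
// case from step 7 of the write-up.
const samples = ["plain text", "it's", "\\'", "a\nb"];
for (const s of samples) {
  console.log(JSON.stringify(s),
    "weak:", literalSurvives(escapeSingleQuotesOnly, s),
    "fixed:", literalSurvives(escapeForSingleQuotedLiteral, s));
}
```

The weak escaper survives `it's` but fails on `\'` and on a raw newline, which is exactly the class of input a quote-only filter was never designed for. In practice, prefer not to hand-roll this at all: emit the value with `JSON.stringify` into a double-quoted context, or put it in a data attribute and read it from the DOM, and keep HTML-encoding angle brackets so a `</script>` sequence cannot close the block.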