Reflected XSS into a JavaScript String with Angle Brackets HTML Encoded
XSS Apprentice

Reflected XSS into a JavaScript String with Angle Brackets HTML Encoded

İbrahim Taha İstikbal
İbrahim Taha İstikbal

Objective

  1. After the landing page is loaded, go to searchbox in the website.

  2. Submit a random alphanumeric string in the search box.

  3. Observe that the random string has been reflected inside a JavaScript string.

  4. Go to the Burp’s HTTP history and send the relevant request to the Burp Repeater.

  5. In order to solve the lab, you need to terminate the string with the <script/> tag.

You can choose one from the below methods to use for solving the lab.

Ways to Do It

  • Using the ‘-‘ and ‘+’ characters in order to concat the paylaod with the actual string. 
      input1 = '-alert(1)-' 


      input2 = '+alert(1)+'

  • Terminating the string with single quote, calling alert() function and commenting out the rest of the line. 
      input3 = ';alert(document.domain)//'

Reflected XSS into a JavaScript String with Angle Brackets HTML Encoded
Prev post

Reflected XSS into a Javascript String with Angle Brackets and Double Quotes Html-Encoded and Single Quotes Escaped
Next post

Reflected XSS into a JavaScript String with Single Quote and Backslash Escaped

Reflected XSS into a JavaScript String with Angle Brackets HTML Encoded

You may also like

See all XSS
Reflected XSS with AngularJS expression escape and CSP
XSS Expert

Reflected XSS with AngularJS expression escape and CSP

The first step of the payload is to set the location property which is a built-in JavaScript object that represents the URL of the current page, and setting it to a new URL is constructed using a template string that includes the following components...

İbrahim Taha İstikbal
İbrahim Taha İstikbal
Reflected XSS with AngularJS Sandbox Escape without Strings
XSS Expert

Reflected XSS with AngularJS Sandbox Escape without Strings

View the page source and observe that your canary is between the angularJS script. Remember that you are dealing with angularJS sandbox, that means regular attack vectors are not going to work. For being able to deliver a successfull XSS attack you have to bypass the angularJS sandbox.

İbrahim Taha İstikbal
İbrahim Taha İstikbal
Stored XSS into Onclick Event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
XSS Practitioner

Stored XSS into Onclick Event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped

Try to inject another input to the Website input field. But this time make sure you use single quotes in your input, then observe single quotes has been escaped by backslash.

İbrahim Taha İstikbal
İbrahim Taha İstikbal