Reflected XSS into a Template Literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
XSS Practitioner

Reflected XSS into a Template Literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped

İbrahim Taha İstikbal
İbrahim Taha İstikbal

Objective

  1. After the landing page is loaded, go to searchbox in the website.

  2. Submit a random alphanumeric string in the search box.

  3. Observe that the random string has been reflected between javascript template literals.

    What is a template literal

    Go to the resource !

    Here is the real deal, your input is inside the template literals and that means it is possible to inject embedded expressions via using ${} syntax. Also remember that single quotes are just normal characters inside of literals(`), due to that your input is going to work like a charm.

  4. Inject the following payload:

  5. Hit the search button.

  6. Also observe that your input successfully implemented between the template literals.

  7. Click OK button or refresh the page and lab instance should have been solved.

Reflected XSS into a Template Literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
Prev post

Reflected XSS into a JavaScript String with Single Quote and Backslash Escaped
Next post

Reflected XSS into Attribute with Angle Brackets HTML-Encoded

Reflected XSS into a Template Literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped

You may also like

See all XSS
Reflected XSS with AngularJS expression escape and CSP
XSS Expert

Reflected XSS with AngularJS expression escape and CSP

The first step of the payload is to set the location property which is a built-in JavaScript object that represents the URL of the current page, and setting it to a new URL is constructed using a template string that includes the following components...

İbrahim Taha İstikbal
İbrahim Taha İstikbal
Reflected XSS with AngularJS Sandbox Escape without Strings
XSS Expert

Reflected XSS with AngularJS Sandbox Escape without Strings

View the page source and observe that your canary is between the angularJS script. Remember that you are dealing with angularJS sandbox, that means regular attack vectors are not going to work. For being able to deliver a successfull XSS attack you have to bypass the angularJS sandbox.

İbrahim Taha İstikbal
İbrahim Taha İstikbal
Stored XSS into Onclick Event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
XSS Practitioner

Stored XSS into Onclick Event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped

Try to inject another input to the Website input field. But this time make sure you use single quotes in your input, then observe single quotes has been escaped by backslash.

İbrahim Taha İstikbal
İbrahim Taha İstikbal