Reflected XSS into Attribute with Angle Brackets HTML-Encoded
XSS Apprentice

Reflected XSS into Attribute with Angle Brackets HTML-Encoded

İbrahim Taha İstikbal
İbrahim Taha İstikbal

Objective

  1. Submit a random alphanumeric string in the search box.

  2. Go to the Burp’s HTTP History and send that request to Burp Repeater.

  3. Observe that the random string has been reflected inside a quoted attribute.

  4. Now, try to inject a common XSS payload but in the background HTML tags are encoded as following:

Despite of that, our input is used in the HTML attribute so it may possible to use this field as an attack surface.

Crafting the paylaod

You need to escape the quoted attribute and inject an event handler. In order to that examine the following process and implement it:

value = input
input = "autofocus onfocus=alert(document.domain) x="
result -> ""autofocus onfocus=alert(document.domain) x=""

As a result, you have defined a new attribute and closed the existing one without trouble.

Time to test the paylaod

Enter the payload in the search field that you crafted previously.

Press the enter

You should have been solved the lab.

Reflected XSS into Attribute with Angle Brackets HTML-Encoded
Prev post

Reflected XSS into a Template Literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
Next post

Reflected XSS into HTML context with all tags blocked except custom ones

Reflected XSS into Attribute with Angle Brackets HTML-Encoded

You may also like

See all XSS
Reflected XSS with AngularJS expression escape and CSP
XSS Expert

Reflected XSS with AngularJS expression escape and CSP

The first step of the payload is to set the location property which is a built-in JavaScript object that represents the URL of the current page, and setting it to a new URL is constructed using a template string that includes the following components...

İbrahim Taha İstikbal
İbrahim Taha İstikbal
Reflected XSS with AngularJS Sandbox Escape without Strings
XSS Expert

Reflected XSS with AngularJS Sandbox Escape without Strings

View the page source and observe that your canary is between the angularJS script. Remember that you are dealing with angularJS sandbox, that means regular attack vectors are not going to work. For being able to deliver a successfull XSS attack you have to bypass the angularJS sandbox.

İbrahim Taha İstikbal
İbrahim Taha İstikbal
Stored XSS into Onclick Event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
XSS Practitioner

Stored XSS into Onclick Event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped

Try to inject another input to the Website input field. But this time make sure you use single quotes in your input, then observe single quotes has been escaped by backslash.

İbrahim Taha İstikbal
İbrahim Taha İstikbal