Reflected XSS into HTML context with nothing encoded
XSS Apprentice

Reflected XSS into HTML context with nothing encoded

İbrahim Taha İstikbal
İbrahim Taha İstikbal

Objective

Write a basic alert script in the box, like the following and click the search button.

This will pop an alert on the page.

Also if you view the page source you can see our payload.

Reflected XSS into HTML context with nothing encoded
Prev post

Reflected XSS into HTML Context with most tags and attributes blocked
Next post

Reflected XSS with Event Handlers and href Attributes Blocked

Reflected XSS into HTML context with nothing encoded

You may also like

See all XSS
Reflected XSS with AngularJS expression escape and CSP
XSS Expert

Reflected XSS with AngularJS expression escape and CSP

The first step of the payload is to set the location property which is a built-in JavaScript object that represents the URL of the current page, and setting it to a new URL is constructed using a template string that includes the following components...

İbrahim Taha İstikbal
İbrahim Taha İstikbal
Reflected XSS with AngularJS Sandbox Escape without Strings
XSS Expert

Reflected XSS with AngularJS Sandbox Escape without Strings

View the page source and observe that your canary is between the angularJS script. Remember that you are dealing with angularJS sandbox, that means regular attack vectors are not going to work. For being able to deliver a successfull XSS attack you have to bypass the angularJS sandbox.

İbrahim Taha İstikbal
İbrahim Taha İstikbal
Stored XSS into Onclick Event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
XSS Practitioner

Stored XSS into Onclick Event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped

Try to inject another input to the Website input field. But this time make sure you use single quotes in your input, then observe single quotes has been escaped by backslash.

İbrahim Taha İstikbal
İbrahim Taha İstikbal