Try to inject another input to the Website input field. But this time make sure you use single quotes in your input, then observe single quotes has been escaped by backslash.
The replace() method searches a string for a value or a regular expression. The replace() method returns a new string with the value(s) replaced. Critical point is, replace() method only replaces the given string(s) first occurence.
As the lab dictates you can observe this payload gets blocked. You need to find a valid tag in order to deliver a successfull attack. One way to do this is testing the tags manually one by one or you can choose a better way which is fuzzing the tag names with Burp Intruder.
Try to inject a usual alert() script such as but it is not going to work. Because website has WAF(Web Application Firewall), so you need to figure out how to bypass it.
From the lab description you can understand all tags are blocked. However, it might be possible to craft custom tags and use it to create a successfull payload.
Here is the real deal, your input is inside the template literals and that means it is possible to inject embedded expressions via using ${} syntax. Also remember that single quotes are just normal characters inside of literals(`), due to that your input is going to work like a charm.
This time, try sending the previous payload by adding single quote to beginning of it. Also know that, this technique is used for breaking out of the string, however your single quote is going to get backslashed-escaped.
However, developer who implemented the logic made a huge mistake and forgot to escape the backslash(\) characters itself, so that means you can escape backslash by using another backslash. After that single quote will be used as string terminator and it will caused alert() function to be called.
A canonical URL is the URL of the best representative page from a group of duplicate pages, according to Google. For example, if you have two URLs for the same page (such as example.com? dress=1234 and example.com/dresses/1234 ), Google chooses one as canonical.
Either open the searchResults.js file from the Sitemap, or after you landed on the home page view the page source and click to searchResults.js link. Examine the javascript code and observe that this.response(response text) passed into the eval() function call.
So it is time to taking the next step which is exploiting the vulnerability. Basically, you can use the fetch API to cause DNS resolving and sending a HTTP request to your exploit server(in this case burp collaborator) for the users who visits the blogpage.
You can also examine the username and password field by going back to blogpost. Now, only thing you need to do is waiting for the user interaction.
Observe that your canary is between the option tags, for that reason you need to escape from the options tags in order to deliver a successfull XSS attack.
Ng-app directive has been used so it is possible to use angular expressions. First of all, you need to determine the version of angularJS inorder to use right payload.