# 17) Reflected XSS in canonical link tag

<div align="left"><figure><img src="/files/kP3H0GBWwOufE8lS4e0K" alt=""><figcaption></figcaption></figure></div>

This lab demonstrates that a cross-site scripting attack vector can exist on an element that is not visible to the user.

For example, elements inside the `head` tag are not displayed on the page, so even if we manage to put an `onclick` listener on such an element, the user never sees it on the page to click on it.

#### Locate possible injection points

As usual, the first step is to analyse the application. We don't have a search functionality. Opening the devtools, we find that the URL is reflected in a `link` tag in the head.

<div align="left"><figure><img src="/files/20Zeyrwv1vWygtMvgzy6" alt=""><figcaption></figcaption></figure></div>

So we have a link tag that we can inject XSS payloads into. Let's try to escape the `href` attribute and add an `onclick` event.

<div align="left"><figure><img src="/files/Z2vo8dsEjL5XF2wRuqqh" alt=""><figcaption></figcaption></figure></div>

Let's make some modifications:

```
https://0a6800df03a9ab0c81ea02ea00ca00d0.web-security-academy.net/?'onclick='alert(1)
```

<div align="left"><figure><img src="/files/D4Z49UdlabJgq8zcMw5Y" alt=""><figcaption></figcaption></figure></div>

But how is this event going to be fired if the element is not visible on the page?

It can be fired by using **`html accesskeys`**.

### <mark style="color:blue;">HTML AccessKeys</mark>

An access key is a keyboard shortcut for clicking on a certain element. Its behaviour depends on the browser and the operating system used, since not all browsers support access keys. Access keys are added as an attribute:

```
https://0a6800df03a9ab0c81ea02ea00ca00d0.web-security-academy.net/?'accesskey='x'onclick='alert(1)
```

This sets the `X` key as an access key for the whole page. When a user presses the access key, the `alert` function is called.

<div align="left"><figure><img src="/files/HHhby9dF65KYFYTnTecU" alt=""><figcaption></figcaption></figure></div>

To trigger the exploit on yourself, press one of the following key combinations:

* On Windows: `ALT+SHIFT+X`
* On MacOS: `CTRL+ALT+X`
* On Linux: `Alt+X`

I am using Windows, so when I press `ALT+SHIFT+X` the alert is triggered.

<div align="left"><figure><img src="/files/zY30KeF5r0KhueYZmhaw" alt=""><figcaption></figcaption></figure></div>

And the lab is solved.

<div align="left"><figure><img src="/files/wPZQ7dxKTXtL9ygit3xC" alt=""><figcaption></figcaption></figure></div>
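To see why the breakout works and what closes it, here is an added example (not the lab's server code, which is not visible) that builds the canonical tag the vulnerable way and a hardened way, then lists the attributes a parser would find in each. The function names and the `https://lab.example` origin are assumptions made for illustration; the payload is the one used above.

```javascript
// Hypothetical helpers for illustration; names and origin are assumptions.

// Vulnerable pattern: the request URL lands in a single-quoted href
// without encoding, so a ' in the query string closes the attribute.
function canonicalVulnerable(origin, pathAndQuery) {
  return `<link rel="canonical" href='${origin}${pathAndQuery}'/>`;
}

// Encode every character that can end or confuse an attribute value.
function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Hardened pattern: same reflection, but attribute-encoded.
// (Building the canonical URL from the server's own route instead of
// the raw request URL removes the reflection entirely.)
function canonicalHardened(origin, pathAndQuery) {
  return `<link rel="canonical" href="${escapeAttr(origin + pathAndQuery)}"/>`;
}

// Small attribute scanner: returns the attribute names found in one tag.
// Like a browser, it accepts a new attribute directly after a closing quote.
function attributeNames(tag) {
  const re = /([^\s"'<>\/=]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>]+)/g;
  return [...tag.matchAll(re)].map((m) => m[1].toLowerCase());
}

// Flag attributes that should never appear on a canonical link tag.
function unexpectedAttributes(tag) {
  const allowed = new Set(["rel", "href"]);
  return attributeNames(tag).filter((name) => !allowed.has(name));
}

// Constructed sample input: the query string from the writeup.
const samplePath = "/?'accesskey='x'onclick='alert(1)";
const sampleOrigin = "https://lab.example";

console.log(unexpectedAttributes(canonicalVulnerable(sampleOrigin, samplePath)));
console.log(unexpectedAttributes(canonicalHardened(sampleOrigin, samplePath)));
```

With the encoded version the quotes arrive as `&#39;` inside the `href` value, so no `accesskey` or `onclick` attribute is ever created.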
