17) Reflected XSS in canonical link tag

This lab demonstrates how a cross-site scripting attack vector can exist on an element that is not visible to the user. For example, elements inside the head tag are not displayed on the page, so even if we manage to attach an onclick listener to such an element, the user never sees it on the page and cannot click it.
Locate possible injection points
As usual, the first step is to analyse the application. There is no search functionality, but opening the devtools we find that the URL is reflected in a link tag inside the head.

So we have a link tag that we can inject XSS payloads into. Let's try to escape the href attribute and add an onclick event.

Let's modify the URL:
https://0a6800df03a9ab0c81ea02ea00ca00d0.web-security-academy.net/?'onclick='alert(1)

But how is this event going to fire if the element is not visible on the page? It can, by using HTML accesskeys.
HTML AccessKeys
An access key is a keyboard shortcut for activating (clicking) a certain element. Its behaviour depends on the browser and the operating system, since not all browsers support access keys. Access keys are added as an attribute:
https://0a6800df03a9ab0c81ea02ea00ca00d0.web-security-academy.net/?'accesskey='x'onclick='alert(1)
This sets the X key as an access key for the whole page. When a user presses the access key, the alert function is called.
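As an added example (not the lab's or PortSwigger's code), here is the server-side pattern that produces this bug beside its fix, plus a small check that flags unexpected attributes in the rendered tag; the origin https://example.test and all function names are assumptions.

```javascript
// Added example, not code from the lab: a minimal server-side renderer for
// the canonical <link> tag. The vulnerable form echoes the raw request URL
// into a single-quoted href, which is what lets the reflected quote,
// accesskey and onclick land in the head as real attributes. The hardened
// form rebuilds the canonical URL from a trusted origin plus the request
// path and attribute-encodes it. https://example.test is an assumed origin.

function renderCanonicalVulnerable(requestUrl) {
  // Raw reflection: a single quote in the query string closes href early.
  return `<link rel="canonical" href='${requestUrl}'/>`;
}

function encodeAttr(value) {
  // Encode every character that can end an attribute value or start a tag.
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function renderCanonicalHardened(requestUrl, siteOrigin) {
  // A canonical URL should not carry user-controlled query strings at all:
  // keep only the parsed path and attach it to a trusted origin.
  const path = new URL(requestUrl, siteOrigin).pathname;
  return `<link rel="canonical" href="${encodeAttr(siteOrigin + path)}"/>`;
}

// Review check: list the attributes of a rendered tag, tokenised the way a
// browser would (a quoted value swallows everything up to the matching
// quote), and report any beyond the two a canonical link legitimately has.
function extraAttributes(tag) {
  const attrRe = /\b([a-zA-Z-]+)=(?:'[^']*'|"[^"]*"|[^\s>]*)/g;
  const names = [...tag.matchAll(attrRe)].map((m) => m[1].toLowerCase());
  return names.filter((n) => n !== 'rel' && n !== 'href');
}

// Constructed request URL carrying the lab's payload in the query string.
const PAYLOAD_URL = "https://example.test/?'accesskey='x'onclick='alert(1)";

console.log(extraAttributes(renderCanonicalVulnerable(PAYLOAD_URL)));
// → [ 'accesskey', 'onclick' ]
console.log(extraAttributes(renderCanonicalHardened(PAYLOAD_URL, 'https://example.test')));
// → []
```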

To trigger the exploit on yourself, press one of the following key combinations:
On Windows: ALT+SHIFT+X
On MacOS: CTRL+ALT+X
On Linux: Alt+X
I am using Windows, so when I press ALT+SHIFT+X the alert is triggered.

And the lab is solved.
