19) Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
As usual, the first step is to analyse the application. It has a search function, so search for a random string, then open the developer tools and find where the user input lands in the HTML:
var searchTerms = 'xxxx'
Let's try to close the single quote and execute an alert. The result we want is something like this: var searchTerms = 'xxxx'-alert(1)-''
' => breaks out of the string 'xxxx'
// => comments out everything after it
But the single quote is being escaped:
Some applications attempt to prevent input from breaking out of the JavaScript string by escaping any single quote characters with a backslash. A backslash before a character tells the JavaScript parser that the character should be interpreted literally, and not as a special character such as a string terminator. In this situation, applications often make the mistake of failing to escape the backslash character itself. This means that an attacker can use their own backslash character to neutralize the backslash that is added by the application.
For example, suppose that the input:
'-alert(1)-//
gets converted to:
\'-alert(1)-//
You can now use the alternative payload:
\'-alert(1)-//
which gets converted to:
\\'-alert(1)-//
Here, the first backslash means that the second backslash is interpreted literally, and not as a special character. This means that the quote is now interpreted as a string terminator, and so the attack succeeds.
So what we can do is escape the backslash introduced by the app. In the previous lab we couldn't do that because the backslash itself was escaped, but in this lab the app does not escape the backslash.
And we have solved the lab.
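To make the root cause concrete from the defender's side, here is an added example (not code from the lab or from PortSwigger) that models the flawed server-side transform this lab describes, a hardened replacement, and a small boundary check that tells you whether a rendered var searchTerms = '...' fragment is still a single string literal. The function names and the check are my own constructs.

```javascript
// Added example: why escaping only the quote is insufficient, and how to check
// that an inline script fragment is still exactly one string literal.

// The flawed transform the lab describes (modelled, not the lab's real code):
// HTML-encodes < > " and backslash-escapes ' but leaves the backslash alone.
function flawedEscape(input) {
  return input
    .replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;')
    .replace(/'/g, "\\'");
}

// Hardened transform: every character that could end the literal, the line,
// or the <script> block is emitted as a \uXXXX escape. The backslash itself is
// rewritten too, so an attacker-supplied backslash cannot neutralise ours.
function hardenedEscape(input) {
  return input.replace(/[\\'"<>&\/\r\n\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Builds the inline script fragment shown on this page.
function renderSearchScript(term, escaper) {
  return "var searchTerms = '" + escaper(term) + "'";
}

// Walks the literal honouring backslash escapes. Returns true only if the
// closing quote is the final character, i.e. the input did not break out.
function literalIntact(js) {
  const prefix = "var searchTerms = '";
  if (!js.startsWith(prefix)) return false;
  for (let i = prefix.length; i < js.length; i++) {
    const c = js[i];
    if (c === '\\') { i++; continue; }          // skip the escaped character
    if (c === "'") return i === js.length - 1;  // terminator must be last
  }
  return false;                                 // unterminated literal
}
```

With the flawed transform, the payload "\'-alert(1)-//" from the page makes literalIntact return false (the literal closes early); with the hardened transform it stays intact and JSON.parse recovers the original input.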