20) Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped

Locate possible injection points

As usual the first step is to analyse the application, we have comment form so we fill it with random string like xxxx then open the developer tools and find where the user input is located in the html

so the xss payload could be injected within the onclick event handler

When the XSS context is some existing JavaScript within a quoted tag attribute, such as an event handler, it is possible to make use of HTML-encoding to work around some input filters.

When the browser has parsed out the HTML tags and attributes within a response, it will perform HTML-decoding of tag attribute values before they are processed any further. If the server-side application blocks or sanitizes certain characters that are needed for a successful XSS exploit, you can often bypass the input validation by HTML-encoding those characters.

in this lab the application escapes single quote characters, so we can use the following payload to break out of the JavaScript string and execute your own script:

payload

http://xxxx_website&apos;);alert(&apos;1

other payload

http://xxxx_website&apos;-alert(1)-&apos;

and we have solved the lab

Previous19) Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped Next21) Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped

Last updated 1 year ago

Was this helpful?