21) Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped

Locate possible injection points

As usual the first step is to analyse the application, we have a search functionnality so let's search for random string and then open the developer tools and find where the user input is located in the html

as we see our input is reflected in a template literal

template literal

JavaScript template literals are string literals that allow embedded JavaScript expressions. The embedded expressions are evaluated and are normally concatenated into the surrounding text. Template literals are encapsulated in backticks instead of normal quotation marks, and embedded expressions are identified using the ${...} syntax.

then you can use the following payload to execute JavaScript without terminating the template literal:

${alert(1)}

payload

xxxx${alert(1)}

and we have solved the lab

Previous20) Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped Next22) Exploiting cross-site scripting to steal cookies

Last updated 1 year ago

Was this helpful?