Lab: Reflected XSS into attribute with angle brackets HTML-encoded
Observe
- Submit a random alphanumeric string, for example banana01, as test input.
- Search for banana01 in the page source (inspect element). It appears in two HTML elements: first inside the h1 tag and second in the input tag, like this:
  <input type="text" placeholder="Search the blog..." name="search" value="banana01">
- If we search again with the value alert(1), the input tag looks like this. It means the value of the input tag is reflected unchanged when we perform a search:
  <input type="text" placeholder="Search the blog..." name="search" value="alert(1)">
- Based on point 3, we know that the search value is not sanitized by this application.
Solution
- Construct the payload:
  " onmouseover="alert(document.domain)"
- Enter the payload in the search form and click search.
- Lab solved ✅
- When the mouse hovers over the search form, the alert is shown.
Conclusion
- The value of the search form is not sanitized but is rendered into the web page, which makes the input vulnerable to reflected XSS.
- When we use the payload " onmouseover="alert(document.domain)", the input tag looks like this:
  <input type="text" placeholder="Search the blog..." name="search" value="" onmouseover="alert(document.domain)" "="">
  As you can see, the first character of the payload (") closes the value attribute and leaves it empty. The rest of the payload injects a new attribute, onmouseover="alert(document.domain)", into the input tag. The alert executes when the onmouseover event fires.
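As an added example (not part of the lab writeup or PortSwigger's code), the following Node.js script contrasts the angle-bracket-only encoding the lab applies with proper attribute encoding, and checks which rendering ends up with an injected event-handler attribute. The helper names and the attribute parser are my own assumptions.

```javascript
// Added example, not from the lab writeup. Helper names are assumptions.

// Mirrors the lab's sanitizer: only < and > are HTML-encoded, so a double
// quote passes through and can terminate the value attribute.
function encodeAngleBracketsOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Proper encoding for a double-quoted attribute value: & first, then the
// characters that could end the attribute (") or the tag (<, >), plus '.
function encodeAttribute(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Renders the lab's search box with the given encoder applied to the term.
function renderSearchInput(term, encoder) {
  return `<input type="text" placeholder="Search the blog..." name="search" value="${encoder(term)}">`;
}

// Lists the attribute names of a single tag. Quoted values are consumed
// whole, so a name is only listed if it sits outside every quoted value,
// i.e. where a browser would treat it as a real attribute.
function attributeNames(tag) {
  const inner = tag.slice(1, -1); // drop the surrounding < and >
  const names = [];
  const re = /\s([\w-]+)(?:="[^"]*")?/g;
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1]);
  return names;
}

// Constructed input: the payload used in the lab writeup.
const payload = '" onmouseover="alert(document.domain)"';

function compare() {
  const weak = renderSearchInput(payload, encodeAngleBracketsOnly);
  const fixed = renderSearchInput(payload, encodeAttribute);
  return {
    weak,
    fixed,
    weakHasHandler: attributeNames(weak).includes("onmouseover"),   // true
    fixedHasHandler: attributeNames(fixed).includes("onmouseover"), // false
  };
}

console.log(compare());
```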