Lab: Stored XSS into anchor href attribute with double quotes HTML-encoded

Observe

  1. Open the detail page of a blog post.
  2. Try to post a comment with every field filled in (Comment, Name, Email, Website).
  3. After the comment is posted successfully, open the blog post again and notice that the name of the user who posted the comment is clickable. Clicking it redirects us to the URL we entered in the Website field.
  4. Inspect the element and notice that the Website value from the form is placed in the href attribute of an a tag inside the comment section.
  5. Try using " onclick="alert(document.domain);" as the Website value when posting a comment, in order to execute JavaScript through an onclick event. After submitting and inspecting the page, our code has been rewritten like this:
<a id="author" href="&quot; onclick=&quot;alert(document.domain)&quot;">name01</a>

It seems that this website already HTML-encodes double quotes, so our JavaScript alert will not execute with this payload.

Solution

  1. Post a new comment, but this time use the value javascript:alert(document.domain) in the Website field.
  2. Post the comment; it is accepted.
  3. If we inspect the element again, the a tag looks like this:
<a id="author" href="javascript:alert(document.domain)">name02</a>
  4. Click the user name in the comment section, and the alert pops up.

Conclusion

If the website already prevents us from breaking out of the href attribute, so that a payload such as " onclick="alert(document.domain)" cannot be used, we are still able to execute JavaScript inside the href attribute by using the javascript: scheme, for example href="javascript:alert(document.domain)".
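To show why double-quote encoding alone is not enough and what a server-side fix looks like, here is an added example (not part of the lab or the original write-up). It assumes a renderer that builds the comment author link the way the lab appears to, and places a hardened version beside it that validates the URL scheme before the value reaches the href attribute; the sample Website values are the two from the write-up.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs: the two Website values tried in the write-up.
ONCLICK_PAYLOAD = '" onclick="alert(document.domain)"'
JAVASCRIPT_URL = "javascript:alert(document.domain)"


def render_author_link_encoded_only(name: str, website: str) -> str:
    """Assumed mirror of the lab's behaviour: the attribute value is only
    HTML-encoded. Quotes can no longer break out of the attribute, but the
    URL scheme is never checked, so a javascript: URL survives intact."""
    return '<a id="author" href="%s">%s</a>' % (
        html.escape(website, quote=True),
        html.escape(name, quote=True),
    )


def is_safe_http_url(website: str) -> bool:
    """Allow-list check on the raw (pre-encoding) value: only absolute
    http(s) URLs with a host pass. The scheme is lower-cased and the value
    stripped so variants such as ' JavaScript:' are rejected as well."""
    parts = urlsplit(website.strip())
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)


def render_author_link_hardened(name: str, website: str) -> str:
    """Hardened renderer: validate the scheme first, then encode. A value
    that fails validation is rendered as plain text with no link at all."""
    safe_name = html.escape(name, quote=True)
    if not is_safe_http_url(website):
        return '<span id="author">%s</span>' % safe_name
    return '<a id="author" href="%s">%s</a>' % (
        html.escape(website, quote=True),
        safe_name,
    )
```

The encoded-only renderer reproduces both markup snippets shown above exactly, which is the point: encoding fixes the quote payload and leaves the javascript: one untouched.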