XSS — Reflected XSS into a JavaScript string with angle brackets HTML encoded
The solution to the lab was hidden in the source code, and since finding it felt a bit like solving a puzzle, I think it was a very enjoyable lab.
The search term is reflected into the page's inline script:
<script>
var searchTerms = 'here';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>
Inside the document.write call the value is passed through encodeURIComponent, so every special character is percent-encoded and a payload cannot break out of the URL from that point on; the only place left to attack is the string literal the value is assigned to.
As a solution, we needed to put the XSS payload where the value here was seeded. First, I had to discover which characters were encoded. After that, I started solving the puzzle.
I first closed the variable declaration with ';
→ var searchTerms='';';
Then I expected my XSS code to run after adding '; alert(1);
→ var searchTerms=''; alert(1);';
However, as can be seen, there is one ' character left over. To address this, I modified my payload to '; alert(1);'
, but it still couldn't trigger the XSS.
While searching for the solution, the idea of using a comment came to my mind. With '; alert(1);//'
, the leftover ' character and the rest of the line are turned into a comment, which solved the problem, and the lab was solved.
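To make the failure mode and its fix concrete, here is an added example (not code from the lab or from this write-up) that rebuilds the lab's embedding pattern as a small Node.js renderer, puts a hardened renderer next to it, and uses a stand-in for the browser that evaluates the resulting assignment with a fake alert(). The function names, the TRACKER_LINE constant, the simulateBrowser helper and the sample inputs are my own assumptions for this example; the payload '; alert(1);//' is the one from the write-up.

```javascript
// Added example, not the lab's own code: the lab's embedding pattern
// (HTML-encode only angle brackets, drop the value into a single-quoted JS
// string) next to a hardened embedding, plus a small stand-in for the browser.
// Function names and the sample inputs are assumptions made for this example.

// The lab's only defence: HTML-encode angle brackets. A single quote passes
// through untouched, so it can terminate the JavaScript string literal.
function htmlEncodeAngleBrackets(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The tracker line the lab emits; encodeURIComponent only protects the URL
// built inside document.write, not the string literal the value sits in.
const TRACKER_LINE =
  "document.write('<img src=\"/resources/images/tracker.gif?searchTerms='" +
  "+encodeURIComponent(searchTerms)+'\">');";

// Vulnerable rendering: the search term lands inside a single-quoted literal.
function renderVulnerable(searchTerm) {
  return '<script>\n' +
    "var searchTerms='" + htmlEncodeAngleBrackets(searchTerm) + "';\n" +
    TRACKER_LINE + '\n' +
    '</script>';
}

// Hardened rendering: JSON.stringify yields a double-quoted literal with
// quotes and backslashes escaped; the characters that matter inside an HTML
// <script> body (< > &, plus the U+2028/U+2029 line terminators) are then
// written as \uXXXX escapes, which JavaScript decodes back to the originals,
// so the value round-trips but can never close the literal or the element.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderHardened(searchTerm) {
  return '<script>\n' +
    'var searchTerms=' + jsStringLiteral(searchTerm) + ';\n' +
    TRACKER_LINE + '\n' +
    '</script>';
}

// Stand-in for the browser: run just the assignment line from the rendered
// <script> with a fake alert() that records whether it was called, and
// report the value searchTerms ends up holding.
function simulateBrowser(rendered) {
  const assignment = rendered.split('\n')[1];
  let alertFired = false;
  const run = new Function('alert', assignment + '\nreturn searchTerms;');
  const searchTerms = run(() => { alertFired = true; });
  return { alertFired, searchTerms };
}

// Sample input (constructed): the payload that solved the lab.
const PAYLOAD = "'; alert(1);//'";

console.log('vulnerable:', simulateBrowser(renderVulnerable(PAYLOAD)));
// → { alertFired: true, searchTerms: '' }
console.log('hardened:  ', simulateBrowser(renderHardened(PAYLOAD)));
// → { alertFired: false, searchTerms: "'; alert(1);//'" }
```

Running it shows the two outcomes side by side: in the vulnerable rendering the first ' ends the literal, alert() fires and searchTerms is left empty, while in the hardened rendering the same input is stored verbatim and nothing executes. The design point is that the encoding has to match the context the value is written into: HTML-encoding defends the HTML context, encodeURIComponent defends the URL, but neither defends a JavaScript string literal, which needs JavaScript-string escaping.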