Reflected XSS into attribute with angle brackets HTML-encoded
The following is my documentation on PortSwigger’s Academy labs.
Goal: Perform a cross-site scripting attack that injects an attribute and calls the “alert” function
This was, overall, a simple and quick lab, but one that highlights why certain prevention methods are super important.
We’ll begin by taking a look at the website and then popping the hood.
We immediately notice the search bar on the page, which could be very useful for our injection methods. With our dev tools open, let’s search for something unique so that we can see what is going on in the background (in this case 1nfornography, because it makes accidental matches unlikely, and, well, ego).
On inspection, we can see that our search term appears inside the value attribute of the input element. Notice the double quotation marks. This will be important later. From here we’ll write our payload and place it into the search bar.
Taking advantage of single or double quotation marks for attack purposes is pretty common in both XSS attacks and SQLi. The reason is that a quotation mark in our input terminates the quoted string the application wrapped around it. Once that string is closed, the browser no longer treats what follows as part of the value; it reads it as part of the surrounding markup, which lets us append further attributes or script. We can actually see this in action once we search for the above payload in our dev tools:
All we need to do now is hover our mouse over the search bar.
…and our lab is complete! The alert appears on mouseover.
Possible prevention methods
As stated at the beginning, the method of attack was fairly simple, but it shows us something important: the site does not sanitize or encode its strings properly for the context they land in. Angle brackets are HTML-encoded, but the double quotation marks are not, so input reflected into an attribute value can close that attribute. Without context-aware encoding of our strings we leave our site open to many different attacks. PortSwigger has a very useful resource with more information about XSS prevention.
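To make both points concrete, the attribute break-out described above and the encoding fix discussed in this section, here is an added example (not part of the lab or of PortSwigger’s code). It models the search page as a tiny server-side template and compares two output encoders: one that, as an assumed reconstruction of the lab’s behaviour, only encodes angle brackets, and one that encodes quotes and ampersands as well. Python’s own `html.parser` stands in for the browser to show which attributes each rendering actually ends up with. The search term used is a constructed, neutral marker (a quote followed by a `data-injected` attribute), not a script payload.

```python
import html
from html.parser import HTMLParser

# Constructed search term for the demonstration: a double quote followed by an
# extra attribute. It is a neutral marker, not a script payload.
INJECTED_TERM = '" data-injected="1'


def encode_angle_brackets_only(value: str) -> str:
    """Assumed reconstruction of the lab's behaviour: only < and > are encoded."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def encode_for_attribute(value: str) -> str:
    """Context-aware encoding for a quoted attribute value:
    & < > " and ' all become entities, so the value cannot close the attribute."""
    return html.escape(value, quote=True)


def render_search_box(term: str, encoder) -> str:
    """Hypothetical server-side template that reflects the term into value="..."."""
    return f'<input type="text" name="search" value="{encoder(term)}">'


class InputAttrCollector(HTMLParser):
    """Records the attributes the parser assigns to the <input> tag,
    the same way a browser would build the element."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            # Entity references in attribute values are already decoded here.
            self.attrs = dict(attrs)


def parsed_input_attrs(markup: str) -> dict:
    """Parse the rendered markup and return the <input> element's attributes."""
    parser = InputAttrCollector()
    parser.feed(markup)
    return parser.attrs


def attribute_injected(term: str, encoder) -> bool:
    """True when the reflected term adds a new attribute instead of staying
    inside the value attribute as plain data."""
    attrs = parsed_input_attrs(render_search_box(term, encoder))
    return "data-injected" in attrs


if __name__ == "__main__":
    for name, encoder in (
        ("angle-brackets-only", encode_angle_brackets_only),
        ("attribute-aware", encode_for_attribute),
    ):
        markup = render_search_box(INJECTED_TERM, encoder)
        print(f"{name}: {markup}")
        print("  parsed attrs:      ", parsed_input_attrs(markup))
        print("  attribute injected:", attribute_injected(INJECTED_TERM, encoder))
```

With the angle-bracket-only encoder the parser sees four attributes on the element, the injected one included, because the quote in the search term ended the value attribute. With `html.escape(..., quote=True)` the same term comes back out of the parser as the literal value of the value attribute, which is exactly the property a reflected search box needs.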
Notes
I used the following resources in this exercise:
- z3nsh3ll
- PortSwigger’s XSS Cheat Sheet
Filed under: Cybersecurity,Pentesting,PortSwigger Academy,XSS attack - @ December 17, 2023 9:31 pm