Solution for PortSwigger Academy Lab: Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
The following is my documentation on PortSwigger’s Academy labs.
End Goal: Perform an XSS attack that escapes out of the JavaScript string and calls the alert function
In this lab we will be exploiting how the target site escapes single quotations from the input field by using the very same characters that it escapes with against it. Sound like fun? Let’s dig into it.
Investigating the target site
We’ll start our investigation by inputting a random alpha-numeric string into the search bar and then see what it looks like in the background of the site. In this case, we’ll use “1nfornography” because—ego.
We use a random alphanumeric string primarily to prevent the site from returning posts and the like, so that we can play around with a “blank canvas”. Once we enter our query, we use the element inspector built into Firefox and look for our string (specifically inside a JavaScript tag).
Here we can clearly see that our string is encased inside of two single quotes. We need to break out of this if we are to call the alert function, so let’s craft a payload to do so. We’ll try to trick the site by placing a single quote after our string to neutralize the first single quote, call the alert function, and then neutralize the second single quote by commenting it out with two forward slashes. Our payload will look like this:
1nfornography'-alert(1)//
…and we have failed to call the alert function. So what happened? Let’s take a look:
We can see that the site escaped the single quote in our payload with a backslash, giving us this:
'1nfornography\'-alert(1)//'
So what’s next?
Crafting our reflected XSS exploit payload
Most of our payload should be sound; it is just that pesky backslash that has gotten in our way. It escaped our single quotation, effectively neutralizing the call to alert. This is where we get to be a little cheeky. If the backslash escapes a single quote, why not use it to escape another backslash? Indeed. We will use the site’s escape method against itself! Our new payload will look like this:
1nfornography\'-alert(1)//
We just send our mean little payload away and…
The alert fires, which means we have solved the lab!
Before we finish up let’s do our due diligence and inspect the page just to see the payload in action.
We can see our payload working as it now looks like this:
'1nfornography\\'-alert(1)//'
We successfully commented out the ending single quotation and neutralized the site’s escaping of our own single quote: the site turned our single quote into \' as before, but the backslash we supplied in front of it is left untouched, so the browser reads \\ as one literal backslash and the quote that follows it closes the string early.
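To make the root cause concrete from the defender's side, here is an added example (not code from the lab or from PortSwigger) that mimics the lab's escaping in a small JavaScript function, puts a properly hardened version beside it, and checks whether a search term can terminate the string literal early. The variable name searchTerms and the exact HTML-encoding of the weak version are assumptions about the lab page, not copied from it.

```javascript
// Weak escaping, as the write-up describes it (assumed reconstruction):
// angle brackets and double quotes are HTML-encoded, single quotes get a
// leading backslash, but a backslash in the input is passed through untouched.
function weakEscape(term) {
  return term
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "\\'");
}

// Hardened escaping for a JS single-quoted literal: escape the backslash
// FIRST so it can no longer neutralise the escape added for the quote, then
// neutralise the characters that could close the string or the <script> block.
function safeEscape(term) {
  return term
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/</g, "\\x3c")
    .replace(/>/g, "\\x3e")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Builds the inline script line the page would emit (variable name assumed).
function embed(escapeFn, term) {
  return "var searchTerms = '" + escapeFn(term) + "';";
}

// Walks the emitted source like a JS tokenizer would: a backslash consumes
// the next character, and the first unescaped quote ends the literal.
// Returns true when that quote is not the one the page intended (the "';" at
// the end), i.e. the input escaped out of the string.
function literalBreaksOut(js) {
  const open = js.indexOf("'");
  let i = open + 1;
  while (i < js.length) {
    if (js[i] === "\\") { i += 2; continue; } // escaped character, skip it
    if (js[i] === "'") break;                 // unescaped quote closes literal
    i++;
  }
  return i !== js.length - 2;
}

// Constructed inputs mirroring the write-up: plain term, first attempt, and
// the backslash-prefixed term that defeats the weak escaping.
const plainTerm = "1nfornography";
const quoteTerm = "1nfornography'-alert(1)//";
const backslashTerm = "1nfornography\\'-alert(1)//";
```

Run literalBreaksOut over embed(weakEscape, backslashTerm) and embed(safeEscape, backslashTerm) to see that only the weak version lets the literal close early.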
Notes:
I am pretty proud of this one, simple as it may be, as it is really the first time I was able to solve a lab without having to look for help. I recently built a JavaScript Text Adventure Game to better learn and understand JavaScript. This is kind of sad to write, but it really cemented the double forward-slash in my mind for comments. Keeping track of each different language’s means to comment out has been tricky for me, so building something in that language and seeing the parts work really helps me. I am excited to continue on my learning path!
I followed the following general guide on “How to find and test for XSS Vulnerabilities”1 by PortSwigger, which I will summarize below:
- Test every entry point.
- Submit random alphanumeric values.
- Determine the reflection context.
- Test a candidate payload.
- Test alternative payloads.
- Test the attack in a browser.
I will be using these guidelines for these exercises moving forward.
Footnotes
- How to find and test for reflected XSS vulnerabilities by PortSwigger
Filed under: Uncategorized - @ February 29, 2024 9:33 pm