Solution for PortSwigger Academy Lab: Stored XSS into onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
The following is my documentation on PortSwigger’s Academy labs.
End Goal: Submit a comment that calls the alert function when the comment author name is clicked
To help build good habits we will be going through this lab with PortSwigger’s guides to finding stored [1] and reflected [2] XSS vulnerabilities, slightly modified:
- Find entry points.
- Submit random alphanumeric values.
- Determine the context of the entered string.
- Test a candidate payload.
- Test alternative payloads.
If we were going into a challenge blind, we would of course cycle through these steps for every entry point and for each iteration of our payloads.
Finding our entry points
Our target site for this lab is a blog with a comment section under every post. Since the End Goal tells us the payload must fire when the comment author’s name is clicked, and it is the comment form’s “Website” field that turns that name into a link, our hunting is done. On a real site, however, we would be more thorough and check search bars, profile fields and every other place where user input is reflected.
Submitting a random alphanumeric value and determining the context of the string
After navigating to the comment section we’ll fill out the comment form and see what it does.
Once we have the form filled out we’ll use the Inspector built into our Firefox browser to take a look at our comment.
We see that the author name has become a link whose onclick attribute contains inline JavaScript, and that the value we typed into the “Website” field sits inside a single-quoted string literal in that handler. This is where we will focus our exploitation.
Testing a candidate payload
Of course, we know from the title of this lab that single quotes and backslashes are escaped, but let’s pretend that we do not and do our due diligence, as we should still see this in action. We’ll enter the following into the “Website” field, based on İbrahim Taha İstikbal’s own write-up of this lab [3]: https://'1nfornography'.com
When we inspect our comment we find this:
We can clearly see that each of our single quotes has been escaped with a backslash, so it stays inside the JavaScript string literal instead of closing it. So how do we break out of this?
Testing an alternative payload
Now that we know our limits, we have to be a little sneaky. In previous labs we have taken advantage of HTML encoding, so this will not be a new concept to us. Our final payload will look something like this:
https://1nfornography.com?&apos;-alert(1)-&apos;
We use &apos; in our payload because it is the HTML entity for a single quote (&#39; or &#x27; would work just as well). The server’s filter only looks for a literal ' and \, so it passes the entity through untouched. The browser, however, decodes entities in attribute values before handing the text to the JavaScript engine, so by the time the onclick handler runs, each &apos; has become a real ' that closes the string literal. Now we just have to send our payload away!
Congratulations! We did it! We solved the lab. But let’s continue with a few more steps to see our payload in action.
We can see by inspecting the author name link that our payload has been properly translated from our HTML encoding and now looks like this:
https://1nfornography.com?'-alert(1)-'
This means that clicking the link runs our alert. The handler now evaluates 'https://1nfornography.com?'-alert(1)-'' as an arithmetic expression: the first - makes the string literal and alert(1) operands of a subtraction, so alert(1) is called (its result is harmlessly passed on), and the trailing - followed by the page’s original closing quote leaves an empty string literal so the script still parses. Without that trailing -, the original closing quote would produce alert(1)'', which is a syntax error and no alert would fire.
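To see the encode/decode interplay outside the lab, here is an added JavaScript example (not part of the original post, and not the lab’s own code) that models the lab’s server-side filter and the browser’s attribute decoding, then runs the resulting onclick handler in Node with a stub alert. The filter, the onclick template (var tracker={track(){}};tracker.track('...')), the decodeAttribute helper and the hardenedFilter function are assumptions of this example, not the lab’s source. The example goes one step beyond the write-up by also running the payload without its trailing dash and through a hardened filter.

```javascript
// Added example, not from the lab or the original post. The filter and the
// onclick template below are an assumed model of the lab's behaviour.

// Assumed model of the lab's server-side filter: angle brackets and double
// quotes are HTML-encoded, single quotes and backslashes are backslash-escaped.
// Note what it does NOT touch: '&' and ';', so HTML entities pass straight through.
function labFilter(value) {
  return value
    .replace(/\\/g, "\\\\")   // escape backslashes first so we don't double-escape
    .replace(/'/g, "\\'")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Hardened alternative (an assumption, not the lab's fix): JavaScript-escape
// every character outside [A-Za-z0-9] as \uXXXX before it goes into the
// attribute. The attribute then contains no '&', quote or backslash for the
// HTML parser to interpret, and the JS engine turns the escapes back into
// the original characters inside the string literal.
function hardenedFilter(value) {
  const js = value.replace(/[^A-Za-z0-9]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
  // Attribute-encode as a second layer; with the escaping above it is a no-op,
  // but encoding for each context in order is what makes this correct.
  return js.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
           .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Assumed template: the Website value lands in a single-quoted JS string
// inside the author link's onclick attribute.
function renderAuthorLink(website, filter = labFilter) {
  return `<a onclick="var tracker={track(){}};tracker.track('${filter(website)}');">author</a>`;
}

// What the browser does to an attribute value before the JS engine sees it:
// decode character references. Only the entities this example needs are handled.
function decodeAttribute(attr) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return attr.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    const name = body.toLowerCase();
    return name in named ? named[name] : match;
  });
}

// Pull the onclick attribute out of the rendered HTML and decode it.
function onclickScript(html) {
  const m = html.match(/onclick="([^"]*)"/);
  return decodeAttribute(m[1]);
}

// "Click" the link: run the decoded handler with a stub alert. Returns what
// alert was called with (null if it never fired) and any parse/runtime error.
function simulateClick(website, filter = labFilter) {
  const script = onclickScript(renderAuthorLink(website, filter));
  let alerted = null;
  const alert = (x) => { alerted = x; };
  try {
    new Function("alert", script)(alert);
  } catch (e) {
    return { script, alerted: null, error: e.constructor.name };
  }
  return { script, alerted, error: null };
}

// Constructed inputs: the candidate payload, the working payload, the same
// payload without the trailing '-', and the working payload through hardenedFilter.
const cases = [
  ["candidate", "https://'1nfornography'.com", labFilter],
  ["final", "https://1nfornography.com?&apos;-alert(1)-&apos;", labFilter],
  ["no trailing dash", "https://1nfornography.com?&apos;-alert(1)&apos;", labFilter],
  ["final vs hardened", "https://1nfornography.com?&apos;-alert(1)-&apos;", hardenedFilter],
];
for (const [label, website, filter] of cases) {
  const r = simulateClick(website, filter);
  console.log(`${label}: alert=${r.alerted} error=${r.error}\n  ${r.script}`);
}
```

Run it with node and compare the four decoded handlers: the candidate keeps its quotes escaped, the final payload calls alert with 1, the dash-less variant is a SyntaxError, and the hardened filter leaves the JS engine a single intact string literal with nothing to break out of.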
Notes
This was a fun lab that let me implement something I have been wanting to do on the target site for a while. As this write-up exists mostly to help me cement what I have learned by organizing my thoughts and writing them down, it is not best suited to serve as a tutorial. If you found it helpful in your own journey, that is a great bonus. If you are looking for an article that serves that purpose, however, check out İbrahim Taha İstikbal’s lab solution [3]. It is very well-written and I used it myself.
Footnotes
1. How to find and test for stored XSS vulnerabilities by PortSwigger
2. How to find and test for reflected XSS vulnerabilities by PortSwigger
3. İbrahim Taha İstikbal’s lab solution
Filed under: Cybersecurity,Pentesting,PortSwigger Academy,XSS attack - @ March 5, 2024 8:42 pm