PortSwigger-Writeups

Lab: Reflected XSS into Attribute with Angle Brackets HTML-Encoded

Lab Difficulty: Apprentice

Topic: Cross-Site Scripting (Reflected)

1. Objective

The objective of this lab is to perform a reflected Cross-Site Scripting (XSS) attack on a blog website. The specific challenge is injecting JavaScript into a context where angle brackets (< and >) are HTML-encoded by the application, preventing the use of standard HTML tags like <script>.

2. Reconnaissance & Analysis

Initial Probe

We began by injecting a standard "canary" string to identify where our input is reflected in the application response. Using the search function, we entered a plain alphanumeric string, test123.

Observation: The input is reflected in two locations within the HTML response:

  1. Inside an <h1> heading tag.

  2. Inside the value attribute of an <input> tag.


Mapping the filter

To test the application’s sanitation mechanisms, we injected a standard XSS payload: <script>alert(1)</script>.

Observation: The application neutralised this payload by HTML-encoding the angle brackets (< becomes &lt; and > becomes &gt;).

This confirms that we cannot break out of the HTML tag context to create new tags. We must work within the existing attributes.


3. Vulnerability Identification

While angle brackets are encoded, we hypothesised that double quotes (") might not be. If the application fails to encode double quotes inside the value attribute, we can break out of that attribute and inject our own event handlers without ever needing a new tag.

The Strategy:

  1. Break Out: Use a double quote " to close the value attribute.

  2. Inject Attribute: Add a new event handler attribute (e.g., onmouseover, onfocus) to the <input> tag.

  3. Trigger: Since the challenge requires execution without user interaction, onfocus combined with autofocus is the optimal choice: the browser focuses the input as the page loads, which fires the focus event immediately.

  4. Cleanup: Add a dummy attribute (e.g., x=") to gracefully handle the trailing double quote generated by the server.

4. Exploitation

We constructed the following payload to test the hypothesis:

" autofocus onfocus=alert(1) x="

Payload Breakdown:

  1. " closes the value attribute that the server opened.

  2. autofocus makes the browser focus the <input> on page load.

  3. onfocus=alert(1) is the injected event handler, executed when focus arrives.

  4. x=" opens a dummy attribute that absorbs the trailing double quote the server appends, keeping the tag well-formed.

Execution: We sent this payload via the search parameter. Inspecting the response in Burp Suite confirmed that the double quotes were not encoded and that our attributes were injected into the <input> tag as separate attributes rather than remaining inside the value string.


5. Proof of Concept

Upon loading the URL with the injected payload in the browser, the autofocus attribute triggered the focus event immediately, without any user interaction, causing the onfocus handler to execute the alert() function.


6. Conclusion

The application correctly encoded angle brackets to prevent HTML tag injection but failed to encode double quotes within an HTML attribute context. This allowed an attacker to break out of the value attribute and inject malicious event handlers, leading to successful Cross-Site Scripting.

Remediation: Ensure that all user input reflected inside HTML attributes is encoded for the attribute context, not just for tag context. Specifically, double quotes (") should be converted to &quot; (and &, <, > and ' encoded alongside them) to prevent attribute breakout. Encoding angle brackets alone is not sufficient when the reflection point is inside an attribute.