Reflected XSS into Attribute with Angle Brackets HTML-Encoded- Walkthrough

Hacker2255

Introduction

Cross-Site Scripting (XSS) is a common web vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. In this walkthrough, we will solve PortSwigger’s “Reflected XSS into attribute with angle brackets HTML-encoded” lab.

Lab Description

This lab contains a reflected XSS vulnerability in the blog search functionality. The challenge is that angle brackets (< and >) are HTML-encoded, which prevents direct injection of a <script> tag. However, we can still inject malicious attributes into existing elements.

Understanding the Vulnerability

  1. The search query is reflected in the page’s source code inside an HTML attribute.

  2. Because angle brackets are encoded, traditional payloads like <script>alert(1)</script> won’t work.

  3. Instead, we can break out of the attribute value and inject an event handler such as onmouseover, onfocus, or onload.

Finding the Injection Point

  1. Enter a test payload like test" into the search box.

  2. Inspect the reflected response in View Source or Developer Tools.

  3. If our input is reflected inside an attribute like <input value="test">, we can try breaking out of it.

The response reflects our input without any error, so we move on to other payloads.

Crafting the Payload

Since angle brackets are encoded, we cannot use <script>. However, we can use:

" onmouseover="alert(1)

The leading double quote closes the existing value attribute, and the rest adds an onmouseover event handler that triggers an alert box.

Final Exploit

Enter this payload in the search bar:

" onmouseover="alert(1)

When you hover over the injected input element, alert(1) executes, proving the vulnerability.

Mitigation

To prevent this type of XSS:

  1. Use proper attribute encoding (e.g., &quot; for ", &gt; for >, &lt; for <), not just encoding of angle brackets.

  2. Implement Content Security Policy (CSP).

  3. Use input validation and sanitization.
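The following example is added here to illustrate both the breakout described under “Crafting the Payload” and the first mitigation above; it is not code from the lab or from PortSwigger. It renders the search term into the value attribute of an input element twice: once with a weak filter that encodes only angle brackets (an assumption about how the lab behaves, based on the description), and once with full attribute encoding via Python’s html.escape. The rendered markup is then parsed with the standard-library HTMLParser to check whether an event-handler attribute has appeared on the element.

```python
import html
from html.parser import HTMLParser

# Constructed template standing in for the lab's search box markup.
SEARCH_TEMPLATE = '<input type="text" name="search" value="{value}">'

# The breakout payload discussed in the walkthrough.
PAYLOAD = '" onmouseover="alert(1)'


def encode_angle_brackets_only(term: str) -> str:
    """Weak filter (assumed lab behaviour): encodes < and > but leaves quotes alone."""
    return term.replace("<", "&lt;").replace(">", "&gt;")


def encode_for_attribute(term: str) -> str:
    """Proper attribute encoding: & < > " and ' are all HTML-encoded."""
    return html.escape(term, quote=True)


def render_search_box(term: str, encoder) -> str:
    """Reflect the search term into the value attribute using the given encoder."""
    return SEARCH_TEMPLATE.format(value=encoder(term))


class _InputAttrCollector(HTMLParser):
    """Collects the attributes the browser-like parser sees on the <input> element."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            # HTMLParser has already decoded entities in attribute values here.
            self.attrs = dict(attrs)


def parse_input_attributes(markup: str) -> dict:
    parser = _InputAttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    """True if any on* attribute ended up on the input element (breakout succeeded)."""
    return any(name.startswith("on") for name in parse_input_attributes(markup))


def compare_encoders(term: str) -> dict:
    """Render the term with both encoders and report whether each allowed a breakout."""
    weak = render_search_box(term, encode_angle_brackets_only)
    safe = render_search_box(term, encode_for_attribute)
    return {
        "weak_markup": weak,
        "weak_breakout": has_event_handler(weak),
        "safe_markup": safe,
        "safe_breakout": has_event_handler(safe),
        # With proper encoding the whole payload stays inside the value attribute.
        "safe_value_round_trip": parse_input_attributes(safe).get("value") == term,
    }


if __name__ == "__main__":
    for key, val in compare_encoders(PAYLOAD).items():
        print(f"{key}: {val}")
```

Run it and compare the two rendered strings: with the weak filter the parser reports an onmouseover attribute on the input, while with html.escape the entire payload survives only as the literal text of the value attribute, which is exactly the property the first mitigation item asks for.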

Conclusion

This lab demonstrates how reflected XSS can still be exploited even when angle brackets are encoded. Understanding these scenarios helps in both attacking and securing web applications.
