Stored XSS in Anchor href Attribute - PortSwigger Lab Walkthrough

Introduction
Cross-Site Scripting (XSS) is a common web vulnerability that allows attackers to inject malicious JavaScript into web pages. This can lead to session hijacking, data theft, or even full account takeovers.
In this blog, I will walk you through PortSwigger’s Stored XSS lab, where the vulnerability exists in an anchor (<a>) tag’s href attribute. We will exploit it and discuss how to prevent such attacks.
Lab Description
This lab contains a Stored XSS vulnerability in the comment section of a web application.
When a user submits a comment, their username is embedded inside an <a> tag’s href attribute.
The application encodes double quotes (") but still allows JavaScript execution.
The goal is to execute alert(1) when the author’s name is clicked.
Analyzing the Vulnerability
Submit a test comment with some basic HTML, such as:
<script>alert(1)</script>
This will not work because script tags are sanitized.
Instead, the user input is placed inside an anchor (<a>) tag’s href attribute:
<a href="user_INPUT">Author Name</a>
This means we can inject JavaScript using the javascript: protocol inside href.
Crafting the XSS Payload
To execute JavaScript when the link is clicked, we use:
javascript:alert(1)
However, some web applications encode : into %3A, so we use the encoded version:
javascript%3Aalert(1)
Steps to Solve the Lab
Go to the comment section of the lab.
Post a comment with the following payload:
<a href="javascript:alert(1)">Click me</a>
Submit the comment and reload the page.
Click on the author’s name (which is now a link).
An alert box pops up, proving the XSS is executed!
After clicking Post comment and then clicking the author’s name, we get:
Security Mitigation
To prevent such vulnerabilities, developers should:
Sanitize input: Remove dangerous schemes like javascript: from href attributes.
Use a Content Security Policy (CSP): Block inline JavaScript execution.
Escape user input: Ensure untrusted input is properly encoded before rendering in the DOM.
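The scheme check and output encoding from the list above, sketched as an added example (not code from the lab or from the original post). The function names and the http/https allowlist are assumptions; renderAuthorQuotesOnly reproduces the quote-only encoding described earlier so the two outputs can be compared.

```javascript
// Added example: allowlist the URL scheme, then attribute-encode the result.
// Function names and sample values are constructed for illustration.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Encode characters that could break out of a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Return a normalized absolute URL if its scheme is allowlisted, else null.
// The WHATWG URL parser lowercases the scheme and strips surrounding
// whitespace and embedded tab/newline characters, so the check runs on
// the same value a browser would act on.
function safeHref(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return null; // not an absolute URL: reject rather than guess
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Render the comment author; fall back to plain text when the URL is rejected.
function renderAuthor(name, website) {
  const href = safeHref(website);
  const safeName = escapeAttr(name);
  return href === null
    ? `<span>${safeName}</span>`
    : `<a href="${escapeAttr(href)}" rel="nofollow noopener">${safeName}</a>`;
}

// For comparison: quotes are encoded but the scheme is never checked.
function renderAuthorQuotesOnly(name, website) {
  return `<a href="${String(website).replace(/"/g, "&quot;")}">${escapeAttr(name)}</a>`;
}

// Constructed sample inputs.
console.log(renderAuthorQuotesOnly("Author Name", "javascript:alert(1)"));
console.log(renderAuthor("Author Name", "javascript:alert(1)"));
console.log(renderAuthor("Author Name", "https://example.com/profile"));
```

The check must run on the server when the comment is rendered (or stored), since the value comes back to every visitor of the page.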
Conclusion
Stored XSS vulnerabilities can have severe security implications if left unchecked. This lab demonstrates how improper input handling inside an anchor’s href attribute can lead to an exploit.
To stay secure, always validate and escape user input!
