Reflected XSS into a JavaScript string with angle brackets HTML encoded
Description
The website in this lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality: the search term is reflected inside a JavaScript string, and only angle brackets are HTML-encoded. Because the injection context is a JavaScript string rather than HTML, encoding angle brackets alone does not prevent a quote character from terminating the string. Also see the HackTricks XSS page, in the section on Inside JavaScript code.
Reproduction and proof of concept
Put a random alphanumeric string in the search box, then use Burp Suite to intercept the search request and send it to Burp Repeater.
<script>
var searchTerms = '<alphanumeric';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
</script>
The random string is reflected inside a JavaScript string. The script takes the input, assigns it to the variable searchTerms, and then calls document.write with a tracker image URL built using encodeURIComponent(searchTerms). The encodeURIComponent call protects only the URL that is built at runtime; it does nothing about the string literal itself, where a single quote ends the literal. Replace the input with this payload to break out of the JavaScript string and inject an alert:
'-alert('XSS')-'
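To make the defensive point concrete, here is an added example (not code from the lab, PortSwigger or this writeup) that mirrors the assumed server-side behaviour of HTML-encoding only angle brackets before placing the value in a single-quoted JavaScript string, and contrasts it with an encoder suitable for a JavaScript string context. The function names naiveEmbed, safeEmbed and roundTrips are mine; roundTrips checks whether the generated statement still assigns exactly the supplied text to searchTerms, which is what a correct encoder guarantees for any input. The payload from the writeup is used only as a test input to show which encoder keeps it inside the string.

```javascript
// Added example, not the lab's real code. Assumption about the lab's server:
// only < and > are HTML-encoded before the value lands inside single quotes.
function naiveEmbed(input) {
  const encoded = String(input).replace(/</g, "&lt;").replace(/>/g, "&gt;");
  return `var searchTerms = '${encoded}';`;
}

// Hardened version: JSON.stringify yields a valid JS string literal with quotes
// and backslashes escaped. On top of that, characters that matter in the
// surrounding HTML <script> context (< > &, which could form </script> or a
// comment) and the U+2028/U+2029 line terminators are written as \uXXXX escapes,
// so the output is safe to drop into an inline script block.
function safeEmbed(input) {
  const literal = JSON.stringify(String(input))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return `var searchTerms = ${literal};`;
}

// Property a correct encoder must satisfy: evaluating the emitted statement
// assigns exactly the original text to searchTerms. The snippet is run in an
// isolated Function scope with `alert` shadowed by a parameter that throws, so
// nothing touches the DOM or a real global; a thrown error or a different
// value means the input escaped the string context and changed the code.
function roundTrips(snippet, original) {
  const trap = () => {
    throw new Error("string context escaped: code outside the literal ran");
  };
  try {
    const value = new Function("alert", snippet + " return searchTerms;")(trap);
    return value === original;
  } catch (e) {
    return false;
  }
}

// Usage: compare both encoders on the lab payload and on a harmless term.
const payload = "'-alert('XSS')-'";
console.log("naive  keeps payload in string:", roundTrips(naiveEmbed(payload), payload)); // false
console.log("safe   keeps payload in string:", roundTrips(safeEmbed(payload), payload));  // true
console.log("safe   output:", safeEmbed("</script><b>x</b>"));
```

The round-trip check is a useful unit test to keep next to any template helper that writes user data into inline scripts: it fails the moment a new input class (quotes, backslashes, `</script>`, line terminators) is not covered. The more robust fix is to avoid building script source from user data at all, for example by reading the term from a data attribute or a JSON block and setting the image src via DOM APIs instead of document.write.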
