Reflected XSS into attribute with angle brackets HTML-encoded


The website in this lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded.

Also see the leads from HackTricks concerning XSS methodology and XSS Inside HTML tags attribute: 2. If you can escape from the attribute but not from the tag (-> is encoded or deleted), depending on the tag you could create an event that executes JS code:

Reproduction and proof of concept

  1. Put a random alphanumeric string in the search box, then use Burp Suite to intercept the search request and send it to Burp Repeater.

  2. The random string has been reflected inside a quoted attribute.

  3. Replace the input with a payload to escape the quoted attribute and inject an event handler:

" autofocus onfocus=alert(1) x="
  1. Verify the technique worked by right-clicking, selecting “Copy URL”, and pasting the URL in the browser. When you move the mouse over the injected element it should trigger an alert.

Reflected XSS

The resulting HTML:

<section class=blog-header>
    <h1>0 search results for '&quot; autofocus onfocus=alert(1) x=&quot;'</h1>