07 Lab: Reflected XSS into attribute with angle brackets HTML-encoded
This lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded. To solve this lab, perform a cross-site scripting attack that injects an attribute and calls the alert function.
We confirm that the input we enter is reflected in the search title.

Therefore, we try these payloads:
"onmouseover="alert(1)
https://0a410097038d61b2832f8bee000a009e.web-security-academy.net/?search="onmouseover%3D"alert(1)
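Why the payload works, and what stops it, shown as an added example that is not the lab's own code. It assumes a hypothetical server template that reflects the search term into a double-quoted `value` attribute; the function names and the small attribute parser are illustrative.

```javascript
// Weak encoder, matching the lab description: only angle brackets are HTML-encoded.
function encodeAngleBracketsOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened encoder for a quoted attribute context: quotes and ampersands are encoded too.
function encodeForAttribute(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hypothetical template (assumption): the search term lands inside value="...".
function renderSearchInput(term, encode) {
  return `<input type="text" name="search" value="${encode(term)}">`;
}

// Minimal parser for one tag: lists the attribute names an HTML parser would see.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+/, "").replace(/>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when the rendered tag carries an event-handler attribute (on*).
function hasInjectedHandler(tag) {
  return attributeNames(tag).some((n) => n.startsWith("on"));
}

// The payload from this page, used as test input for both encoders.
const PAGE_PAYLOAD = '"onmouseover="alert(1)';

for (const [label, enc] of [["angle brackets only", encodeAngleBracketsOnly],
                            ["attribute encoding", encodeForAttribute]]) {
  const tag = renderSearchInput(PAGE_PAYLOAD, enc);
  console.log(`${label}: ${tag}`);
  console.log(`  attributes: ${attributeNames(tag).join(", ")}`);
  console.log(`  injected handler: ${hasInjectedHandler(tag)}`);
}
```

With angle brackets encoded but quotes left alone, the first `"` closes `value` and `onmouseover` becomes a separate attribute; once `"` is emitted as `&quot;` the whole payload stays inside the attribute value.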
