Write-up: Reflected XSS into HTML context with nothing encoded @ PortSwigger Academy

Frank Leitner
Published in InfoSec Write-ups
3 min read · Nov 20, 2022


This write-up for the lab Reflected XSS into HTML context with nothing encoded is part of my walkthrough series for PortSwigger’s Web Security Academy.

Learning path: Client-side topics → Cross-site scripting

Python script: script.py

Lab description

Steps

As usual, the first step is to analyze the application. In this case, it is the blog website with search functionality.

When searching for a term, it is reflected back in the result:

This behavior becomes a problem if the search string is reflected without being HTML-encoded or otherwise sanitized for the context it lands in.

I try including simple HTML tags in my search input. These tags are embedded into the HTML source of the response without any escaping:

The most trivial XSS is to simply use <script> tags within the search term and hope that they, too, are embedded in the HTML:

Sure enough, this raises the alert box confirming the XSS vulnerability on the domain:

At the same time, the lab updates to
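To make the root cause concrete, here is an added example (my own illustration, not the write-up's `script.py` and not the lab's code) of a minimal search handler: the vulnerable variant reflects the term into the HTML body as-is, the hardened variant HTML-entity encodes it first, and a small check tells the two apart using a harmless `<b>` probe rather than a script payload. The template string and the probe are constructed for this example.

```python
# Added example: reflected search term in an HTML body context,
# vulnerable form beside the encoded form, plus the reflection check.
import html

# Constructed template standing in for the lab's search-results page.
PAGE_TEMPLATE = "<h1>{count} search results for '{term}'</h1>"


def render_search_vulnerable(term: str, count: int = 0) -> str:
    """Reflects the raw search term into the HTML body (the lab's behaviour)."""
    return PAGE_TEMPLATE.format(count=count, term=term)


def render_search_safe(term: str, count: int = 0) -> str:
    """Same page, but the term is HTML-entity encoded before it enters the body.

    html.escape turns < > & " ' into entities, so user input can no longer
    open a tag or break out of the surrounding text node.
    """
    return PAGE_TEMPLATE.format(count=count, term=html.escape(term, quote=True))


def reflects_markup_unencoded(response_html: str, probe: str) -> bool:
    """True when the probe's tags survive into the response as real markup.

    A harmless probe such as '<b>probe</b>' is enough to decide: if it comes
    back verbatim the HTML context is injectable; if it comes back as
    '&lt;b&gt;probe&lt;/b&gt;' the output encoding is doing its job.
    """
    return probe in response_html


if __name__ == "__main__":
    probe = "<b>probe</b>"  # constructed, harmless marker tag
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("safe", render_search_safe)):
        page = render(probe)
        print(f"{name:10s} -> {page}")
        print(f"{'':10s}    reflected unencoded: {reflects_markup_unencoded(page, probe)}")
```

Entity encoding is the right fix for this lab because the reflection lands in the HTML body; input reflected into an attribute, a JavaScript string or a URL needs the encoding appropriate to that context instead.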
