Portswigger Academy — Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped — Write-up
In this write-up I will be showing my thought process behind solving the aforementioned Portswigger Academy challenge. DISCLAIMER! This write-up contains the answer to the challenge, so if you are here for hints, watch out:)
To start off, the lab description tells us that the search functionality is the vulnerable part, so we have our attack vector. To test it, I simply supplied a unique string, like "alan", and looked at the DOM.
var searchTerms = 'alan';
document.write('<img src="/resources/images/tracker.gif?searchTerms='+encodeURIComponent(searchTerms)+'">');
Inside the DOM I found this piece of client-side JavaScript that reflects our search term. To solve this lab, I had to break out of this string and write my own code that would fire an XSS payload.
The first thing that comes to mind here is to simply put a single quote in front, "'alan", but this is how the code reacts:
var searchTerms = '\'alan';
It escapes the single quote with a backslash, making it a legitimate character in the string. This is what the title meant by "single quotes escaped". Now, as my second input, I wanted to try supplying a backslash myself in front of the single quote, "\'alan", and this is how the code reacted:
var searchTerms = '\\'alan';
In the code above we can see that our backslash didn't get escaped, and since the code still escaped the single quote, we get two backslashes. This means that our backslash escapes the one the server added, making it a legitimate character and letting our single quote do its job of breaking out of the string.
There are a couple of other things we have to consider before we can fire an alert. We have to terminate the JavaScript statement with a semicolon, and we have to comment out the trailing single quote, since it would otherwise break our alert. With this in mind, this is what my final input that solved the lab looked like: "\';alert(1)//", and here it is inside the JavaScript code:
var searchTerms = '\\';alert(1)//';
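As an added example (not the lab's own server code), here is a minimal model of the escaping behaviour observed above next to a hardened escaper, with a small scanner that reports whether the reflected term stayed inside the string literal. The function names are my own, and the hardened version assumes the term is only ever placed inside a single-quoted JavaScript string literal within a script block:

```javascript
// Added example, not the lab's code: the escaping the lab's backend appears
// to apply (quote-only), a hardened escaper, and a scanner for the result.

// Vulnerable escaper: only single quotes get a backslash; a user-supplied
// backslash passes through and can neutralise the one the server adds.
function escapeSingleQuotesOnly(term) {
  return term.replace(/'/g, "\\'");
}

// Hardened escaper: backslashes first, then quotes, line terminators and the
// angle brackets that could close the surrounding <script> element.
function escapeForJsString(term) {
  return term
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/</g, "\\x3c")
    .replace(/>/g, "\\x3e");
}

// The line of client-side JavaScript the lab reflects the term into.
function buildScriptLine(escaper, term) {
  return "var searchTerms = '" + escaper(term) + "';";
}

// Walks the generated line the way a JS tokenizer would: a backslash
// consumes the next character, the first unescaped quote ends the literal.
// Returns what follows the closing quote; for a safe line that is just ";".
function trailerAfterLiteral(line) {
  const start = line.indexOf("'") + 1;
  for (let i = start; i < line.length; i++) {
    if (line[i] === "\\") { i++; continue; }   // escaped char, skip it
    if (line[i] === "'") return line.slice(i + 1);
  }
  return null;                                   // literal never closed
}

// True when the term could not escape the string literal.
function termStaysInString(escaper, term) {
  return trailerAfterLiteral(buildScriptLine(escaper, term)) === ";";
}

const PAYLOAD = "\\';alert(1)//";                 // the write-up's final input
console.log(buildScriptLine(escapeSingleQuotesOnly, PAYLOAD)); // var searchTerms = '\\';alert(1)//';
console.log(termStaysInString(escapeSingleQuotesOnly, PAYLOAD)); // false
console.log(termStaysInString(escapeForJsString, PAYLOAD));      // true
```

Running it reproduces the three reflections shown in this write-up and shows that escaping the backslash before the quote closes the gap.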
Thank you for taking the time to read this write-up! This is one of my first stories here on Medium, although some time may have passed and you may be reading this at a later date, so do make sure to check out the others that I have posted.