LAB - 1

Reflected XSS into HTML context with nothing encoded

About
- This lab contains a simple reflected cross-site scripting vulnerability in the search functionality.
- To solve the lab, perform a cross-site scripting attack that calls the alert function.

(a) Lab Setup Page

(b) Search

<script>alert(1)</script>

LAB - 2

Reflected XSS into HTML context with nothing encoded

About
- This lab contains a stored cross-site scripting vulnerability in the comment functionality.
- To solve this lab, submit a comment that calls the alert function when the blog post is viewed.

(a) Lab Setup Page

Select : View Post

Add a Comment

<script>alert(1)</script>

Add NAME, EMAIL, WEBSITE

Post Comment

Go back to the Blog

Comments

LAB - 3

DOM XSS in `document.write` sink using source `location.search`

About
- This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality.
- It uses the JavaScript document.write function, which writes data out to the page.
- The document.write function is called with data from location.search, which you can control using the website URL.
- To solve this lab, perform a cross-site scripting attack that calls the alert function.

(a) Entering a Random Alpha-Numeric String in the Search

String : vnanditha1234
In the INSPECT : <img src="/resources/images/tracker.gif?searchTerms=vnanditha1234">

(b) Now Open Burp Suite

Open Browser
Paste the link
Turn ON Intercept
Send to Repeater

(c) Add the following to the Code

"><svg onload=alert(1)>

(d) In Website

LAB - 4

DOM XSS in innerHTML sink using source location.search

About
- This lab contains a DOM-based cross-site scripting vulnerability in the search blog functionality.
- It uses an innerHTML assignment, which changes the HTML contents of a div element, using data from location.search.
- To solve this lab, perform a cross-site scripting attack that calls the alert function.

(a) Search

<img src=1 onerror=alert(1)>

SOLVED

LAB - 5

DOM XSS in jQuery anchor href attribute sink using location.search source

About
- This lab contains a DOM-based cross-site scripting vulnerability in the submit feedback page.
- It uses the jQuery library's $ selector function to find an anchor element, and changes its href attribute using data from location.search.
- To solve this lab, make the back link alert document.cookie.

(a) Submit Feedback Page

On the Submit feedback page, change the query parameter returnPath to / followed by a random alphanumeric string.

Check the Inspect : vnanditha1234 will be placed inside the href attribute.

(b) Change returnPath

javascript:alert(document.cookie)

Hit back

We get the Alert Message

SOLVED

LAB - 6

DOM XSS in jQuery selector sink using a hashchange event

About
- This lab contains a DOM-based cross-site scripting vulnerability on the home page.
- It uses jQuery's $() selector function to auto-scroll to a given post, whose title is passed via the location.hash property.
- To solve the lab, deliver an exploit to the victim that calls the print() function in their browser.

(a) Lab Set up

Select : Go to Exploit Server

(b) Store & View Exploit

In the Body section, add the following malicious iframe :
- <iframe src="https://YOUR-LAB-ID.web-security-academy.net/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>

STORE THE EXPLOIT

Click View exploit to confirm that the print() function is called.

We can Observe that the Print Function is being called.

SOLVED

LAB - 7

Reflected XSS into attribute with angle brackets HTML-encoded

About
- This lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded.
- To solve this lab, perform a cross-site scripting attack that injects an attribute and calls the alert function.

(a) Search some Alpha Numeric String and use Burp

Send to Repeater

Replace the input with the following payload to escape the quoted attribute and inject an event handler:
- "onmouseover="alert(1)

SOLVED

LAB - 8

Stored XSS into anchor href attribute with double quotes HTML-encoded

About
- This lab contains a stored cross-site scripting vulnerability in the comment functionality.
- To solve this lab, submit a comment that calls the alert function when the comment author name is clicked.

(a) Lab Set up

LAB - 9

Reflected XSS into a JavaScript string with angle brackets HTML encoded

LAB - 10

DOM XSS in document.write sink using source location.search inside a select element

LAB - 11

DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded

LAB - 12

Reflected DOM XSS

LAB - 13

Stored DOM XSS

LAB - 14

Reflected XSS into HTML context with most tags and attributes blocked

LAB - 17

Reflected XSS in canonical link tag

About
- This lab reflects user input in a canonical link tag and escapes angle brackets.
- To solve the lab, perform a cross-site scripting attack on the home page that injects an attribute that calls the alert function.
- To assist with your exploit, you can assume that the simulated user will press the following key combinations:
  - ALT+SHIFT+X
  - CTRL+ALT+X
  - Alt+X
- Please note that the intended solution to this lab is only possible in Chrome.

(a) Open Burp Chrome Browser

Visit the following URL, replacing YOUR-LAB-ID with your lab ID
- https://YOUR-LAB-ID.web-security-academy.net/?%27accesskey=%27x%27onclick=%27alert(1)

SOLVED

Cross ‐ Site Scripting - NANDITHA90/PortSwigger-LABS GitHub Wiki

LAB - 1

Reflected XSS into HTML context with nothing encoded

LAB - 2

Reflected XSS into HTML context with nothing encoded

LAB - 3

DOM XSS in `document.write` sink using source `location.search`

LAB - 4

DOM XSS in innerHTML sink using source location.search

LAB - 5

DOM XSS in jQuery anchor href attribute sink using location.search source

LAB - 6

DOM XSS in jQuery selector sink using a hashchange event

LAB - 7

Reflected XSS into attribute with angle brackets HTML-encoded

LAB - 8

Stored XSS into anchor href attribute with double quotes HTML-encoded

LAB - 9

Reflected XSS into a JavaScript string with angle brackets HTML encoded

LAB - 10

DOM XSS in document.write sink using source location.search inside a select element

LAB - 11

DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded

LAB - 12

Reflected DOM XSS

LAB - 13

Stored DOM XSS

LAB - 14

Reflected XSS into HTML context with most tags and attributes blocked

LAB - 17

Reflected XSS in canonical link tag

⚠️ GitHub.com Fallback ⚠️

Cross ‐ Site Scripting - NANDITHA90/PortSwigger-LABS GitHub Wiki

LAB - 1

Reflected XSS into HTML context with nothing encoded

LAB - 2

Reflected XSS into HTML context with nothing encoded

LAB - 3

DOM XSS in document.write sink using source location.search

LAB - 4

DOM XSS in innerHTML sink using source location.search

LAB - 5

DOM XSS in jQuery anchor href attribute sink using location.search source

LAB - 6

DOM XSS in jQuery selector sink using a hashchange event

LAB - 7

Reflected XSS into attribute with angle brackets HTML-encoded

LAB - 8

Stored XSS into anchor href attribute with double quotes HTML-encoded

LAB - 9

Reflected XSS into a JavaScript string with angle brackets HTML encoded

LAB - 10

DOM XSS in document.write sink using source location.search inside a select element

LAB - 11

DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded

LAB - 12

Reflected DOM XSS

LAB - 13

Stored DOM XSS

LAB - 14

Reflected XSS into HTML context with most tags and attributes blocked

LAB - 17

Reflected XSS in canonical link tag

⚠️ **GitHub.com Fallback** ⚠️

DOM XSS in `document.write` sink using source `location.search`

⚠️ GitHub.com Fallback ⚠️