Reflected XSS into attribute with angle brackets HTML-encoded

https://portswigger.net/web-security/cross-site-scripting/contexts/lab-attribute-angle-brackets-html-encoded

Let's insert the following payload in the search field:

test_payload

We can now open Left Click > Inspect to open the developer tools and search for our payload.

We can see that our test_payload has been inserted into the value attribute of the <input> tag.

In order to generate an alert, we need to first escape the value attribute and then add an onmouseover event attribute.

test_payload" onmouseover="alert(1)

The alert will be displayed only when we hover over the input field with our mouse.
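As an added example that is not part of the lab or this write-up, the following JavaScript models the lab's search form on the server side: the encoder that escapes only angle brackets next to an attribute-safe encoder, plus a small attribute tokenizer that shows whether the payload above ends up as its own onmouseover attribute or stays inside value. All function names are my own.

```javascript
// Added example, not code from the lab. Models why encoding only < and >
// is not enough when untrusted input lands inside a quoted attribute.

// What the vulnerable page effectively does: only angle brackets are escaped,
// so a double quote in the input can close the value attribute.
function encodeAngleBracketsOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Attribute-safe encoding: &, " and ' are escaped as well, so the input can
// never terminate the surrounding quotes or start a new attribute.
function encodeForAttribute(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Renders the search input the way the lab's page reflects the term.
function renderSearchInput(term, encode) {
  return `<input type="text" name="search" value="${encode(term)}">`;
}

// Tokenizes one start tag into name/value pairs, honouring double quotes
// the way a browser's attribute parser does (enough for the <input> above).
function parseAttributes(tag) {
  const attrs = {};
  const inner = tag.replace(/^<\w+/, "").replace(/>$/, "");
  const re = /\s+([^\s=>]+)(?:="([^"]*)")?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    attrs[m[1]] = m[2] === undefined ? "" : m[2];
  }
  return attrs;
}

// Detection check over rendered markup: did any on<event> attribute appear?
function hasEventHandler(attrs) {
  return Object.keys(attrs).some((name) => /^on/i.test(name));
}

// Constructed input: the payload used in this write-up.
const payload = 'test_payload" onmouseover="alert(1)';
const weak = renderSearchInput(payload, encodeAngleBracketsOnly);
const safe = renderSearchInput(payload, encodeForAttribute);
console.log(weak, hasEventHandler(parseAttributes(weak)));   // true
console.log(safe, hasEventHandler(parseAttributes(safe)));   // false
```

With the attribute-safe encoder the whole payload, quotes included, stays inside the value attribute as inert text.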

We have solved the lab.
