📌 Info

This lab contains a reflected cross-site scripting (XSS) vulnerability in the search query tracking functionality.

Angle brackets < > are HTML-encoded, but the reflection occurs inside a JavaScript string.


🎯 Goal

Perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function.


⚠️ Vulnerability


🛠️ Exploitation Steps

  1. Submit a random alphanumeric string in the search box (e.g., abc123).

  2. Using Burp Suite Repeater, observe that it is reflected in the response:

    var q = 'abc123';
    
    
  3. Replace the input with the payload:

    '-alert(1)-'
    
    
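  4. The quotes in the payload close the original string and open a new one, so the response becomes an expression that calls alert(1) when it is evaluated: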

    var q = ''-alert(1)-'';
    
    

  5. Copy the crafted URL, paste it in the browser, and load the page.

  6. An alert(1) popup is triggered → exploit successful. ✅
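
The fix for this class of bug is to encode for the context the value lands in. The following is an added example, not part of the original writeup or the lab's code: it places the lab's angle-bracket-only encoding beside a JavaScript-string encoder and runs both generated scripts with a stub in place of alert. The function names renderWeak, jsStringEscape, renderSafe and evaluate are hypothetical.

```javascript
// Added example; all function names here are hypothetical.

// Mirrors the behaviour described above: only angle brackets are HTML-encoded,
// then the value is placed inside a single-quoted JavaScript string.
function renderWeak(input) {
  const encoded = input.replace(/</g, '&lt;').replace(/>/g, '&gt;');
  return "var q = '" + encoded + "';";
}

// Context-aware encoding for a JavaScript string literal: every UTF-16 code
// unit outside [A-Za-z0-9 ] becomes a \uXXXX escape, so quotes, backslashes,
// line terminators and angle brackets can never end the literal.
function jsStringEscape(input) {
  return input.replace(/[^A-Za-z0-9 ]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderSafe(input) {
  return "var q = '" + jsStringEscape(input) + "';";
}

// Runs a generated script with a counting stub passed in as `alert`, and
// reports how often the stub was called and what value q ended up holding.
function evaluate(script) {
  let calls = 0;
  const stub = () => { calls += 1; };
  const q = new Function('alert', script + ' return q;')(stub);
  return { calls, q };
}

// Inputs taken from steps 1 and 3 of the writeup.
for (const input of ['abc123', "'-alert(1)-'"]) {
  for (const render of [renderWeak, renderSafe]) {
    const script = render(input);
    const { calls, q } = evaluate(script);
    console.log(`${render.name}: ${script} -> alert calls=${calls}, q=${String(q)}`);
  }
}
```

With the safe encoder, q holds the submitted text verbatim and the stub is never called; with the weak one, the stub runs once and q is NaN because the string has been turned into a subtraction.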