This lab contains a reflected cross-site scripting (XSS) vulnerability in the search blog functionality where angle brackets are HTML-encoded.
Perform a cross-site scripting attack that injects an attribute and calls the alert function.
Even if you manage to trigger alert() yourself, it might not execute in the victim’s browser. You may need to test with different attributes and event handlers until you find one that works reliably.
The application HTML-encodes the < and > characters, so direct injection of tags such as <script> or <img> is not possible.
However, user input is being placed inside an HTML attribute, e.g.:
<input type="text" value="USER-INPUT">
This makes it possible to break out of the attribute value and inject a new attribute.
Inject an attribute with an event handler:
" onfocus="alert(1)
Alternative payload using mouse interaction:
" onmouseover="alert(1)
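Once injected, the rendered input element carries an additional attribute, and the template's own closing quote terminates the injected handler's value. For example, with test placed in front of the payload: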
<input type="text" value="test" onfocus="alert(1)">
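The root cause and its fix, as an added example that is not the lab's server code: the two encoders, the renderSearchInput template and the attribute check are assumptions written for illustration. It renders the reflection point with angle-bracket-only encoding and with quote-aware encoding, then checks whether the resulting tag carries any attribute the template did not write.

```javascript
// Added example: encoders and template are assumptions, not the lab's server code.

// Weak: mirrors the behaviour the lab describes (only < and > are encoded).
function encodeAngleBracketsOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened: also encodes &, " and ', so input cannot terminate a quoted attribute value.
function encodeForAttribute(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical template matching the reflection point shown above.
function renderSearchInput(userInput, encode) {
  return `<input type="text" value="${encode(userInput)}">`;
}

// Minimal parser for one tag with double-quoted attributes: returns attribute names in order.
function attributeNames(tag) {
  const names = [];
  const re = /([^\s"'<>\/=]+)\s*=\s*"([^"]*)"/g;
  const inner = tag.replace(/^<\w+/, "").replace(/>$/, "");
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Regression check: the rendered tag must carry only the attributes the template wrote.
function introducesAttribute(userInput, encode) {
  const names = attributeNames(renderSearchInput(userInput, encode));
  return names.some((n) => n !== "type" && n !== "value");
}

// Constructed sample inputs; the last one is the payload from this page.
const samples = ["test", "<script>", '" onfocus="alert(1)'];
for (const s of samples) {
  console.log(JSON.stringify(s),
    "weak:", introducesAttribute(s, encodeAngleBracketsOnly),
    "hardened:", introducesAttribute(s, encodeForAttribute));
}
```

With the quote-aware encoder the payload stays inside value as inert text, so the same check can run as a regression test against any template that reflects input into a quoted attribute.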