Stored XSS into anchor href attribute with double quotes HTML-encoded
Description
The website in this lab contains a stored cross-site scripting vulnerability in the comment functionality.
Reproduction and proof of concept
Post a comment with a random alphanumeric string in the “Website” input, then use Burp Suite to intercept the request and send it to Burp Repeater.
Make a second request in the browser to view the post and use Burp Suite to intercept the request and send it to Burp Repeater.
The random string in the second Repeater tab has been reflected inside an anchor
hrefattribute.Repeat the process again, replacing the input with a payload to inject a JavaScript URL that calls alert:
javascript:alert(1)
Verify the technique worked by right-clicking, selecting Copy URL, and pasting the URL in the browser. Clicking the name above the comment should now trigger an alert.