Task
This lab reflects user input in a canonical link tag and escapes angle brackets.
To solve the lab, perform a cross-site scripting attack on the home page that injects an attribute that calls the alert
function.
To assist with your exploit, you can assume that the simulated user will press the following key combinations:
ALT+SHIFT+X
CTRL+ALT+X
Alt+X
Please note that the intended solution to this lab is only possible in Chrome.
Attempt
The website reflects a request url directly into the href
attribute of the <link rel="canonical">
tag without escaping.
So you can use a payload like this:
https://https://0aa1003c0440c57680f20d8600820079.web-security-academy.net/?%27accesskey=%27x%27onclick=%27alert(1)
Here acesskey
attribute specifies a shortcut key. In Chrome on linux, you can press Alt+X
and it will trigger alert(1)
.