Reflected XSS into HTML context with nothing encoded

In this post we will walk step by step through how to solve Reflected XSS into HTML context with nothing encoded on PortSwigger. This lab’s difficulty is Apprentice and it is the first lab in the Cross-Site Scripting labs on PortSwigger.

Link to lab: https://portswigger.net/web-security/cross-site-scripting/reflected/lab-html-context-nothing-encoded

To start the lab click the ‘Access the Lab’ button.

When we begin the lab we will be greeted with a blog page featuring a search field and a variety of blog posts. Don’t worry if the content differs from the screenshot; PortSwigger Labs can modify the content each time the lab is initiated.

To start our test let’s begin by using the ‘Search for blog’ field. Type ‘test’ into the search field and then click the ‘SEARCH’ button. This action will load the page with ‘test’ being reflected back and prominently displayed on the page.

To conduct a Cross-Site Scripting (XSS) test we can utilize the ‘alert’ function within script tags. Use the following payload:

<script>alert(1)</script>

Insert this payload into the search field and then click the ‘SEARCH’ button to test the payload.

Upon executing the search we will notice the ‘alert’ function in action, displaying an alert with the number 1. This demonstrates a successful injection of JavaScript into the page.
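To show why the payload fires here and what the lab’s title means by “nothing encoded”, the following is an added example written for this post, not code from PortSwigger or the lab itself. It models a hypothetical search-results template that reflects the query into the HTML body twice: once exactly as received (the lab’s flaw) and once after HTML entity encoding, which is the fix. The function and variable names are assumptions; only the payload string comes from the post.

```javascript
// Added example (not the lab's or the post's code): reflecting a search
// query into HTML context, unencoded versus HTML-encoded.

// Hypothetical page template that reflects the query exactly as received.
// This is the behaviour the lab exposes: the payload becomes live markup and
// the browser executes the script element.
function renderUnencoded(query) {
  return `<h1>${query}</h1>`;
}

// HTML-encode the five characters that can change meaning in HTML text and
// attribute contexts. Encoding output at the point it is written into the
// page is what "nothing encoded" is missing.
function encodeHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Same template with the query encoded before insertion; the browser now
// renders the payload as visible text instead of executing it.
function renderEncoded(query) {
  return `<h1>${encodeHtml(query)}</h1>`;
}

// Review check: does a probe string submitted by the user come back in the
// response body verbatim? If so, the reflection point is unencoded.
function reflectsRawMarkup(responseBody, probe) {
  return responseBody.includes(probe);
}

// The payload quoted in the post.
const PAYLOAD = "<script>alert(1)</script>";

console.log("unencoded:", renderUnencoded(PAYLOAD));
console.log("encoded:  ", renderEncoded(PAYLOAD));
console.log("raw reflection present:", reflectsRawMarkup(renderUnencoded(PAYLOAD), PAYLOAD));
```

Run with `node`: the unencoded line prints the payload as markup a browser would execute, while the encoded line prints `&lt;script&gt;alert(1)&lt;/script&gt;`, which a browser displays as literal text. The same `reflectsRawMarkup` check is the quick way to confirm in a captured response whether a reflection point encodes its output or not.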

By successfully executing JavaScript on the web page we’ve effectively solved the lab!

That completes the lab! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!

Jarrod