Labs Covered

This write-up focuses on the following APPRENTICE-level labs from the PortSwigger Web Security Academy related to Cross-site scripting (XSS):

1 Reflected XSS into HTML context with nothing encoded

This lab demonstrates a reflected XSS vulnerability where no output encoding is performed in the HTML context.

2 Stored XSS into HTML context with nothing encoded

This lab shows how stored XSS can occur when user input is stored and later rendered without encoding.

3 DOM XSS in document.write sink using source location.search

This lab explores DOM-based XSS vulnerabilities via `document.write()` using URL query parameters as a source.

4 DOM XSS in innerHTML sink using source location.search

This lab shows DOM XSS occurring when `innerHTML` is assigned unsanitized URL parameter values.

5 DOM XSS in jQuery anchor href attribute sink using location.search source

This lab demonstrates DOM XSS by manipulating jQuery selectors that use anchor `href` attributes sourced from URL parameters.

6 DOM XSS in jQuery selector sink using a hashchange event

This lab shows how DOM XSS can be triggered through jQuery selectors reacting to the `hashchange` event.

7 Reflected XSS into attribute with angle brackets HTML-encoded

This lab explores reflected XSS where angle brackets are encoded but the payload still executes.

8 Stored XSS into anchor href attribute with double quotes HTML-encoded

This lab demonstrates stored XSS in anchor href attributes even when double quotes are encoded.

9 Reflected XSS into a JavaScript string with angle brackets HTML encoded

This lab shows how reflected XSS can occur inside JavaScript strings despite angle bracket encoding.

LAB 1 - Reflected XSS into HTML context with nothing encoded

Lab Description

Solution

There is a search functionality that takes the user input and uses it to generate the next HTML code.

Searching “<script>alert(1)</script>” you see the alert popping:

After alert pop lab will be solved

LAB 2 - Stored XSS into HTML context with nothing encoded

Lab Description

Solution

There is a functionality to post comments in each blog post:

If you check the blog post again you see the alert popping:

After alert pop lab will be solved

LAB 3 - DOM XSS in document.write sink using source location.search

Lab Description

Solution

There is a search function in “/?search=”:

In the source code we see the sink:

We can pop an alert with the payload:

"><script>alert(1)</script>

After alert pop lab will be solved

LAB 4 - DOM XSS in innerHTML sink using source location.search

Lab Description

Solution

There is a search function in “/?search=”:

In the source code we see the sink:

The HTML content of the searchMessage, a span HTML element, is generated from the content of the “search” GET parameter of the request. We can pop an alert with the payload:

<img src=x onerror=alert(1) />

After alert pop lab will be solved

LAB 5 - DOM XSS in jQuery anchor href attribute sink using location.search source

Lab Description

Solution

This is the sink in the “Submit Feedback” page:

And the url of the “Submit Feedback” page is https://0af5007903b0426b803b4e9100cb0023.web-security-academy.net/feedback?returnPath=/:

It is possible to use a Javascript url link


/feedback?returnPath=javascript:alert(document.cookie)

After alert pop lab will be solved

LAB 6 - DOM XSS in jQuery selector sink using a hashchange event

Lab Description

Solution

This is the problematic code in the Home page:

$(window).on('hashchange', function(){
    var post = $('section.blog-list h2:contains(' + decodeURIComponent(window.location.hash.slice(1)) + ')');
    if (post) post.get(0).scrollIntoView();
});