Burp Suite Academy Lab – Reflected XSS into attribute with angle brackets HTML-encoded

This lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded. To solve this lab, perform a cross-site scripting attack that injects an attribute and calls the alert function.

"><script>alert(document.domain)</script>

Checking the Burp Suite Academy cross-site scripting cheat sheet, we find that when angle brackets are blocked or HTML-encoded, the input cannot break out of the tag in which it appears, so the payload above is rendered harmlessly as text inside the value attribute. What is still possible is to close the attribute value itself with a double quote and append a new attribute, for example an event handler such as onmouseover, since the application encodes only < and > and reflects the " unchanged. Before trying this, confirm in the Burp Repeater response (or the page source) that the double quote is reflected literally and not as &quot;; if it were encoded as well, this technique would not work either.

As we can observe, we have properly escaped from the attribute value and added an event handler attribute to the input tag (a payload of the form " onmouseover="alert(document.domain)), so that when the mouse moves over the element the alert function is executed. The payload contains no angle brackets at all, which is why the encoding does not stop it.
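The following is an added example, not code from the original post or from PortSwigger's lab: it models the reflection point described above (the search term placed inside the value="" attribute of an input, with only angle brackets encoded) and shows why the tag-breakout payload fails while the attribute-injection payload succeeds, next to a hardened encoder that escapes quotes as well. The function names (encodeAnglesOnly, encodeAttribute, renderSearchInput, attributeNames) and the input markup are assumptions; the lab's real server code is not visible.

```javascript
// Added example (not the lab's code). Models the search page's reflection point.

// Vulnerable encoder: like the lab, it HTML-encodes only < and >.
function encodeAnglesOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened encoder: also escapes &, " and ', so the value can never
// terminate the attribute it sits in.
function encodeAttribute(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Assumed reflection point: the search term lands inside value="...".
function renderSearchInput(term, encode) {
  return `<input type="text" name="search" value="${encode(term)}">`;
}

// Lists the attribute names of the first <input ...> tag, roughly the way a
// browser tokenizer would split them. Simplified on purpose: it handles the
// single tag built above, it is not a general HTML parser.
function attributeNames(html) {
  const tag = html.match(/<input\b([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const attr = /\s+([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// True when the rendered tag gained an event-handler attribute (on*).
function injectsEventHandler(term, encode) {
  return attributeNames(renderSearchInput(term, encode)).some((n) => n.startsWith("on"));
}

// Constructed payloads: the first attempt from the post, then the attribute injection.
const TAG_BREAKOUT = '"><script>alert(document.domain)</script>';
const ATTR_INJECTION = '" onmouseover="alert(document.domain)';

// Stand-alone run: show both payloads against both encoders.
for (const [label, encode] of [["angles-only", encodeAnglesOnly], ["attribute", encodeAttribute]]) {
  console.log(`${label}: tag breakout  -> ${renderSearchInput(TAG_BREAKOUT, encode)}`);
  console.log(`${label}: attr injection -> ${renderSearchInput(ATTR_INJECTION, encode)}`);
  console.log(`${label}: event handler injected? ${injectsEventHandler(ATTR_INJECTION, encode)}`);
}
```

With the angles-only encoder the tag-breakout payload produces no <script> tag, but the attribute injection yields value="" followed by a live onmouseover attribute; with the attribute encoder the whole payload stays inside the quoted value. The fix is the encoder, not a blocklist: every character that can close the current context has to be escaped.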
