Burp Suite User Forum

XSS contexts / XSS in HTML tag attributes

Dany | Last updated: Jan 06, 2020 01:12PM UTC

Hello. I am learning about XSS as you can see, and I can’t understand a little bit about that scriptable context: " autofocus onfocus=alert(document.domain) x=" , I understand what autofocus and onfocus do, but I have no idea about first quote --> " , and last part of this script, --> x=" . What are they for? There's explanation of this script: "The above payload creates an onfocus event that will execute JavaScript when the element receives the focus, and also adds the autofocus attribute to try to trigger the onfocus event automatically without any user interaction. Finally, it adds x=" to gracefully repair the following markup." What does x=" repair? Can someone please help me because I'm trying to figure out what is happening but I don't understand, please!

Hannah, PortSwigger Agent | Last updated: Jan 06, 2020 01:38PM UTC

The first quote mark is there to terminate the attribute value. For example: <h1 href="user input">. If the user inputs a ", this allows them to terminate the attribute tag early. They can then add another attribute tag, that can perform a function (see Lab: Reflected XSS into attribute with angle brackets HTML-encoded). This will still leave the closing quote tag for the original attribute value. Therefore, if we leave that it could cause an error to occur. In the case shown above, we add in x=" in order to prevent an error from occurring, and so repair the markup. So in our case, we would have <h1 href="" autofocus onfocus=alert(document.domain) x="">

Burp User | Last updated: Jan 07, 2020 10:21AM UTC

Thank you very much!! Now it's more clear for me!!

You need to Log in to post a reply. Or register here, for free.