0

I'm a total beginner and I'm trying to solve PortSwigger Academy labs. I'm studying XSS right now and I'm stuck somewhere.

Lab Details: This lab demonstrates a reflected DOM vulnerability. Reflected DOM vulnerabilities occur when the server-side application processes data from a request and echoes the data in the response. A script on the page then processes the reflected data in an unsafe way, ultimately writing it to a dangerous sink. To solve this lab, create an injection that calls the alert() function.

So, there is a JSON file on the lab and it escapes quotation marks. There is something like this in response:

{"results":[],"searchTerm":"test"}

and to escape this I've done this:

GET /search-results?search=\"alert(1)}//

and response turns to this:

"results":[],"searchTerm":"\\" alert(1)}//"}

and everything is OK. I escaped the quotation marks. I thought that if I entered the \"alert(1)}// term in the search box I could solve the lab, but it doesn't work. The only way to solve this lab is \"+alert(1)}// or \"-alert(1)}//

But why do we need this + and - symbols?

UndercoverDog
kgngkbyrk

1 Answer

0

That is because you are in the context of a string inside a JavaScript object. So you need to keep the string in a correct format for the payload to execute. By including the + or - you make sure the string does not break.

Plus is a proper way to concatenate strings. Concatenating a string with a void function results in the string "undefined" being added to the original and is therefore a valid statement.

Dash or minus does a subtraction from the string, which in JavaScript results in NaN and is therefore allowed too.

Christiaan
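The following is an added example, not code from the question, the answer or PortSwigger's lab. It models the situation the answer describes: the server echoes the search term inside a JSON object, and a page script hands that text to an eval-style sink. Two things are assumptions rather than facts from the thread: that the sink is `eval('var obj = ' + responseText)` (here compiled with `new Function` so that nothing actually executes), and that the server escapes double quotes in `searchTerm` but leaves backslashes alone, which is why the asker's `\"` arrives as `\\"`. The example checks which payloads the sink would accept, shows the `+`/`-` arithmetic the answer relies on, and contrasts the eval sink with `JSON.parse`, which treats the same response purely as data.

```javascript
// Added example (not from the question, answer or PortSwigger).
// Assumption: the vulnerable page does `eval('var obj = ' + responseText)`.
// Assumption: the server escapes " as \" in searchTerm and nothing else.

// Constructed stand-in for the server-side reflection.
function buildServerResponse(searchTerm) {
  const escaped = searchTerm.replace(/"/g, '\\"');
  return '{"results":[],"searchTerm":"' + escaped + '"}';
}

// Mirrors an eval-style sink, but only compiles the code (new Function does
// not run the body), so we learn whether the sink WOULD execute the payload
// without executing anything ourselves.
function evalSinkAccepts(responseText) {
  try {
    new Function('var obj = ' + responseText);
    return true;   // valid JavaScript: an eval sink would run it
  } catch (e) {
    return false;  // SyntaxError: the payload breaks the script instead
  }
}

// The safe sink: JSON.parse never executes anything, and a response that is
// not valid JSON is rejected outright.
function jsonSinkSearchTerm(responseText) {
  try {
    return JSON.parse(responseText).searchTerm;
  } catch (e) {
    return null;
  }
}

// Why + and - are needed: after the server's escaping, the reflected value
// starts with the string literal "\\", so what follows must continue a valid
// expression. alert() returns undefined; both operators below accept that.
function concatWithUndefined(s) { return s + undefined; }  // "abc" -> "abcundefined"
function subtractUndefined(s) { return s - undefined; }    // "abc" -> NaN

// Walk through the three search terms from the question.
function summarize() {
  const terms = ['test', '\\"alert(1)}//', '\\"+alert(1)}//', '\\"-alert(1)}//'];
  return terms.map(term => {
    const response = buildServerResponse(term);
    return {
      term,
      response,
      evalSinkAccepts: evalSinkAccepts(response),
      jsonSinkSearchTerm: jsonSinkSearchTerm(response),
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(summarize());
}
```

Running it shows the asker's observation: `\"alert(1)}//` produces `"\\"alert(1)}//"}`, which is a string literal immediately followed by an identifier, so the eval sink throws a SyntaxError and nothing runs. With `+` or `-` the same text compiles, because `"\\"+alert(1)` and `"\\"-alert(1)` are ordinary expressions. `JSON.parse` rejects all three payloads and returns the plain search term for the benign input, which is the fix a defender would apply to this sink.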