I'm a total beginner and im trying to solve Portswigger Academy labs. I'm studying on XSS right now and im stuck in somewhere.
Lab Details:This lab demonstrates a reflected DOM vulnerability. Reflected DOM vulnerabilities occur when the server-side application processes data from a request and echoes the data in the response. A script on the page then processes the reflected data in an unsafe way, ultimately writing it to a dangerous sink.** To solve this lab, create an injection that calls the alert() function.//
So, there is a JSON file on the lab and it escapes quotation marks. There is something like this in response:
{"results":[],"searchTerm":"test"}
and to espace this I've done this:
GET /search-results?search=\"alert(1)}//
and response turns to this:
"results":[],"searchTerm":"\\" alert(1)}//"}
and everything is ok. I escaped the quotation marks. I've thought that if I enter the \"alert(1)}//
term on searchbox i can solve the lab, but it doesnt work. The only way to solve this lab is
\"+alert(1)}// or \"-alert(1)}//
But why do we need this +
and -
symbols?