DEV Community

Kenny Cipher

Cross-site scripting – Stored XSS into anchor href attribute with double quotes HTML-encoded | PortSwigger Lab Note #2

Tools:

  1. browser

  2. Burp Suite

Vulnerability Summary:

  • Type:

Stored XSS

  • Description:

The user-supplied website value is stored and later rendered inside the href attribute of an anchor element. Double quotes are HTML-encoded, so the attribute cannot be broken out of, but the URL scheme is never validated, so a javascript: URL is accepted as-is and executes when the link is clicked.

Steps to Exploit:

1. Submit a probe value in the website field and note that it is not echoed in the immediate response; it is stored and only rendered when the page that lists it is loaded later, which makes this stored rather than reflected XSS.

2. View the source of that page and find the stored website value inside the href attribute of an anchor element. Double quotes are HTML-encoded, so a payload cannot close the attribute and open a new tag.

3. Submit javascript:alert(1) as the website value. It contains none of the characters the encoder touches, so it lands unchanged in href, and the alert fires when a user clicks the link (a javascript: URL in href runs on click, not on page load).

Remediation:

The application should apply context-aware output encoding so that user-supplied data is never interpreted as markup or script. A value placed inside an attribute must be HTML-encoded for that attribute context before it is rendered.

Encoding alone is not enough for a URL attribute, because javascript:alert(1) contains nothing an HTML encoder changes. Values rendered into href or src also need their URL scheme validated against an allow-list (for example only http and https) rather than a block-list for "javascript:": browsers ignore case in the scheme and strip tab and newline characters from it before parsing, so variants with mixed case or an embedded tab would slip past a simple string match. Using a framework with built-in, context-aware XSS protection and deploying a Content Security Policy (CSP) further reduce the impact of any remaining gap.
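The steps above and the remediation together, as an added example that is not code from the PortSwigger lab or from this post. It models the website value reaching an anchor href once with the lab's behaviour (double quotes HTML-encoded, scheme unchecked) and once with a scheme allow-list. The anchor markup, the site base URL, the block-list function and the sample inputs are assumptions made for this example; it runs under Node.js, whose built-in URL class is the WHATWG parser and applies the same scheme normalisation a browser does.

```javascript
// Added example (not code from the lab or the post): a model of how the
// website value reaches an anchor href. The markup, the site base URL,
// the block-list check and the sample inputs are assumptions made here.
// Runs under Node.js; URL is the built-in WHATWG URL parser.

// HTML-encode a value for use inside a double-quoted attribute.
// The lab application already does this, so "breaking out" of href fails.
function encodeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable rendering (the lab's behaviour): the attribute is quoted and
// encoded, but the scheme is never checked, so javascript: passes through.
function renderCommentVulnerable(author, website) {
  return `<a href="${encodeAttr(website)}">${encodeAttr(author)}</a>`;
}

// A block-list check of the kind a first fix might use (assumed, not from
// the lab). Browsers lowercase the scheme and strip tab/newline before
// matching it, so mixed case or an embedded tab defeats this test.
function blockListAllows(website) {
  return !/^javascript:/.test(website);
}

// Allow-list check: parse with the browser's own URL rules and keep only
// http(s). Relative values resolve against the site base and inherit its
// scheme; unparsable values are rejected rather than guessed at.
const SITE_BASE = 'https://blog.example/'; // assumed site base URL
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function normalizeWebsite(website) {
  let parsed;
  try {
    parsed = new URL(website, SITE_BASE);
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Hardened rendering: validate the scheme first, emit the normalised URL,
// then encode for the attribute context. Rejected values get no link.
function renderCommentSafe(author, website) {
  const href = normalizeWebsite(website);
  if (href === null) {
    return `<span>${encodeAttr(author)}</span>`;
  }
  return `<a href="${encodeAttr(href)}">${encodeAttr(author)}</a>`;
}

// Constructed sample inputs: the lab payload, a break-out attempt that the
// encoding already stops, an obfuscated scheme, and a benign site.
const SAMPLES = {
  lab: 'javascript:alert(1)',
  breakout: '"><script>alert(1)</script>',
  obfuscated: ' JaVa\tScRiPt:alert(document.domain)',
  benign: 'https://example.com/',
};

for (const [name, website] of Object.entries(SAMPLES)) {
  console.log(name);
  console.log('  vulnerable:', renderCommentVulnerable('Kenny', website));
  console.log('  block-list:', blockListAllows(website) ? 'allows' : 'rejects');
  console.log('  allow-list:', normalizeWebsite(website) === null ? 'rejects' : 'allows');
  console.log('  hardened  :', renderCommentSafe('Kenny', website));
}
```

Run it with `node` and compare the four rows per sample: the encoder neutralises the break-out attempt in both renderers, the block-list lets the obfuscated scheme through while the allow-list rejects it, and only the benign site ends up as a link in the hardened output. Validation happens on the parsed scheme, not on the raw string, which is why the allow-list and the browser agree on what the value means.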

Lessons Learned:

This lab shows that XSS can occur in attribute contexts such as href even when double quotes are HTML-encoded, because in a URL attribute the scheme, not the quoting, is the attack surface. By working out where user input lands in the HTML structure, an attacker can craft a context-specific payload such as a javascript: URL that needs no characters the encoder would alter. Defenses must therefore combine context-aware output encoding with allow-list validation of the URI scheme.
