You are currently viewing Reflected XSS in a JavaScript URL with some characters blocked

Reflected XSS in a JavaScript URL with some characters blocked

Introduction to Reflected XSS in a JavaScript URL with some characters blocked

Reflected Cross-Site Scripting (XSS) in a JavaScript URL with blocked characters is a web security vulnerability where untrusted user input is not properly sanitized or validated. To mitigate this risk, JavaScript URLs can be used directly in the browser’s address bar or HTML attributes. However, if input validation is inadequate, attackers can bypass restrictions and inject malicious scripts, leading to unauthorized actions, data theft, and compromised user accounts. To minimize this vulnerability, web developers should implement comprehensive input validation and output encoding practices, prioritize web security, follow secure coding practices, and conduct regular security audits.

Lab Solutions | Practical Work Time XSS in a JavaScript URL

This lab reflects your input in a JavaScript URL, but all is not as it seems. This initially seems like a trivial challenge; however, the application is blocking some characters in an attempt to prevent XSS attacks.

To solve the lab, perform a cross-site scripting attack that calls the alert function with the string 1337 contained somewhere in the alert message.

Stepwise Solution of the lab:-

After accessing the lab you can see there are lots of posts. (Scroll down a little bit)

But here we have nothing to do with those things. We will directly jump on URL. And inject this below payload.


After putting a ” / ” I simply wrote the payload. Now press enter and let’s see what will happen.

Well! We’ve successfully solved this lab.

Scroll down until the end. Here we found a button called Back to Blog. Click on it.

Well, we got a prompt or you can say Reflected XSS (Cross-site Scripting).

Be ready for its other parts 🙂

I hope you had loved reading this article after you had completed this article we highly recommend you to study the next article: Reflected XSS with AngularJS sandbox escape without strings, please don’t forget to leave a comment over here and share it with your friends as well, Good Luck!

Thank you for reading, if this article really helps you then do share it with your mates.
And follow @masaudsec on Twitter.


What is web security?

Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.

What is web application security?

Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.

Which of the following is a good security practice for web browsing?

It is always a good practice to use an up-to-date browser with timely updates. Keep your browser plugins up-to-date, avoid malicious websites and links, and always enable 2-factor authentication while avoiding clickjacking.

How to find someone’s social security number on the dark web

Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.

Leave a Reply