Introduction to Reflected XSS with event handlers and href attributes blocked
Reflected Cross-Site Scripting (XSS) with event handlers and href attributes blocked is a web security vulnerability in which untrusted user input is not properly sanitized or validated, leading to malicious script execution. Web developers block these attributes to prevent script execution. However, inadequate input validation or sanitization can allow attackers to bypass these measures, resulting in unauthorized actions, data theft, or compromised user accounts. To mitigate this vulnerability, developers should implement rigorous input validation and output encoding. Prioritizing web security, secure coding practices, and regular security audits helps minimize the risk of XSS vulnerabilities, protecting web applications and user data and maintaining a secure online environment.
Lab Solutions | Practical Work Time XSS with event handlers
This lab contains a reflected XSS vulnerability with some whitelisted tags, but all events and anchor href attributes are blocked.
To solve the lab, perform a cross-site scripting attack that injects a vector that, when clicked, calls the alert function.
Note that you need to label your vector with the word “Click” in order to induce the simulated lab user to click your vector. For example: <a href="">Click me</a>
Stepwise solution of the lab:
After accessing the lab, we first notice that it has “Search” functionality and that there are lots of posts (scroll down a little).
We don't need any of those here, though. We go directly to the URL and inject the payload below.
?search=%3Csvg%3E%3Ca%3E%3Canimate+attributeName%3Dhref+values%3Djavascript%3Aalert(1)+%2F%3E%3Ctext+x%3D20+y%3D20%3EClick%20me%3C%2Ftext%3E%3C%2Fa%3E
After putting a “/”, I simply wrote the payload. Now press Enter and let’s see what happens.
BOOM! We’ve solved this lab successfully.
Here you can see a button named Click me. Click on it and let’s see what happens.
Well, we got a prompt, or you can say Reflected XSS (Cross-site Scripting).
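Why a rule that only looks at attribute names lets the search value above through, shown as an added example that is not part of the lab or the original article. The two filter functions are a hypothetical model of "events and href blocked", and the tokenizer is a simplification rather than a real HTML parser.

```javascript
// Constructed sample: the URL-decoded search value shown on this page.
const PAGE_PAYLOAD =
  '<svg><a><animate attributeName=href values=javascript:alert(1) />' +
  '<text x=20 y=20>Click me</text></a>';

// Simplified tag tokenizer (assumption: enough for this demo, not a full HTML parser).
function parseTags(html) {
  const tags = [];
  for (const m of html.matchAll(/<([a-zA-Z][\w:-]*)([^>]*)>/g)) {
    const attrs = {};
    for (const a of m[2].matchAll(/([^\s=\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g)) {
      attrs[a[1].toLowerCase()] = (a[2] || '').replace(/^["']|["']$/g, '');
    }
    tags.push({ tag: m[1].toLowerCase(), attrs });
  }
  return tags;
}

const isBlockedName = (n) => n.startsWith('on') || n === 'href' || n === 'xlink:href';

// Hypothetical model of the lab's rule: reject event-handler and href attributes by name.
function nameOnlyFilterAllows(html) {
  return parseTags(html).every(({ attrs }) => !Object.keys(attrs).some(isBlockedName));
}

// Hardened rule: also reject attributeName values that point at a blocked attribute,
// because the animation then writes that attribute on the parent element.
function animationAwareFilterAllows(html) {
  return parseTags(html).every(({ attrs }) => {
    if (Object.keys(attrs).some(isBlockedName)) return false;
    return !isBlockedName((attrs['attributename'] || '').toLowerCase());
  });
}

// Output encoding: the reflected value is rendered as text, so no tags are left to filter.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

console.log('name-only filter allows payload:', nameOnlyFilterAllows(PAGE_PAYLOAD));
console.log('animation-aware filter allows payload:', animationAwareFilterAllows(PAGE_PAYLOAD));
console.log('tags left after encoding:', parseTags(escapeHtml(PAGE_PAYLOAD)).length);
```

The payload never contains an attribute literally named href or on*, only attributeName and values, which is why the name-only check passes it. Encoding the reflected value on output removes the need to enumerate dangerous tags and attributes at all.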
Be ready for its other parts 🙂
I hope you loved reading this article. Once you have completed it, we highly recommend studying the next article: Reflected XSS in a JavaScript URL with some characters blocked. Please don’t forget to leave a comment here and share it with your friends as well. Good luck!
Thank you for reading. If this article really helped you, do share it with your mates.
And follow @masaudsec on Twitter.
FAQS
Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.
Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.
It is always a good practice to use an up-to-date browser with timely updates. Keep your browser plugins up-to-date, avoid malicious websites and links, and always enable 2-factor authentication while avoiding clickjacking.
Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.