Introduction to Stored XSS into anchor href attribute with double quotes HTML-encoded
Stored cross-site scripting (XSS) is a web security vulnerability in which malicious scripts or code are injected into a website and stored by it. In this lab, "Stored XSS into anchor href attribute with double quotes HTML-encoded", the injection point is the href attribute of an anchor, and a successful injection can compromise security and user data. To prevent XSS, website developers must validate user input, sanitize user-generated content, and implement robust security measures. Prioritizing web security in this way can significantly reduce the risk of XSS attacks and protect sensitive information.
Lab Solutions | Practical Work Time Stored XSS into anchor href
This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert function when the comment author name is clicked.
Stepwise solution of the lab:
I hope you have accessed the lab. Have a look at the posts.
Here, I chose this post, so let’s click on ‘View post’. [The title shown might be different from the one in my lab, so choose any of them.]
Scroll down and you can see that we can comment, as a comment section is provided.
To understand the functionality that can lead to stored XSS (cross-site scripting), we first post a comment with some simple text and see what happens.
So, having posted the comment, click on ‘Back to blog’.
Look carefully: the site we entered, fake.com or whatever, is shown in the ‘href’ attribute of the author link. If you click on “Fake Name”, it will redirect you to the site you entered. So now we will use our brain and, instead of entering a site URL, we will use a payload.
javascript:alert(1)
Let’s post this comment and see what will happen.
Well, the lab has been solved. But we’re not finished yet. Let’s understand what actually happened; for that, we have to click ‘Back to blog’.
So here in the ‘href’ attribute we find the payload we entered. Right? Let’s click on the ‘Name’ and see it work. [I used “Name” as the author name, so don’t be confused; click on whatever name you entered.]
So yeah, it’s working as stored XSS (cross-site scripting).
I hope you understood how this functionality works and the whole concept of this lab. 🙂
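As an added example (not code from the lab or from the original article), the JavaScript below contrasts a renderer that only HTML-encodes the website field, which is the behaviour the lab title describes, with one that also allowlists the URL scheme before writing it into href. The function names, the id="author" markup and the http/https allowlist are assumptions made for illustration.

```javascript
// Added example: constructed comment renderer, not the lab's real code.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]); // assumed policy

// HTML-encode the characters that matter inside a double-quoted attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Weak pattern: encoding stops the value from breaking out of the
// attribute, but the URL scheme is never checked, so a javascript: URL
// is stored and later runs when the author name is clicked.
function renderAuthorWeak(name, website) {
  return `<a id="author" href="${escapeAttr(website)}">${escapeAttr(name)}</a>`;
}

// Returns a normalised absolute URL if its scheme is allowlisted, else null.
// The URL parser lowercases the scheme and drops embedded tabs/newlines,
// much as a browser does, so obfuscated spellings are caught as well.
function safeHref(website) {
  let url;
  try {
    url = new URL(String(website).trim());
  } catch {
    return null; // malformed or relative input (e.g. a bare "fake.com")
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Hardened pattern: validate the scheme first, then encode for the attribute.
// A rejected website is dropped and the name is rendered as plain text.
function renderAuthorHardened(name, website) {
  const safeName = escapeAttr(name);
  const href = safeHref(website);
  if (href === null) return `<span id="author">${safeName}</span>`;
  return `<a id="author" href="${escapeAttr(href)}" rel="nofollow noopener">${safeName}</a>`;
}
```

Validation belongs where the comment is saved and again where it is rendered, so values stored before the check was introduced are covered too.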
Stay tuned for upcoming labs and keep continuing the series.
I hope you enjoyed reading this article. Once you have completed it, we highly recommend that you study the next article: Reflected XSS into a JavaScript string with angle brackets HTML encoded. Please don’t forget to leave a comment here and share it with your friends as well. Good luck!
Thank you for reading. If this article really helped you, do share it with your mates.
And follow @masaudsec on Twitter.
FAQS
Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.
Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.
It is always a good practice to use an up-to-date browser with timely updates. Keep your browser plugins up-to-date, avoid malicious websites and links, and always enable 2-factor authentication while avoiding clickjacking.
Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.