
I am testing a reflected XSS vulnerability on the following URL parameter:

https://public-firing-range.appspot.com/reflected/url/css_import?q=payload

When I test with JavaScript payloads such as:

javascript:alert(1)

or the payloads generated by XSStrike, no pop-up appears in the browser.

After inspecting the source code of the page, I found it looks like this:

<html>
  <head>
    <link rel="stylesheet" href="payload" />
  </head>
  <body>
  </body>
</html>

It seems that the parameter q is directly injected into the href attribute of a <link> tag.

How can I solve it?

  • Look up CSS injection. Based on the project home page, it seems the site is meant for testing automated scanners, so this would be something a scanner should flag. In this case, solving it doesn't mean popping an alert box. Commented Jun 7 at 14:30
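
Added example, not part of the original question or of the Firing Range code: a server-side sketch of the sink described above (a query parameter written into the `href` of a stylesheet `<link>`) next to a hardened version that only emits allowlisted HTTPS stylesheet URLs. The allowlisted origin and all function names are assumptions made for illustration.

```javascript
// Constructed allowlist: the only origins stylesheets may be loaded from.
const ALLOWED_STYLE_ORIGINS = new Set(["https://static.example.com"]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern from the question: q reaches href unchanged, so the
// page loads whatever stylesheet URL the request supplies.
function renderVulnerable(q) {
  return `<link rel="stylesheet" href="${q}" />`;
}

// Return the normalized URL if it is absolute, HTTPS, carries no
// credentials and is on the allowlist; otherwise return null.
function safeStylesheetUrl(q) {
  let url;
  try {
    url = new URL(q); // no base given: relative and scheme-relative input throws
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;      // rejects javascript:, data:, http:
  if (url.username || url.password) return null;   // rejects user@host confusion
  if (!ALLOWED_STYLE_ORIGINS.has(url.origin)) return null;
  return url.href;
}

// Hardened rendering: omit the tag entirely when validation fails.
function renderHardened(q) {
  const safe = safeStylesheetUrl(q);
  if (safe === null) return "";
  return `<link rel="stylesheet" href="${escapeAttr(safe)}" />`;
}
```

A `style-src` Content-Security-Policy that restricts stylesheet origins is a complementary control on the browser side.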
