
07 - Reflected XSS into attribute with angle brackets HTML-encoded

This lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded. To solve this lab, perform a cross-site scripting attack that injects an attribute and calls the alert function.
" onfocus="alert('lol')" autofocus

There is a back link in the URL with the parameter name returnPath, which is called when the user goes back. We can use the javascript: protocol to run an alert function. The payload would be: javascript:alert(document.cookie)


(In my case, alert(1) also worked.)


Click on Back.

Lab solved.
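Both findings above have a fix in output handling, shown here as an added example that is not part of the original write-up or the lab's code: encoding quotes as well as angle brackets keeps the search term inside its attribute, and a returnPath check keeps javascript: URLs out of the back link. The function names, the input template and the placeholder origin are assumptions.

```javascript
// Added defensive example; all function names are hypothetical.
const PAYLOAD = `" onfocus="alert('lol')" autofocus`; // search term from the write-up

// Weak: encodes only angle brackets, which is what the lab's search page does.
function encodeAngleBracketsOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hardened: encode every character that is significant inside an attribute value.
function encodeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed template: the search term is reflected into a double-quoted value attribute.
function renderSearchInput(term, encode) {
  return `<input type="text" name="search" value="${encode(term)}">`;
}

// Simplified attribute scanner (double-quoted values only), enough to see
// which attribute names the reflected term produced.
function attributeNames(tag) {
  const re = /\s+([^\s"'=<>\/]+)(?:="([^"]*)")?/g;
  return [...tag.matchAll(re)].map((m) => m[1]);
}

// Back-link check: keep only same-site relative paths, otherwise fall back to "/".
function safeReturnPath(value) {
  const base = "https://site.invalid"; // placeholder origin used only for resolution
  let url;
  try {
    url = new URL(value, base);
  } catch {
    return "/";
  }
  // javascript:, data: and absolute or protocol-relative URLs resolve to another origin.
  if (url.origin !== base) return "/";
  return url.pathname + url.search + url.hash;
}

console.log(attributeNames(renderSearchInput(PAYLOAD, encodeAngleBracketsOnly)));
console.log(attributeNames(renderSearchInput(PAYLOAD, encodeAttr)));
console.log(safeReturnPath("javascript:alert(document.cookie)"), safeReturnPath("/post?postId=1"));
```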