Level 8: Script Context Breakout

MISSION: The server securely JSON-encodes your input, preventing quote breakouts. But is JSON-encoding enough when the data is placed directly inside an HTML <script> block?

Welcome back,

/// SOURCE CODE INSPECTOR ///

// Backend Node.js (Express-style handler; this is the deliberately vulnerable code)
let payload = req.query.payload || "Guest";

// The developer uses JSON.stringify to "safely" pass data to the frontend.
// JSON.stringify escapes quotes and backslashes, so the JS string literal
// itself cannot be broken out of. It does NOT escape <, > or &, so the HTML
// tokenizer still sees a literal </script> inside the string.
const injectedScript = `<script>
    const userData = ${JSON.stringify(payload)};
    document.getElementById('user-display').innerText = userData;
</script>`;

// Response sink implied by the challenge: the block is reflected into the page
// with no further encoding.
res.send(injectedScript);

/// DECRYPTION COMPLETE ///

JSON.stringify() is safe against string breakouts (a quote or backslash in the payload is escaped, so the JS string literal stays intact), but it does not encode angle brackets or ampersands. The browser's HTML tokenizer runs before the JS engine ever sees the script: in the "script data" state it ends the element at the first </script it meets, regardless of whether that text sits inside a JS string literal. Everything after it is parsed as fresh HTML, so a new <script> element in the payload executes. The fix is to escape the characters that matter to the HTML tokenizer after JSON-encoding (< as \u003c, > as \u003e, & as \u0026, and the line terminators U+2028/U+2029), which keeps the value valid as both JSON and a JS string literal.

Payload:

</script><script>alert(1)</script>
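The vulnerable template next to a hardened version, as an added example (not the challenge's own code). The attacker input is the payload above, constructed inline; renderVulnerable is the challenge's pattern, jsonForScript and renderSafe are the fix, and countScriptCloses is a rough stand-in for the tokenizer's decision (counting "</script" occurrences) that the browser would make. The round-trip check shows the escaped literal still decodes to the original value.

```javascript
// Added example: JSON.stringify alone vs. JSON.stringify plus HTML-aware escaping
// when embedding user data inside a <script> block. Constructed input, no server.

// The challenge's vulnerable pattern: JSON-encode and drop straight into <script>.
function renderVulnerable(payload) {
  return `<script>
    const userData = ${JSON.stringify(payload)};
    document.getElementById('user-display').innerText = userData;
</script>`;
}

// Hardened variant: after JSON.stringify, rewrite the characters the HTML
// tokenizer cares about (and the two line terminators that are legal in JSON
// strings but historically not in JS string literals) as \uXXXX escapes.
// \uXXXX is valid in both JSON and JS, so the value is unchanged when parsed.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(payload) {
  return `<script>
    const userData = ${jsonForScript(payload)};
    document.getElementById('user-display').innerText = userData;
</script>`;
}

// Approximates the tokenizer's "script data" state: a script element ends at
// the first "</script" (case-insensitive), no matter what JS context it is in.
// Counting occurrences shows how many script boundaries the browser would see.
function countScriptCloses(html) {
  const matches = html.match(/<\/script/gi);
  return matches ? matches.length : 0;
}

// Constructed attacker input: the challenge payload.
const PAYLOAD = '</script><script>alert(1)</script>';

console.log('vulnerable closes:', countScriptCloses(renderVulnerable(PAYLOAD))); // 3
console.log('hardened closes:  ', countScriptCloses(renderSafe(PAYLOAD)));       // 1
console.log('round trip ok:    ', JSON.parse(jsonForScript(PAYLOAD)) === PAYLOAD); // true
```

The hardened output contains no literal "</script" at all, so the tokenizer reaches the template's own closing tag; only one script element exists and userData holds the attacker's string as inert text. The same escaping is what you want for JSON dropped into a <script type="application/json"> island, for the same reason.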