LAB 28 - Reflected XSS in a JavaScript URL with some characters blocked

Initial instructions

This lab reflects your input in a JavaScript URL, but all is not as it seems. This initially seems like a trivial challenge; however, the application is blocking some characters in an attempt to prevent XSS attacks.

To solve the lab, perform a cross-site scripting attack that calls the alert function with the string 1337 contained somewhere in the alert message.

To solve this lab I used the following XSS payload.

&'},x=x=>{throw/**/onerror=alert,1337},toString=x,window+'',{x:'

Where we need to inject this payload is to any random post in the website and inject it in the url.

Congratulations, you solved the lab!