
LAB 8 - Stored XSS into anchor href attribute with double quotes HTML-encoded

Initial instructions

This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert function when the comment author name is clicked.

To complete this lab I used the following XSS payload.

javascript:alert(1)

So I entered this payload into the Website section and clicked post comment.


Then we can trigger the XSS by clicking the comment author name. If we hover over it, we see that the link points to javascript:alert(1), which means clicking it will trigger the XSS.


Congratulations, you solved the lab!
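The lab works because encoding double quotes keeps input inside the `href` attribute but never looks at the URL scheme. The following is an added example, not code from the lab or the original writeup, showing that gap next to a scheme allowlist; all function names are hypothetical and the sample inputs are constructed.

```javascript
// Added example: encoding quotes vs. validating the scheme of an href value.
// Function names are hypothetical; they are not taken from the lab application.

// HTML-attribute encoding, covering the double-quote encoding named in the lab title.
function encodeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// "Before": the value is encoded but its scheme is never inspected.
function renderAuthorEncodedOnly(name, website) {
  return `<a href="${encodeAttr(website)}">${encodeAttr(name)}</a>`;
}

// Returns a normalized http(s) URL, or null for any other scheme or unparsable input.
function safeWebsite(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch {
    return null; // relative or malformed values are rejected, not guessed at
  }
  return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
}

// "After": render the author name without a link when the scheme is not allowed.
function renderAuthorHardened(name, website) {
  const href = safeWebsite(website);
  return href === null
    ? `<span>${encodeAttr(name)}</span>`
    : `<a href="${encodeAttr(href)}">${encodeAttr(name)}</a>`;
}

// Constructed sample inputs: one normal site, the writeup's payload, two other rejects.
const samples = ["https://example.com/", "javascript:alert(1)", "mailto:bob@example.com", "example.com"];
for (const s of samples) {
  console.log(JSON.stringify(s));
  console.log("  encoded only:", renderAuthorEncodedOnly("bob", s));
  console.log("  hardened:    ", renderAuthorHardened("bob", s));
}
```

A Content Security Policy that disallows inline script gives a second layer, since browsers treat `javascript:` navigations as inline script under CSP.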