This lab reflects user input in a canonical link tag and escapes angle brackets.
To solve the lab, perform a cross-site scripting attack that injects an attribute that calls the
To assist with your exploit, you can assume that the simulated user will press the following key combinations:
Please note that the intended solution to this lab is only possible in Chrome.
Visit the following URL, replacing
your-lab-id with your lab ID:
This sets the
X key as an access key for the whole page. When a user presses the access key, the
alert function is called.
To trigger the exploit on yourself, press one of the following key combinations: