- Submit a random alphanumeric string in the search box, then use Burp Suite to intercept the search request and send it to Burp Repeater.
Try sending the payload
test'payloadand observe that your single quote gets backslash-escaped, preventing you from breaking out of the string.
Replace your input with the following payload to break out of the script block and inject a new script:
- Verify the technique worked by right clicking, selecting "Copy URL", and pasting the URL in the browser. When you load the page it should trigger an alert.