- This lab reflects user input in a canonical link tag and escapes angle brackets.
-
Visit the following URL, replacing
YOUR-LAB-IDwith your lab ID:https://YOUR-LAB-ID.web-security-academy.net/?%27accesskey=%27x%27onclick=%27alert(1)This sets the
Xkey as an access key for the whole page. When a user presses the access key, thealertfunction is called. -
To trigger the exploit on yourself, press one of the following key combinations:
- On Windows:
ALT+SHIFT+X - On MacOS:
CTRL+ALT+X - On Linux:
Alt+X
- On Windows: