April 28, 2026 · apsyleg · 1 min read
#portswigger #xss #template-literal #javascript #web-security

Reflected XSS in a Template Literal

Lab

Reflected XSS into a JavaScript template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped · Practitioner

Reconnaissance

The search term is reflected inside a JavaScript template literal. The filter Unicode-escapes angle brackets, single and double quotes, backslashes and backticks, so the literal cannot be closed early, but the ${} interpolation syntax is left untouched and code placed inside ${} is evaluated when the literal is built.

Exploitation

Final payload:

${alert(25)}

Lab solved.
