Reflected XSS with Most Tags and Attributes Blocked
Lab
Reflected XSS into HTML context with most tags and attributes blocked · Practitioner
Solution
From the lab description we figure we'll probably need Burp Intruder to try to find a tag outside the WAF filters. Throw <svg> into the search field at random — "Tag is not allowed".
OK, copy the request into Intruder, set the variable on the value of the search parameter. Head to the PortSwigger cheatsheet, Copy tags to clipboard, paste those 143 tags into the payloads field. Go.
Our candidates — xss and body.
Okay, let's try to find allowed attributes on body.
In the cheatsheet, find body and click Copy events to clipboard. Add those to Intruder as the payload list and tweak the request position slightly:
GET /?search=<body §> HTTP/2
Interesting candidate: onresize.
Let's build the payload from an iframe whose onload handler changes its own width. Resizing the frame fires the onresize event on the body we inject into the framed page.
OK, first version of the payload:
<iframe src="https://0af40062043186e8833af680009500e2.web-security-academy.net/?search=<body onresize=print()>" onload=this.width=100>
Deliver this payload via the exploit server.
Lab solved.
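The reason the lab falls is a blocklist: the filter knows the usual tags and event handlers but forgot body and onresize, so the reflected value reaches the page as live markup. The snippet below is an added illustration, not the lab's actual filter or PortSwigger's code. It models a hypothetical blocklist of the same shape next to the hardened alternative, which simply HTML-encodes the reflected search term so no tag or attribute can be injected regardless of which names the list missed. The blocked-tag and blocked-attribute sets and the response template are constructed for this example.

```python
import html
import re

# Hypothetical blocklist in the spirit of the lab's WAF (constructed here,
# not the lab's real list): it covers common tags and event handlers but,
# like the lab, omits <body> and onresize.
BLOCKED_TAGS = {"script", "img", "svg", "iframe", "object", "embed",
                "a", "input", "video", "audio"}
BLOCKED_ATTRS = {"onload", "onerror", "onclick", "onmouseover",
                 "onfocus", "src", "href", "style"}

TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")
ATTR_RE = re.compile(r"\b([a-zA-Z][a-zA-Z0-9-]*)\s*=")

# Constructed response template standing in for the search results page.
TEMPLATE = "<h1>0 search results for '{}'</h1>"


def blocklist_filter(search):
    """Blocklist approach: reject known-bad tag/attribute names,
    otherwise reflect the raw value into the page."""
    for m in TAG_RE.finditer(search):
        if m.group(1).lower() in BLOCKED_TAGS:
            return "Tag is not allowed"
    for m in ATTR_RE.finditer(search):
        if m.group(1).lower() in BLOCKED_ATTRS:
            return "Attribute is not allowed"
    return TEMPLATE.format(search)


def encode_reflection(search):
    """Hardened approach: HTML-encode the value for the HTML text context
    it lands in, so '<', '>', '&' and quotes can never open markup."""
    return TEMPLATE.format(html.escape(search, quote=True))


def reflects_markup(page):
    """Detection helper: True if the reflected value would be parsed as a
    tag, i.e. a literal '<' directly followed by a letter survives."""
    reflected = page.split("search results for ", 1)[-1]
    return re.search(r"<[a-zA-Z]", reflected) is not None


if __name__ == "__main__":
    probes = ["<svg>", "<b onload=x>", "<body onresize=print()>"]
    for p in probes:
        print(f"{p!r:32} blocklist -> {blocklist_filter(p)}")
        print(f"{'':32} encoded   -> {encode_reflection(p)}")
```

The blocklist rejects the obvious probes but lets `<body onresize=...>` through, which is exactly what the Intruder run found. Output encoding has no such gap because it never tries to enumerate what is dangerous. A frame-ancestors CSP directive or X-Frame-Options header on the target would additionally stop the iframe-based delivery from the exploit server, but it does not fix the reflection itself.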