This lab contains a reflected XSS vulnerability with some whitelisted tags, but all events and anchor href attributes are blocked.
To solve the lab, perform an attack that injects a vector that, when clicked, calls the alert function.
Note that you need to label your vector with the word "Click" in order to induce the simulated lab user to click your vector. For example:
<a href="">Click me</a>
After accessing the lab, I initially tried to inject some HTML tags with scripts to test for XSS, but I encountered this error:
To determine if all tags were blocked, I sent the request to Burp Suite Intruder and added a payload marker around the tag. I then pasted a list of all tags from the XSS cheat sheet into the payload settings in the Payloads tab and launched the attack.
After launching the attack, I noticed a request with a 200 status code where the payload was svg. This indicated that the svg tag could be used. However, since event handlers and href attributes were blocked, I needed another approach. After some Googling and reading XSS cheat sheets, I found an interesting payload:
Here's a breakdown of this payload:
svg: Since this tag bypassed the filter, I used it.
animate: The payload uses the <animate> element to set the href attribute of the <a> tag to javascript:alert(1).
text: This displays "Click me" on the page.
When the SVG is rendered in the browser, it interprets the <animate> element's instruction to set the href attribute of the <a> element to javascript:alert(1). This trick bypasses the WAF's block on the href attribute: no href attribute appears literally in the injected markup, so the filter has nothing to match, yet the attribute exists once the browser applies the animation. When a user clicks on the "Click me" text, the href attribute's value (javascript:alert(1)) is executed, triggering the JavaScript code and displaying an alert box with the message "1".
By injecting this payload into the search bar, I saw an alert box pop up, indicating that the lab was solved.