Reflected XSS with some SVG markup allowed

Description

This lab has a simple reflected XSS vulnerability. The site is blocking common tags but misses some SVG tags and events.

To solve the lab, perform a cross-site scripting attack that calls the alert() function.

Approach

After accessing the lab, I initially tried to inject some HTML tags with scripts to test for XSS, but I encountered this error:

"Tag is not allowed"

To determine if all tags were blocked, I sent the request to Burp Suite Intruder and added a payload marker around the tag. I then pasted a list of all tags from the XSS cheat sheet into the payload settings in the Payloads tab and launched the attack.

GET /?search=<§tag§> HTTP/2
Host: 0a27007303e9820280059f9a00da0056.web-security-academy.net
Cookie: session=TGgBVFhEZuUiwMiBBbqu75diEgAAIuNO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
...

After launching the attack, I found out that image, text, svg, and animatetransform tags were allowed. I went back to the cheat sheet and found that svg and animatetransform could be used together to build a payload. To get the right event handler with them, I needed to brute-force that as well using Intruder. So I set up this request, copied the list of events from the cheat sheet, and launched the attack:

GET /?search=<svg><animatetransform%20§§> HTTP/2
Host: 0a27007303e9820280059f9a00da0056.web-security-academy.net
Cookie: session=TGgBVFhEZuUiwMiBBbqu75diEgAAIuNO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
...

After launching the attack, I saw that the onbegin event was allowed, so I built this final payload:

<svg><animatetransform onbegin=alert("hacked")>

After injecting that payload, I got an alert box, which solved the lab.
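The reason the lab's filter fails is structural: it rejects known-bad tag names, so any element or event handler the list does not mention (here the SVG `animatetransform` element and its `onbegin` handler) sails through. The defensive fix is to invert the logic and allowlist the few elements and attributes the feature actually needs, dropping every `on*` attribute regardless of element. The following Python is an added illustration, not code from the lab or from PortSwigger; the denylist contents, the allowlisted tags and the helper names are assumptions chosen for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed denylist in the style the lab's filter appears to use.
# It is deliberately incomplete, which is the whole problem: it says
# nothing about <svg> or <animatetransform>.
DENYLISTED_TAGS = {"script", "img", "iframe", "body", "input", "object", "embed"}

# Hypothetical allowlist for a search echo: a handful of formatting
# elements, one attribute on <a>, and only http(s) link targets.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = ("http://", "https://")

# The payload the write-up ends with, used as a constructed test input.
LAB_PAYLOAD = '<svg><animatetransform onbegin=alert("hacked")>'


def denylist_filter(fragment):
    """Mimic the lab's 'Tag is not allowed' check: reject only if a
    denylisted tag name appears, otherwise pass the input through."""
    lowered = fragment.lower()
    for tag in DENYLISTED_TAGS:
        if f"<{tag}" in lowered:
            return None  # "Tag is not allowed"
    return fragment


class AllowlistSanitizer(HTMLParser):
    """Rebuild the fragment keeping only allowlisted elements/attributes.
    Text content is always HTML-escaped on the way out."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the element; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                continue  # every event handler attribute is dropped, whatever the element
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not (value or "").lower().startswith(SAFE_URL_SCHEMES):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form such as <br/>: emit the start tag only.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))


def sanitize(fragment):
    """Return an allowlist-sanitized version of an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("denylist :", repr(denylist_filter(LAB_PAYLOAD)))  # passes through unchanged
    print("allowlist:", repr(sanitize(LAB_PAYLOAD)))          # nothing executable survives
    print("benign   :", repr(sanitize('<b>hi</b><a href="javascript:alert(1)">x</a>')))
```

Running it shows the contrast directly: the denylist returns the write-up's payload untouched because neither tag name is on its list, while the allowlist sanitizer reduces the same input to an empty string and still keeps ordinary markup such as `<b>hi</b>`. The `on*` check is intentionally element-agnostic, so no newly discovered SVG element or event name can reintroduce the bug.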