Reflected XSS with some SVG markup allowed
Description
This lab has a simple reflected XSS vulnerability. The site is blocking common tags but misses some SVG tags and events.
To solve the lab, perform a cross-site scripting attack that calls the alert() function.
Approach
After accessing the lab, I initially tried to inject some HTML tags with scripts to test for XSS, but I encountered this error:
"Tag is not allowed"
To determine if all tags were blocked, I sent the request to Burp Suite Intruder and added a payload marker around the tag. I then pasted a list of all tags from the XSS cheat sheet into the payload settings in the Payloads tab and launched the attack.
GET /?search=<§tag§> HTTP/2
Host: 0a27007303e9820280059f9a00da0056.web-security-academy.net
Cookie: session=TGgBVFhEZuUiwMiBBbqu75diEgAAIuNO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
...
After launching the attack, I found out that the image, text, svg, and animatetransform tags were allowed. I went back to the cheat sheet and found that svg and animatetransform could be used together to build a payload. To get the right event handler with them, I needed to brute-force that as well using Intruder. So I set up this request, copied the list of events from the cheat sheet, and launched the attack:
GET /?search=<svg><animatetransform%20§§> HTTP/2
Host: 0a27007303e9820280059f9a00da0056.web-security-academy.net
Cookie: session=TGgBVFhEZuUiwMiBBbqu75diEgAAIuNO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
...
After launching the attack, I saw that the onbegin event was allowed, so I built this final payload:
<svg><animatetransform onbegin=alert("hacked")>
After injecting that payload, I got an alert box, which solved the lab.
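The filter this writeup exposes is a blocklist: it rejects well-known tags and lets anything it never listed through. As an added example, not part of the original writeup, the Python below contrasts a blocklist check modelled on that behaviour with an allowlist check that rejects unknown tags and any on* attribute; both tag lists are constructed assumptions, and the final payload above is the test input.

```python
from html.parser import HTMLParser

# Constructed assumption: a blocklist shaped like the lab's filter seems to be
# (well-known tags only, no SVG entries) and a small allowlist for contrast.
BLOCKED_TAGS = {"script", "img", "iframe", "body", "object", "embed", "a"}
ALLOWED_TAGS = {"b", "i", "em", "strong", "p"}


class TagCollector(HTMLParser):
    """Records every (tag, attribute names) pair a browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, matching browsers.
        self.tags.append((tag, [name for name, _ in attrs]))


def tags_in(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def blocklist_filter(markup):
    """Mimics the lab's check: reject only if a listed tag appears."""
    for tag, _ in tags_in(markup):
        if tag in BLOCKED_TAGS:
            return "Tag is not allowed"
    return markup  # svg, animatetransform and their events are never examined


def allowlist_filter(markup):
    """Reject any tag not explicitly permitted and any on* event attribute."""
    for tag, attr_names in tags_in(markup):
        if tag not in ALLOWED_TAGS:
            return "Tag is not allowed"
        if any(name.startswith("on") for name in attr_names):
            return "Attribute is not allowed"
    return markup


PAYLOAD = '<svg><animatetransform onbegin=alert("hacked")>'  # from the writeup

if __name__ == "__main__":
    print(blocklist_filter("<script>alert(1)</script>"))  # Tag is not allowed
    print(blocklist_filter(PAYLOAD))  # passes through unchanged
    print(allowlist_filter(PAYLOAD))  # Tag is not allowed
```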