Reflected XSS into HTML Context with most tags and attributes blocked
XSS Practitioner

Reflected XSS into HTML Context with most tags and attributes blocked

İbrahim Taha İstikbal
İbrahim Taha İstikbal

Objective

PoC(Proof of Concept) - common tags are not allowed

Try to inject a usual alert() script such as

<img src=1 onerror=print()>

but it is not going to work. Because website has WAF(Web Application Firewall), so you need to figure out how to bypass it.

  1. Open the burp repeater.
  2. Go to the HTTP history tab and find the GET /search? request and send it to Intruder.
  3. Place $ signs for adding a fuzzer parameter like in the below image.
  4. Visit the XSS Cheat Sheet and click “Copy tags to clipboard”.
  5. In Burp Intruder, in the Payloads tab, click “Paste” to paste payloads into the list.
  6. Click “Start” attack.
  7. When the attack is finished, review the results. Realized nearly all the payloads caused an HTTP 400 response, except for the body payload, which caused a 200 response.
  8. Go back to the Burp Intruder and replace your search term with:
<body%20=1>

You found a valid tag already, now you must find a valid event handler. Place the cursor before the = character and click “Add $$” twice to create a payload position.

<body%20$$=1>

  1. First, visit the XSS Cheat Sheet and click “Copy events to clipboard”.
  2. In Burp Intruder, click Clear to remove previous payloads and paste events to the clipboard.
  3. Click Start attack, when the attack is finished, review the results. Realize nearly all payloads caused a HTTP 400 response, except for the onresize and onratechange events, which caused a 200 response.

Lastly, you need to go to your exploit server and paste the following code to the body part, then you need to replace YOUR-LAB-ID with your lab ID:

<iframe
  src="https://YOUR-LAB-ID.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=print()%3E"
  onload="this.style.width"
  ="100px"
></iframe>

Let’s break this code piece by piece:

  • First we need a iframe for victim user’s interaction.
  • src attribute includes our payload, which is going to call the print() function on the user’s browser.
  • onload event, sets the size of the iframe(pixels) when the frame is loaded.

Click store and Deliver exploit to the victim and lab should have been solved.

Reflected XSS into HTML Context with most tags and attributes blocked
Prev post

Reflected XSS into HTML context with all tags blocked except custom ones
Next post

Reflected XSS into HTML context with nothing encoded

Reflected XSS into HTML Context with most tags and attributes blocked

You may also like

See all XSS
Reflected XSS with AngularJS expression escape and CSP
XSS Expert

Reflected XSS with AngularJS expression escape and CSP

The first step of the payload is to set the location property which is a built-in JavaScript object that represents the URL of the current page, and setting it to a new URL is constructed using a template string that includes the following components...

İbrahim Taha İstikbal
İbrahim Taha İstikbal
Reflected XSS with AngularJS Sandbox Escape without Strings
XSS Expert

Reflected XSS with AngularJS Sandbox Escape without Strings

View the page source and observe that your canary is between the angularJS script. Remember that you are dealing with angularJS sandbox, that means regular attack vectors are not going to work. For being able to deliver a successfull XSS attack you have to bypass the angularJS sandbox.

İbrahim Taha İstikbal
İbrahim Taha İstikbal
Stored XSS into Onclick Event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
XSS Practitioner

Stored XSS into Onclick Event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped

Try to inject another input to the Website input field. But this time make sure you use single quotes in your input, then observe single quotes has been escaped by backslash.

İbrahim Taha İstikbal
İbrahim Taha İstikbal