Reflected XSS with Some SVG Markup Allowed
XSS Practitioner

Reflected XSS with Some SVG Markup Allowed

İbrahim Taha İstikbal
İbrahim Taha İstikbal

Objective

Inject a standard XSS payload such as:

As the lab dictates you can observe this payload gets blocked.

Simple Payload

<img src=1 onerror=alert(1)>

You need to find a valid tag in order to deliver a successfull attack. One way to do this is testing the tags manually one by one or you can choose a better way which is fuzzing the tag names with Burp Intruder.

  1. Use the search function in the lab.
  2. Go to the Burp’s HTTP history and send that request to the Burp Intruder.
  3. Set the payload like the following:

4.Visit the XSS cheatsheet and click copy tags to clipboard.

5.In the Payloads tab, paste the list of tags. Click Start attack.

6.After attack has ended, review the results. Observe that nearly all payloads caused an HTTP 400 response, except for the ones using the <svg>, <animatetransform>, <title>, and <image> tags, which received a 200 response.

7.So you have few options, for instance you can choose the <svg> tag to start with.

8.Now you must find a unblocked event handler for the <svg> tag.

9.Inject the payload, but it is not going to work.

Note: For some reason, payload with the <svg> tag is not working. So you need try to other possible tags that you found in the 6th step.

I have done some research and if you look into the XSS cheatsheet, it is possible to see child tags for the <svg> tag.

If you dive into the XSS cheatsheet, it is possible to see how to craft a payload with the child tags. Look at the following example:

10.Go back to the Positions tab in Burp Intruder and replace your search term with:

<svg><animatetransform%20 =1>

11.Add the cursor before the = sign to create a paylad position. Like the following:

<svg><animatetransform%20§§=1>

12.Visit the XSS cheatsheet and click copy events to clipbaord, paste them into the paylaod list tab and click Start attack.

13.When the attack is finished, review the results. Note that all payloads caused an HTTP 400 response, except for the onbegin payload, which caused a 200 response.

14.Lastly, it is time to craft the final payload:

<svg><animatetransform onbegin=alert(1)>

15.Visit the following URL in the browser to confirm that the alert() function is called and the lab is solved:

https://YOUR-LAB-ID.web-security-academy.net/?search=%22%3E%3Csvg%3E%3Canimatetransform%20onbegin=alert(1)%3E
Reflected XSS with Some SVG Markup Allowed
Prev post

Reflected XSS with Event Handlers and href Attributes Blocked
Next post

Stored DOM XSS

Reflected XSS with Some SVG Markup Allowed

You may also like

See all XSS
Reflected XSS with AngularJS expression escape and CSP
XSS Expert

Reflected XSS with AngularJS expression escape and CSP

The first step of the payload is to set the location property which is a built-in JavaScript object that represents the URL of the current page, and setting it to a new URL is constructed using a template string that includes the following components...

İbrahim Taha İstikbal
İbrahim Taha İstikbal
Reflected XSS with AngularJS Sandbox Escape without Strings
XSS Expert

Reflected XSS with AngularJS Sandbox Escape without Strings

View the page source and observe that your canary is between the angularJS script. Remember that you are dealing with angularJS sandbox, that means regular attack vectors are not going to work. For being able to deliver a successfull XSS attack you have to bypass the angularJS sandbox.

İbrahim Taha İstikbal
İbrahim Taha İstikbal
Stored XSS into Onclick Event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped
XSS Practitioner

Stored XSS into Onclick Event with angle brackets and double quotes HTML-encoded and single quotes and backslash escaped

Try to inject another input to the Website input field. But this time make sure you use single quotes in your input, then observe single quotes has been escaped by backslash.

İbrahim Taha İstikbal
İbrahim Taha İstikbal