- The site is blocking common tags but misses some SVG tags and events.
-
Inject a standard XSS payload, such as:
<img src=1 onerror=alert(1)> -
Observe that this payload gets blocked. In the next few steps, we’ll use Burp Intruder to test which tags and attributes are being blocked.
-
Open Burp’s browser and use the search function in the lab. Send the resulting request to Burp Intruder.
-
In Burp Intruder, in the Positions tab, click “Clear §“.
-
In the request template, replace the value of the search term with:
<> -
Place the cursor between the angle brackets and click “Add §” twice to create a payload position. The value of the search term should now be:
<§§> -
Visit the XSS cheat sheet and click “Copy tags to clipboard”.
-
In Burp Intruder, in the Payloads tab, click “Paste” to paste the list of tags into the payloads list. Click “Start attack”.
-
When the attack is finished, review the results. Observe that all payloads caused an HTTP 400 response, except for the ones using the
<svg>,<animatetransform>,<title>, and<image>tags, which received a 200 response. -
Go back to the Positions tab in Burp Intruder and replace your search term with:
<svg><animatetransform%20=1> -
Place the cursor before the
=character and click “Add §” twice to create a payload position. The value of the search term should now be:<svg><animatetransform%20§§=1> -
Visit the XSS cheat sheet and click “Copy events to clipboard”.
-
In Burp Intruder, in the Payloads tab, click “Clear” to remove the previous payloads. Then click “Paste” to paste the list of attributes into the payloads list. Click “Start attack”.
-
When the attack is finished, review the results. Note that all payloads caused an HTTP 400 response, except for the
onbeginpayload, which caused a 200 response.https://YOUR-LAB-ID.web-security-academy.net/?search=%22%3E%3Csvg%3E%3CaniVisit the following URL in the browser to confirm that the alert() function is called and the lab is solved: