14) Reflected XSS into HTML context with most tags and attributes blocked

Locate possible injection points

As usual, the first step is to analyse the application. We have a search functionality, so let's search for a random string, then open the developer tools and find where the user input is located in the HTML.

In the search box let's put a normal tag.

When we click on search we get "Tag is not allowed".

So there is a blacklist mechanism that blocks tags.

Send the search request to Burp and forward it to Intruder.

  • In Burp Intruder, in the Positions tab, replace the value of the search term with: <>

  • Place the cursor between the angle brackets and click "Add §" twice, to create a payload position. The value of the search term should now look like: <§§>

  • Visit the XSS cheat sheet and click "Copy tags to clipboard".

  • In Burp Intruder, in the Payloads tab, click "Paste" to paste the list of tags into the payloads list. Click "Start attack".

Then sort by status to find the one with a 200 status.

Now let's try to use the body tag to trigger an XSS.

And the app also blacklists attributes.

Again, doing the same thing, let's find the allowed attributes.

  • Visit the XSS cheat sheet and click "copy events to clipboard".

  • In Burp Intruder, in the Payloads tab, click "Clear" to remove the previous payloads. Then click "Paste" to paste the list of attributes into the payloads list. Click "Start attack".

When the attack is finished, review the results. Note that all payloads caused an HTTP 400 response.

Now, using the allowed tag and attributes, let's construct an XSS payload.

Searching the PortSwigger XSS cheat sheet I found a payload using the onresize attribute, which is allowed:

xxxx"<body onresize="print()">

If we resize the page, the print dialog is shown.

So the payload is triggered successfully.

Now let's go to the exploit server and deliver this payload to the victim.

We need to put our payload in an iframe and send it to the victim.

The print command needs to be performed automatically without any user interaction. Therefore I need a way to enforce the resize event without requiring the victim to do it.

For this I use an iframe that contains the search and resizes itself on load:

<iframe src="https://0a5e00a603f682d58171d9c200cb004c.web-security-academy.net/?search=xxxx"<body onresize="print()">" onload=this.style.width='250px'></iframe>

I URL-encode the entire search term to ensure nothing goes amiss inside the iframe:

<iframe src="https://0a5e00a603f682d58171d9c200cb004c.web-security-academy.net/?search=%78%78%78%78%22%3c%62%6f%64%79%20%6f%6e%72%65%73%69%7a%65%3d%22%70%72%69%6e%74%28%29%22%3e" onload=this.style.width='250px'></iframe>

Deliver it to the victim now and the lab is solved.
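As an added example that is not part of the original writeup: the application-side fix for this lab class is to HTML-entity encode the reflected search term instead of blacklisting tags and attributes. The Python below renders a constructed stand-in for the search-result page both ways (the template markup and the result count are assumptions, the payload is the one quoted above) and audits the output for event-handler attributes, which is the check a reviewer or a test suite would run against the reflection point.

```python
import html
from html.parser import HTMLParser

# Constructed template standing in for the lab's search page (assumption: the
# real page echoes the term into a heading; this is not the lab's own markup).
TEMPLATE = "<section class=blog-header><h1>{count} search results for '{term}'</h1></section>"

# The payload quoted in the writeup above.
PAYLOAD = 'xxxx"<body onresize="print()">'


def render_unsafe(term: str, count: int = 0) -> str:
    """Reflect the term verbatim into the HTML text context (the vulnerable behaviour)."""
    return TEMPLATE.format(count=count, term=term)


def render_safe(term: str, count: int = 0) -> str:
    """Reflect the term after HTML-entity encoding: <, >, &, " and ' become entities,
    so the browser can never read a new tag or attribute out of the user input."""
    return TEMPLATE.format(count=count, term=html.escape(term, quote=True))


class EventHandlerAudit(HTMLParser):
    """Records every element whose attributes include an on* event handler."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, list[tuple[str, str | None]]]] = []

    def handle_starttag(self, tag, attrs):
        handlers = [(name, value) for name, value in attrs if name.lower().startswith("on")]
        if handlers:
            self.findings.append((tag, handlers))


def audit_event_handlers(markup: str) -> list:
    """Parse the rendered page the way a browser would and return (tag, handlers) pairs."""
    parser = EventHandlerAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    print("unsafe:", audit_event_handlers(render_unsafe(PAYLOAD)))  # body with onresize
    print("safe:  ", audit_event_handlers(render_safe(PAYLOAD)))    # []
```

The audit flags the `onresize` handler only in the unescaped rendering; because `html.escape` encodes every character that can open a tag or attribute, the blacklist of tag and attribute names becomes unnecessary.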
