15) Reflected XSS into HTML context with all tags blocked except custom ones

Searching on HackTricks for custom tags, we find this:

The first naive attempt, checking whether onload on a custom tag fires on page load, is not successful. Another option is the onfocus event, if I can arrange for the tag to be focused on page load. The autofocus attribute unfortunately only exists for <input> tags, so it does not help here.

Another possibility to focus an element is to use tabindex. It marks an element as focusable, but requires keyboard interaction.

However, a URI fragment causes the browser to focus the indicated element if there is one with the given id or name in the document.

Therefore, my exploit page needs to be one that redirects to the search URL, passing <xss onfocus=alert(document.cookie) tabindex=1 id=x> as the search parameter and focusing the element via the fragment #x:

/?search=<xss id=x onfocus=alert(document.cookie) tabindex=1>#x

If we go to the URL and paste this XSS search query payload, it will trigger the alert.

Go to the exploit server, put this in the body, and then click on Store:

<script>
location = 'https://0a7700e003a13adc80854954004c00f2.web-security-academy.net/?search=<xss+id%3dx+onfocus%3dalert(document.cookie)+tabindex=1%3E#x';
</script>

This injection creates a custom tag with the ID x, which carries an onfocus event handler that calls alert. The hash at the end of the URL focuses this element as soon as the page loads, so the handler runs without any user interaction.

Deliver to victim and the lab is solved.
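As an added example that is not part of this writeup or the lab's own code, the following Python mirrors why a filter that only blocks known tag names lets a custom tag through, and shows the two things a defender wants instead: a detection check that flags an event-handler attribute on any tag, custom or not, and the output-encoding fix that makes the reflected search term inert in an HTML text context. The tag deny-list, the regexes, and the sample inputs are my own assumptions, not the lab's implementation.

```python
import html
import re

# Constructed sample inputs (my own, not from the lab): benign text, a payload
# using a standard tag, and the custom-tag payload from the writeup above.
SAMPLES = {
    "benign": "hello world",
    "known_tag": "<img src=x onerror=alert(1)>",
    "custom_tag": "<xss id=x onfocus=alert(document.cookie) tabindex=1>",
}

# Assumed deny-list of standard tag names. This reproduces the weakness of the
# lab's filter: anything with an unknown tag name is not on the list.
KNOWN_TAGS = {"script", "img", "svg", "body", "iframe", "input", "a", "div"}
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9-]*)", re.ASCII)


def weak_filter(value: str) -> str:
    """Strip only the opening of elements whose tag name is on the deny-list.

    A custom element such as <xss ...> is not on the list and passes unchanged.
    """
    def repl(m: re.Match) -> str:
        return "" if m.group(1).lower() in KNOWN_TAGS else m.group(0)
    return TAG_RE.sub(repl, value)


# Detection: any tag, whatever its name, that carries an on*= attribute.
EVENT_ATTR_RE = re.compile(r"<[^>]*\s+on[a-z]+\s*=", re.IGNORECASE)


def looks_like_handler_injection(value: str) -> bool:
    """Return True when the input contains a tag with an event-handler attribute."""
    return EVENT_ATTR_RE.search(value) is not None


def safe_reflect(value: str) -> str:
    """Mitigation: encode for an HTML text context, so no tag of any name survives."""
    return html.escape(value, quote=True)


def render_results(query: str, encoder) -> str:
    """Render the search-results line using the supplied encoder/filter."""
    return f"<p>0 search results for '{encoder(query)}'</p>"


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"--- {name}")
        print("weak filter :", render_results(sample, weak_filter))
        print("encoded     :", render_results(sample, safe_reflect))
        print("flagged     :", looks_like_handler_injection(sample))
```

Running the block shows that the deny-list removes the <img> payload but reflects the <xss ...> payload verbatim, while html.escape turns every sample into text that the browser will never parse as markup; the detection regex is what you would log or alert on at the WAF or application layer when such a request arrives.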
