Lab: Reflected XSS into HTML context with most tags and attributes blocked

Yikai
4 min read · Nov 8, 2020


In this lab, a simple or common reflected XSS payload will not work, as it is blocked by the web application firewall (WAF).

Let’s first insert an HTML tag into the search bar, as shown below, while the Burp proxy is on.

Send the intercepted GET request to Intruder.

Replace the search value with <§§>. This is where Intruder will insert each payload.

Go to the PortSwigger XSS cheat sheet and click “Copy tags to clipboard”. This copies all the HTML tags from the cheat sheet.

Next, paste the copied tags into the payload list and start your attack.

Below, you will see that between the open and close tags is where the payload will be inserted.

Once the attack is finished, you will find that only the body tag gets a 200 response status; all the rest get 400. This shows that the body tag is not blocked by the WAF and can be used for the XSS attack.

Those with response status 400 carry the message “Tag is not allowed.”

Next, change the search value to <body%20§§=1>

“%20” is just the URL-encoded form of a space.

Go back to the XSS cheat sheet, but this time click “Copy events to clipboard”. Clear the previous payload list, paste in the new ones and start the attack.

After the attack, you will find that only the event attribute onresize has a status of 200. This means that this event handler is not blocked by the WAF and can be used for the XSS attack.
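The two Intruder runs above are really a test of how complete the WAF's blocklist is. As an added example (not the author's code and not the lab's actual filter), the Node.js script below emulates a blocklist of that kind, shows that it rejects well-known tags and handlers but lets the body/onresize pair through, and then applies the defence that does not depend on a list at all: encoding the reflected search term for the HTML text context so the browser can only render it as text. The blocklist contents, the rejection message for event attributes and the exact markup of the search results heading are assumptions for illustration.

```javascript
// Added example (not from the post or the PortSwigger lab): why a
// tag/attribute blocklist like the lab's WAF is fragile, and what
// context-aware output encoding does instead. Runs under Node.js.

// A blocklist in the spirit of the lab's filter. Its contents are an
// assumption for illustration: like the lab's WAF, it misses the
// "body" tag and the "onresize" handler.
const BLOCKED_TAGS = new Set([
  'script', 'img', 'svg', 'iframe', 'object', 'embed', 'video',
  'audio', 'input', 'details', 'marquee',
]);
const BLOCKED_EVENTS = new Set([
  'onload', 'onerror', 'onclick', 'onmouseover', 'onfocus', 'onanimationstart',
]);

// Emulates the blocklist check. Returns the rejection message, or null
// when the input passes. The event-attribute message is assumed; only
// "Tag is not allowed." appears in the lab.
function blocklistCheck(input) {
  const tagRe = /<\s*\/?\s*([a-z][a-z0-9-]*)/gi;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    if (BLOCKED_TAGS.has(m[1].toLowerCase())) return 'Tag is not allowed.';
  }
  const eventRe = /[\s"'\/](on[a-z]+)\s*=/gi;
  while ((m = eventRe.exec(input)) !== null) {
    if (BLOCKED_EVENTS.has(m[1].toLowerCase())) return 'Event attribute is not allowed.';
  }
  return null;
}

// Context-aware encoding for a value placed in an HTML text node: every
// character that can open a tag, attribute or entity is replaced by its
// entity, so the browser can only ever render it as text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// The reflection point, modelled on the lab's search results heading
// (the exact markup is an assumption), rendered with encoding applied.
function renderSearchHeading(term) {
  return `<h1>0 search results for '${escapeHtml(term)}'</h1>`;
}

// Lists the tag names a browser would see in a fragment of HTML, so we
// can check that the reflected term never adds one.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([a-z][a-z0-9-]*)/gi), (m) => m[1].toLowerCase());
}

// Constructed inputs: a classic payload the blocklist catches, a blocked
// event handler, and the tag/handler pair the lab's filter lets through.
const SAMPLES = [
  '<img src=x onerror=alert(1)>',
  '<body onload=alert(1)>',
  '<body onresize=alert(1)>',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', blocklistCheck(s) ?? 'passes the blocklist',
    '| encoded render adds tags:', tagNames(renderSearchHeading(s)).length > 2);
}
```

Run it with `node` and compare the two columns: the blocklist verdict changes from sample to sample, while the encoded render never contains anything but the heading's own `<h1>` pair. That is the difference between trying to enumerate bad input and making the output context incapable of executing it.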

Take note of your lab ID, highlighted below in the URL bar. This is the host you will send your exploit to.

Place your lab ID in the code below, click “Store” and then click “Deliver exploit to victim”. The code is provided in the lab’s solution.

The iframe tag embeds another HTML page into the current page.

The onresize attribute is an event handler attribute that executes JavaScript when the browser window (here, the iframe’s viewport) is resized.

The onload event attribute executes JavaScript when the web page has finished loading.

What the code above says is that when you visit the website “https://ac511f2e1ec1f6c880c02798019100fc.web-security-academy.net/exploit”, you will see a small white box on the page.

When the page is loaded, the onload event fires and executes the JavaScript this.style.width='100px', so the width of the small white box is set to 100 pixels, which is small.

Changing the width triggers the next event, onresize, which executes the JavaScript alert(document.cookie).

alert(document.cookie) displays the cookies associated with the document on that website.

Next, click “View exploit” to go to the exploit link.

Once you are at the page, you will see a white box created by the iframe tag.

It immediately shrinks to a smaller width (100px), which fires the “onresize” event; that executes the alert function and shows a pop-up message, as shown below.

No message is shown inside the alert because there is no cookie associated with the document on that page.

With this, the lab should be cleared.
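Seen from the server, the two Intruder runs in this walkthrough are a burst of search requests answered with 400s and a single one answered with 200. As an added example (not the author's code and not part of the lab), the Node.js script below parses a few constructed access log lines in Common Log Format, URL-decodes the search parameter (so “%20” becomes the space the application actually saw, as noted earlier), and flags any search term containing a tag with an inline on* handler, whatever the tag or handler name. The 200 responses among the hits are the ones the WAF did not stop, which is what an incident responder would want to see first. The log lines, IP addresses and response sizes are constructed sample data.

```javascript
// Added example (not from the post or the lab): spotting the requests
// from this walkthrough in a web server access log, so the same bypass
// can be detected on the server side. Runs under Node.js.

// Constructed sample log lines in Common Log Format. The third line is
// the shape of the request that got a 200 past the lab's WAF; the
// second is a classic payload the WAF rejected with a 400; the others
// are ordinary searches (one of which contains the word "body").
const SAMPLE_LOG = [
  '10.0.0.5 - - [08/Nov/2020:10:01:02 +0000] "GET /?search=gifts HTTP/1.1" 200 1403',
  '10.0.0.7 - - [08/Nov/2020:10:01:09 +0000] "GET /?search=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 400 211',
  '10.0.0.7 - - [08/Nov/2020:10:02:31 +0000] "GET /?search=%3Cbody%20onresize%3Dalert(document.cookie)%3E HTTP/1.1" 200 1460',
  '10.0.0.9 - - [08/Nov/2020:10:03:00 +0000] "GET /?search=body%20lotion HTTP/1.1" 200 1398',
];

const CLF = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Parses one CLF line; returns null for lines that do not match.
function parseLogLine(line) {
  const m = CLF.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Extracts the decoded "search" parameter. URLSearchParams undoes the
// percent-encoding, so "%20" and "%3C" become the space and "<" the
// application actually saw.
function decodedSearch(path) {
  return new URL(path, 'http://localhost').searchParams.get('search');
}

// A tag whose attribute list contains an on* handler, regardless of
// which tag or which handler: the lab shows that matching specific names
// (a blocklist) is what let the body/onresize pair through.
const TAG_WITH_HANDLER = /<\s*[a-z][a-z0-9-]*[^>]*[\s"'\/]on[a-z]+\s*=/i;

// Returns the entries whose search term carries an inline event handler.
function findReflectedXssAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    const search = decodedSearch(entry.path);
    if (search !== null && TAG_WITH_HANDLER.test(search)) hits.push({ ...entry, search });
  }
  return hits;
}

// The 200s matter most: those are the attempts the WAF did not stop.
function bypassedWaf(hits) {
  return hits.filter((h) => h.status === 200);
}

const attempts = findReflectedXssAttempts(SAMPLE_LOG);
for (const h of attempts) console.log(h.status, h.ip, JSON.stringify(h.search));
console.log('attempts:', attempts.length, 'bypassed WAF:', bypassedWaf(attempts).length);
```

Matching on the shape “tag with an on* attribute” rather than on names keeps the detection from inheriting the same gap the WAF had; pairing it with the response status separates noise (rejected probes) from the one request that reached the application.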

I am still learning while doing these labs, so please let me know if any of my explanation is incorrect. Thank you!


Yikai

Started my journey in cybersecurity in September 2020. This blog is used mainly to record my learning journey.