Introduction to Reflected XSS into HTML context with most tags and attributes blocked.
In this lab, Reflected Cross-Site Scripting (XSS) is a vulnerability where untrusted user input is reflected into the page without proper sanitization or encoding, allowing attackers to inject and execute malicious scripts in the user's browser. Web developers should implement strict input validation and proper output encoding to mitigate this vulnerability. Regular security testing, staying up to date with best practices, and using frameworks or libraries with built-in protection help prevent reflected XSS, even in cases where most tags and attributes are blocked. Prioritizing secure coding practices together with effective input validation and output encoding significantly reduces the risk of XSS vulnerabilities and improves overall web application security.
Lab Solutions | Practical Work Time: Reflected XSS into HTML
This lab contains a reflected XSS vulnerability in the search functionality but uses a web application firewall (WAF) to protect against common XSS vectors.
To solve the lab, perform a cross-site scripting attack that bypasses the WAF and calls the
Stepwise solution of the lab:
After opening the lab, the first thing we notice is that it has a 'Search' function.
We will submit a payload to see what happens:
<img src=1 onerror=print()>
This tag is not allowed, so we have to identify a tag that is permitted. (To clarify a term: 'onerror' is an event handler; what we look for first is an allowed tag, and the event comes later.) For that, I'm going to use Burp Suite Intruder and the XSS cheat sheet.
Unfortunately, I can't show you the right-click menu where I chose 'Send this request to Repeater'; I wasn't able to take a screenshot at that moment. But that's an easy step, so I hope you can follow it.
Here, what we did is clear all the text after '/?search=' and add '<>'. Then we placed the cursor between '<' and '>' and clicked 'Add §' twice.
Now click 'Copy tags to clipboard' on the cheat sheet and paste the list into the payload settings.
Click 'Start attack'. We are looking for responses with a 200 status to find a tag that is allowed.
The 'body' tag returned a 200 status. Now we set it and find the 'event' in the next step.
Set it up as shown. Don't remove the '§§' markers: between '<§§>', type 'body%20' after '<' and '=1' before '>', giving '<body%20§§=1>'.
Go back to the XSS cheat sheet, click 'Copy events to clipboard', and paste the list into 'Payload settings'.
Click 'Start attack' again and look for the event that returns an HTTP 200 status.
We will go with the 'onresize' event.
Now go back to the lab and click 'Go to exploit server'.
Clear 'Hello, world!' and paste the payload below:
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=print()%3E" onload=this.style.width='100px'>
Replace 'https://YOUR-LAB-ID.web-security-academy.net/' with your own lab URL, i.e. copy the link of your lab and paste it there.
Click 'Deliver exploit to victim'. BOOM! We've solved the lab successfully.
I hope you enjoyed reading this article. After completing it, we highly recommend you study the next article: Reflected XSS into HTML context with all tags blocked except custom ones. Please don't forget to leave a comment here and share it with your friends as well. Good luck!
Thank you for reading. If this article really helped you, do share it with your mates.
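As an added illustration, not code from this write-up or from the lab, here is a small Python model of why the WAF in this lab is only a blocklist and not a fix: it rejects the blocked tag/event pair from above but passes the body/onresize pair, while HTML-encoding the reflected search term neutralises both. The blocklists and the <h1> reflection are assumptions, since the lab's real WAF rules and template are not published.

```python
import html
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed for this write-up; not the lab's or PortSwigger's code.
# The blocklists below are assumptions modelling what the write-up observed:
# <img ... onerror=...> is rejected, <body onresize=...> is not.
BLOCKED_TAGS = {"img", "script", "svg", "iframe"}
BLOCKED_EVENTS = {"onerror", "onload", "onclick", "onmouseover"}

# Lab URL placeholder from the write-up, kept as-is.
LAB = "https://YOUR-LAB-ID.web-security-academy.net"


def search_term(url: str) -> str:
    """Extract the decoded 'search' query parameter (as the browser would)."""
    return parse_qs(urlsplit(url).query).get("search", [""])[0]


def waf_blocks(term: str) -> bool:
    """Blocklist WAF: rejects a term naming a blocked tag or event handler."""
    lowered = term.lower()
    if any(f"<{tag}" in lowered for tag in BLOCKED_TAGS):
        return True
    return any(event in lowered for event in BLOCKED_EVENTS)


def render_vulnerable(url: str) -> Optional[str]:
    """Reflects the raw term into the page, trusting the blocklist alone."""
    term = search_term(url)
    if waf_blocks(term):
        return None  # request dropped by the WAF
    return f"<h1>0 search results for '{term}'</h1>"


def render_hardened(url: str) -> str:
    """Encodes the term for the HTML context, so no blocklist is needed."""
    term = search_term(url)
    return f"<h1>0 search results for '{html.escape(term, quote=True)}'</h1>"


if __name__ == "__main__":
    blocked = LAB + "/?search=%3Cimg%20src=1%20onerror=print()%3E"
    bypass = LAB + "/?search=%22%3E%3Cbody%20onresize=print()%3E"
    print(render_vulnerable(blocked))   # None: the WAF caught <img onerror>
    print(render_vulnerable(bypass))    # live <body onresize=print()> tag
    print(render_hardened(bypass))      # &lt;body onresize=print()&gt;, inert
```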
And follow @masaudsec on Twitter.