XSS Scripting Contexts

What is XSS Context?

Location in response where the user input data appears.
Processing performed on input data by the application.

Based on the context, can target the locations and filters to execute XSS. Burp cheatsheet: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

XSS in Different contexts:

XSS between HTML tags:

When the XSS context is text between HTML tags, you need to introduce some new HTML tags designed to trigger execution of JavaScript.

Some useful ways of executing JavaScript are:

<script>alert(document.domain)</script> <img src=1 onerror=alert(1)>c

LAB 2 : Stored XSS into HTML context with nothing encoded

But to solve challenge needs to be an alert:

<script>alert()</script>

LAB 3: Reflected XSS into HTML context with most tags and attributes blocked

Understanding posture.

Application blocks most tags, html encoding doesn't escape h1 tag, etv

Restrictions

Need to find what tags and attributes are not blacklisted.

Launch Burp Intruder with a insertion between simple tags "<$>".

<body> tag is whitelisted.

Now, need to find usable attributes of tags that would facilitate JS execution.

Again brute forcing to find whitelisted attributes:

But, the attack needs to be without user interaction.The victim will open a link and payload needs to be triggered, for that we need to resize the window. So, we can use an - iframe that will refer to the search result. - resize the iframe onloading. This will trigger the payload.

LAB 4 : Reflected XSS into HTML context with all tags blocked except custom ones

Objective: This lab blocks all HTML tags except custom ones.

To solve the lab, perform a cross-site scripting attack that injects a custom tag and automatically alerts document.cookie.

Solution:

Custom Tag to exploit xss:

<alo onclick="print()">A</alo>

Custom Tag payload:

<xss id=x tabindex=1 onfocus=alert(1)></xss>

Exploit victim: Need to host the refected xss link with location hash to the victim. The payload must alert document.cookie

LAB 5 : Reflected XSS with event handlers and `href` attributes blocked

Description:

This lab contains a reflected XSS vulnerability with some whitelisted tags, but all events and anchor href attributes are blocked.. To solve the lab, perform a cross-site scripting attack that injects a vector that, when clicked, calls the alert function. Note that you need to label your vector with the word "Click" in order to induce the simulated lab user to click your vector. For example:

<a href="">Click me</a>

Recon:

Attacking:

svg was whitelisted, though the events were blocked.

I refered to this resource for xss without event triggers: https://brutelogic.com.br/blog/xss-without-event-handlers/

<svg><a xmlns:xlink=http://www.w3.org/1999/xlink ><circle r=400 />Click<animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>

Even shortened version worked: Though here client find hard to click "click" (svg element).

<svg>Click<animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>

SVG is very useful though dangerous if not hardened, here we are able to execute javascript using svg animate: https://developer.mozilla.org/en-US/docs/Web/SVG/Element/animate

LAB 6 : Reflected XSS with some SVG markup allowed

After reading the docs on the elements, hacker tinkle sensed these :

After searching for xss on these attributes, came across "animateTransform" payload:

payload used:

<svg><animatetransform onbegin=alert(1) attributeName=transform>

SVG events and attributes: https://oreillymedia.github.io/Using_SVG/guide/markup.html

Reference: Beautiful site: https://netsec.expert/posts/xss-in-2021/

PreviousDOM XSS NextSVG elements

Last updated 3 years ago

Was this helpful?