search

XSS Scripting Contexts

What is XSS Context?

  • Location in response where the user input data appears.

  • Processing performed on input data by the application.

Based on the context, can target the locations and filters to execute XSS. Burp cheatsheet: https://portswigger.net/web-security/cross-site-scripting/cheat-sheetarrow-up-right

hashtag
XSS in Different contexts:

hashtag
XSS between HTML tags:

When the XSS context is text between HTML tags, you need to introduce some new HTML tags designed to trigger execution of JavaScript.

Some useful ways of executing JavaScript are:

<script>alert(document.domain)</script> <img src=1 onerror=alert(1)>c

hashtag
LAB 2 : Stored XSS into HTML context with nothing encodedarrow-up-right

But to solve challenge needs to be an alert:

hashtag
LAB 3: Reflected XSS into HTML context with most tags and attributes blockedarrow-up-right

hashtag
Understanding posture.

Application blocks most tags, html encoding doesn't escape h1 tag, etv

Restrictions

Searching for "<script alert(1)</script>" Script tag is blocked, after testings

Need to find what tags and attributes are not blacklisted.

Copy list

Launch Burp Intruder with a insertion between simple tags "<$>".

<body> tag is whitelisted.

Now, need to find usable attributes of tags that would facilitate JS execution.

Blacklisted event onload gives error(400)

Again brute forcing to find whitelisted attributes:

onresize attribute is allowed.

But, the attack needs to be without user interaction.The victim will open a link and payload needs to be triggered, for that we need to resize the window. So, we can use an - iframe that will refer to the search result. - resize the iframe onloading. This will trigger the payload.

Victim final exploit

hashtag
LAB 4 : Reflected XSS into HTML context with all tags blocked except custom ones

Objective: This lab blocks all HTML tags except custom ones.

To solve the lab, perform a cross-site scriptingarrow-up-right attack that injects a custom tag and automatically alerts document.cookie.

Solution:

Custom Tag to exploit xss:

This works on clicking the "A", but need something without user interaction.
Referring the cheat-sheet for the same: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#event-handlers-that-do-not-require-user-interactionarrow-up-right

Custom Tag payload:

In the returned url, put location hash to the id of html element (tag) created.

Exploit victim: Need to host the refected xss link with location hash to the victim. The payload must alert document.cookie

Final exploit HTML body. It redirects the victim (on visit) to vulnerable page that triggers reflected xss

hashtag
LAB 5 : Reflected XSS with event handlers and href attributes blocked

Description:

This lab contains a reflected XSSarrow-up-right vulnerability with some whitelisted tags, but all events and anchor href attributes are blocked.. To solve the lab, perform a cross-site scriptingarrow-up-right attack that injects a vector that, when clicked, calls the alert function. Note that you need to label your vector with the word "Click" in order to induce the simulated lab user to click your vector. For example:

<a href="">Click me</a>

Recon:

searching for <body></body> is error, as it is blocked
Bruteforcing allowed tags

Attacking:

svg was whitelisted, though the events were blocked.

I refered to this resource for xss without event triggers: https://brutelogic.com.br/blog/xss-without-event-handlers/arrow-up-right

We define the svg animate attribute with our javascript.

Even shortened version worked: Though here client find hard to click "click" (svg element).

Here you can see the svg element is hidden, so not intuitive for user to click it, but enough for burp challenge.

SVG is very useful though dangerous if not hardened, here we are able to execute javascript using svg animate: https://developer.mozilla.org/en-US/docs/Web/SVG/Element/animatearrow-up-right

hashtag
LAB 6 : Reflected XSS with some SVG markup allowed

SVG markup

After reading the docs on the elements, hacker tinkle sensed these :

(Tried "<svg><image href=validimage.png onload=alert(1)>", but onload,etc are blocked in this lab)
No XSS payload found
Used to animate svg, uses javascript for that, hence can be used for xss payload

After searching for xss on these attributes, came across "animateTransform" payload:

https://github.com/payloadbox/xss-payload-list/blob/master/Intruder/xss-payload-list.txtarrow-up-right

payload used:

SVG events and attributes: https://oreillymedia.github.io/Using_SVG/guide/markup.htmlarrow-up-right

Reference: Beautiful site: https://netsec.expert/posts/xss-in-2021/arrow-up-right

PreviousDOM XSSNextSVG elements

Last updated