Web Security Academy Lab solution: "Reflected XSS into HTML context with most tags and attributes blocked"

Nidal Mahmud
2 min read · May 17, 2021

What's crackin', hackers? Today I'm gonna show you how we can bypass some WAFs.

We start the lab as usual and navigate to the search bar.

Let's start by using a simple payload like <plaintext>

figure 1

Alright, it seems there's a WAF blocking some tags.

Let's try to brute-force the app and see what tags are allowed.

We can find a cheat sheet of tags here: XSS cheat sheet

Copy all the tags to your clipboard and send the request to Burp's Intruder.

  • In Burp Intruder, in the Positions tab, click “Clear §”.
  • In the request template, replace the value of the search term with: <>
  • Place the cursor between the angle brackets and click “Add §” twice, to create a
  • In Burp Intruder, in the Payloads tab, click “Paste” to paste the list of tags into the payloads list.
  • Click “Start attack”.

When the attack is completed, review the results: we can see there's a 200 OK response back when using the <body> tag.

figure 2
  • Go back to the Positions tab in Burp Intruder.
  • Replace your search term with: <body%20=1>
  • Place the cursor before the = character and click “Add §” twice, to create a payload position. The value of the search term should now look like: <body%20§§=1>
  • Visit the XSS cheat sheet again and click “copy events to clipboard”.
  • In Burp Intruder, in the Payloads tab, click “Clear” to remove the previous payloads. Then click “Paste” to paste the list of attributes into the payloads list. Click “Start attack”.

When the attack is finished, review the results. Note that all payloads caused an HTTP 400 response, except for the onresize payload, which caused a 200 response.

figure 3
  • Go to the exploit server and paste the following code, replacing your-lab-id with your lab ID:
    <iframe src="https://your-lab-id.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=alert(document.cookie)%3E" onload=this.style.width='100px'>
  • Click “Store” and “Deliver exploit to victim”.
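Why this kind of WAF fails and what actually fixes it, as an added example that is not part of the original post and not PortSwigger's code: a constructed blocklist that mimics the lab's behaviour (the real filter's contents are unknown; this one rejects the tags and events the walkthrough saw blocked and lets <body> and onresize through), the same search reflection done with HTML output encoding, and a log check that flags markup in the search parameter whether or not the WAF returned 400. The blocklist contents, the log lines and the function names are all constructed for the example; only the payload string comes from the post.

```python
import html
import re

# Constructed blocklist standing in for the lab's WAF (assumption: the real
# filter is unknown; this one blocks the names the walkthrough saw rejected).
BLOCKED_TAGS = {"script", "img", "svg", "iframe", "plaintext", "object", "embed"}
BLOCKED_EVENTS = {"onload", "onerror", "onclick", "onmouseover", "onfocus"}

# Tag name after "<" and event-handler attribute name before "=".
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")
EVENT_RE = re.compile(r"\b(on[a-zA-Z]+)\s*=", re.IGNORECASE)

# The walkthrough's search term, URL-decoded.
PAYLOAD = '"><body onresize=alert(document.cookie)>'


def blocklist_allows(search_term: str) -> bool:
    """Naive WAF decision: reject only names that appear on the blocklist."""
    tags = {m.group(1).lower() for m in TAG_RE.finditer(search_term)}
    events = {m.group(1).lower() for m in EVENT_RE.finditer(search_term)}
    return not (tags & BLOCKED_TAGS or events & BLOCKED_EVENTS)


def render_blocklist(search_term: str) -> tuple:
    """Vulnerable pattern: filter on a blocklist, then reflect the raw term.
    Returns (status, body) like the lab: 400 when blocked, 200 otherwise."""
    if not blocklist_allows(search_term):
        return 400, ""
    return 200, f"<h1>0 search results for '{search_term}'</h1>"


def render_encoded(search_term: str) -> tuple:
    """Hardened pattern: no blocklist, just encoding for the HTML text context.
    Every tag and attribute becomes inert text, so there is nothing to enumerate."""
    safe = html.escape(search_term, quote=True)
    return 200, f"<h1>0 search results for '{safe}'</h1>"


def injected_elements(rendered: str) -> list:
    """Element names in the response other than the page's own <h1>."""
    return sorted({t.lower() for t in TAG_RE.findall(rendered)} - {"h1"})


# Constructed access-log lines (not from the lab); the second is a probe the
# WAF rejected, the third is the walkthrough's payload that got through.
LOG_LINES = [
    '10.0.0.5 - - [17/May/2021:10:00:01 +0000] "GET /?search=apples HTTP/1.1" 200 1532',
    '10.0.0.5 - - [17/May/2021:10:00:09 +0000] "GET /?search=%3Cscript%3E HTTP/1.1" 400 0',
    '10.0.0.5 - - [17/May/2021:10:00:15 +0000] "GET /?search=%22%3E%3Cbody%20onresize=alert(document.cookie)%3E HTTP/1.1" 200 1610',
]
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_markup_in_requests(lines: list) -> list:
    """Detection: return the decoded request targets that carry a tag or an
    event-handler attribute, regardless of the status the WAF returned.
    Keying on the markup rather than on 400s catches both the rejected
    probes (the enumeration phase) and the one payload that slipped through."""
    from urllib.parse import unquote
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        decoded = unquote(m.group(1))
        if TAG_RE.search(decoded) or EVENT_RE.search(decoded):
            hits.append(decoded)
    return hits


if __name__ == "__main__":
    print("WAF status for lab payload:", render_blocklist(PAYLOAD)[0])
    print("elements injected (blocklist):", injected_elements(render_blocklist(PAYLOAD)[1]))
    print("elements injected (encoded):  ", injected_elements(render_encoded(PAYLOAD)[1]))
    print("flagged requests:", flag_markup_in_requests(LOG_LINES))
```

The point of the comparison is that the blocklist rejects <script>, <plaintext> and <img ... onerror=...> exactly as the lab does, yet lets the post's <body onresize=...> term through and reflects it as a live element, while the encoded version reflects the identical term with no new element at all. The log check is what a defender would run over the access log after a burst of 400s from Intruder: it surfaces the whole enumeration run plus the single 200 that matters.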

Happy Hacking!

~N3dx0o
