DEV Community: Kenny Cipher

Cross-site scripting – Reflected XSS | PortSwigger Lab Note #3

Kenny Cipher — Thu, 19 Mar 2026 09:43:50 +0000

target：

Lab URL:

https://portswigger.net/web-security/cross-site-scripting/contexts/lab-some-svg-markup-allowed

Tools Used:

browser
Burp suite

Vulnerability Summary：

Type:

Reflected XSS

Description:

Steps to Exploit：

1.Determine that this is a reflected XSS vulnerability because the input appears directly in the HTML response.

2.Submit the payload alert(1) to test whether script execution is possible.

3.Observe that the <script> tag is blocked, then use Burp Intruder to analyze the filtering mechanism

4.Observe that most payloads return a 400 response, while payloads using tags such as <svg>, <animatetransform>, <title>, and <image> return a 200 response.

5.Select one allowed tag and use Intruder to test which attributes are permitted.

6.Construct a working payload based on the allowed tags and attributes to trigger the XSS.

Remediation：

The application should implement proper context-aware output encoding to prevent user-supplied data from being interpreted as executable code. All inputs must be safely encoded before being rendered in the browser.

Additionally, input validation should be enforced to block dangerous patterns such as "javascript:" URLs. The use of secure frameworks with built-in XSS protection and the implementation of a Content Security Policy (CSP) are recommended to further reduce risk.

Lessons Learned：

This lab demonstrates that even when common tags like <script> are blocked, XSS can still be achieved by leveraging less restricted tags such as SVG. By systematically analyzing the filtering behavior with tools like Burp Intruder, attackers can identify allowed tags and attributes and craft a payload that bypasses the filter. Effective defense requires proper output encoding and avoiding reliance on blacklist-based filtering.

Cross-site scripting – Stored XSS into anchor href attribute with double quotes HTML-encoded | PortSwigger Lab Note #2

Kenny Cipher — Thu, 19 Mar 2026 09:24:41 +0000

target：

Lab URL:
https://portswigger.net/web-security/cross-site-scripting/contexts/lab-href-attribute-double-quotes-html-encoded
Tools Used:

browser
Burp suite

Vulnerability Summary：

Type:

Stored XSS

Description:

Steps to Exploit：

1.Determine that this is a stored XSS vulnerability because the input does not appear directly in the response.

2.Check the page source and find that the user-supplied website value is reflected inside the href attribute.

3.Inject a payload such as javascript:alert(1) into the href attribute to trigger the XSS.

Remediation：

Lessons Learned：

This lab shows that XSS can occur in attribute contexts such as href, even when double quotes are HTML-encoded. By analyzing where user input is placed in the HTML structure, attackers can craft context-specific payloads like javascript: URLs to trigger execution. Proper defenses should include context-aware output encoding and validation of dangerous URI schemes.

Cross-site scripting – Reflected XSS into HTML context with most tags and attributes blocked | PortSwigger Lab Note #1

Kenny Cipher — Tue, 17 Mar 2026 11:14:44 +0000

target：

Lab URL:
https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-most-tags-and-attributes-blocked
Tools Used:

browser
Burp suite

Vulnerability Summary：

Type:

Reflected Cross-site scripting

Description:

Steps to Exploit：

1.Input <> to determine whether angle brackets are filtered by the application.

2.Input<script> to check whether this tag is filtered by the WAF.

3.Use the XSS cheat sheet and Burp Intruder to identify which HTML tags are allowed by the filter.

4.Use Intruder again to test which attributes can be used with the allowed tags.

5.Find a way to exploit the XSS vulnerability using the permitted tags and attributes, and craft a working payload.

6.Create a malicious URL and send it to the victim so that the server responds with a hidden script that triggers the exploit.

Remediation：

Use parameterized queries / prepared statements
Use server‑side input validation
Escape and sanitize user input

Lessons Learned：

This lab demonstrates that even when most HTML tags and attributes are blocked by a WAF, XSS may still be possible by enumerating which tags and event handlers are allowed. By systematically testing inputs with Burp Intruder and using an XSS cheat sheet, attackers can discover permitted combinations of tags and attributes and craft a payload that bypasses the filter. Proper defenses should rely on strict output encoding rather than blacklist-based filtering.

SQL Injection – with filter bypass via XML encoding | PortSwigger Lab Note #11

Kenny Cipher — Mon, 16 Mar 2026 01:06:20 +0000

target：

Lab URL:

https://portswigger.net/web-security/learning-paths/sql-injection/sql-injection-in-different-contexts/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding#

Tools Used:

browser
Burp suite

Vulnerability Summary：

Type: SQL Injection
Description:

This lab demonstrates a SQL injection vulnerability inside XML input.
The application performs a database query using user-supplied XML data without proper sanitization.

However, a weak WAF (Web Application Firewall) attempts to block common SQL injection payloads. The goal is to bypass the filter using XML encoding, extract the administrator credentials, and log in as the administrator.

Steps to Exploit：

1.Check the lab scenario and identify two possible injection points in the XML request.

2.Test the XML structure by submitting some special or sensitive characters to see whether a weak WAF or input filter exists.

3.After confirming that character filtering is present, attempt to bypass the filter and determine the number of columns in the SQL query using a UNION-based payload.

4.Once the column count is identified, use the SQL concatenation operator || to combine the username and password fields in order to extract credentials from the users table.

Remediation：

Use parameterized queries / prepared statements
Use server‑side input validation
Escape and sanitize user input

Lessons Learned：

This lab demonstrates that SQL injection can occur in XML input contexts and that weak WAF filters can often be bypassed using encoding techniques. Even if certain characters or keywords are blocked, attackers may still exploit the vulnerability by modifying the payload format. Proper defenses should rely on parameterized queries and secure query construction rather than simple input filtering.

SQL Injection – time delays and information retrieval| PortSwigger Lab Note #10

Kenny Cipher — Fri, 13 Mar 2026 01:16:15 +0000

target：

Lab URL:

https://portswigger.net/web-security/learning-paths/sql-injection/sql-injection-exploiting-blind-sql-injection-by-triggering-time-delays/sql-injection/blind/lab-time-delays-info-retrieval

Tools Used:

browser
Burp suite

Vulnerability Summary：

Type: Blind SQL Injection
Description:

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.

Steps to Exploit：

1.Verify that the application responds with no time delay or time delay

2.confirming that there is a user called administrator.

3.determine how many characters are in the password of the administrator user

4.Determine the password

Remediation：

Use parameterized queries / prepared statements
Use server‑side input validation
Escape and sanitize user input

Lessons Learned：

SQL Injection – Blind SQL injection with conditional errors | PortSwigger Lab Note #9

Kenny Cipher — Thu, 12 Mar 2026 03:31:40 +0000

target：

browser
Burp suite

Vulnerability Summary：

Type: SQL Injection
Description:

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

Steps to Exploit：

1.confirm that the server is interpreting the injection as a SQL query

2.try submitting an invalid query while still preserving valid SQL syntax

3.verify that the users table exists

4.test whether specific entries exist in a table

5.determine how many characters are in the password of the administrator user.

6.determine the password

Remediation：

Use parameterized queries / prepared statements
Use server‑side input validation
Escape and sanitize user input

Lessons Learned：

SQL Injection – Blind SQL injection with conditional responses | PortSwigger Lab Note #8

Kenny Cipher — Wed, 11 Mar 2026 08:18:28 +0000

target：

browser
Burp suite

Vulnerability Summary：

Type: SQL Injection
Description:

Steps to Exploit：

1.Trigger conditional responses and check whether the word “Welcome” appears.

2.Verify that the condition is true, confirming that there is a table called users.

3.Verify that the condition is true, confirming that there is a user called administrator

4.Determine how many characters are in the password of the administrator user and send a series of follow-up values to test different password lengths

5.determine the password

Remediation：

Use parameterized queries / prepared statements
Use server‑side input validation
Escape and sanitize user input

Lessons Learned：

SQL Injection – listing the database contents on non-Oracle databases | PortSwigger Lab Note #7

Kenny Cipher — Tue, 10 Mar 2026 02:51:09 +0000

target：

browser
Burp suite

Vulnerability Summary：

Type:

SQL Injection

Description:

The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.

To solve the lab, log in as the administrator user.

Steps to Exploit：

1.Determine the number of columns and which columns contain string data.

2.retrieve the list of tables in the database

3.Find the name of the table containing user credentials.

4.retrieve the details of the columns in the table vulnerable

5.Find the names of the columns containing usernames and passwords

6.retrieve the usernames and passwords for all users

Remediation：

Use parameterized queries / prepared statements
Use server‑side input validation
Escape and sanitize user input

Lessons Learned：

SQL Injection – querying the database type and version | PortSwigger Lab Note #6

Kenny Cipher — Tue, 10 Mar 2026 00:51:33 +0000

target：

Lab URL:

https://portswigger.net/web-security/learning-paths/sql-injection/sql-injection-examining-the-database-in-sql-injection-attacks/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft

Tools Used:

browser
Burp suite

Vulnerability Summary：

Type: SQL Injection
Description:

Steps to Exploit：

1.Determine the number of columns and which columns contain string data.

2.If the error-based payload fails, try changing the comment format.

3.According to the cheat sheet, determine that the database version is
MySQL, and note the space after the double dash.

4.Solve the lab with the correct payload to disclose the MySQL version information.

Remediation：

Use parameterized queries / prepared statements
Use server‑side input validation
Escape and sanitize user input

Lessons Learned：

SQL Injection – UNION attack, retrieving multiple values in a single column | PortSwigger Lab Note #5

Kenny Cipher — Tue, 10 Mar 2026 00:16:36 +0000

target：

Lab URL:

https://portswigger.net/web-security/learning-paths/sql-injection/sql-injection-retrieving-multiple-values-within-a-single-column/sql-injection/union-attacks/lab-retrieve-multiple-values-in-single-column

Tools Used:

browser
Burp suite

Vulnerability Summary：

Type:

SQL Injection

Description:

To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user

Steps to Exploit：

1.Determine the number of columns and which columns contain string data.

'+UNION+SELECT+NULL,username||'~'||password+FROM+users--

2.Modify the payload and send the request to the server.

3.The username and password will be shown on the page.

Remediation：

Use parameterized queries / prepared statements
Use server‑side input validation
Escape and sanitize user input

Lessons Learned：

SQL Injection – UNION attack, retrieving data from other tables | PortSwigger Lab Note #4

Kenny Cipher — Mon, 09 Mar 2026 13:20:40 +0000

target：

Lab URL:

https://portswigger.net/web-security/learning-paths/sql-injection/sql-injection-using-a-sql-injection-union-attack-to-retrieve-interesting-data/sql-injection/union-attacks/lab-retrieve-data-from-other-tables

Tools Used:

browser
Burp suite

Vulnerability Summary：

Type: SQL Injection
Description:

To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

Steps to Exploit：

1.Using the technique mentioned in the last note, we can determine the number of columns returned by the query and which columns contain text data. Verify that the query returns two columns, both of which contain text.

2.Inject the payload, then obtain the password belonging to the administrator.

Remediation：

Use parameterized queries / prepared statements
Use server‑side input validation
Escape and sanitize user input

Lessons Learned：

When you have determined the number of columns returned by the original query and found which columns can hold string data, you are in a position to retrieve interesting data

SQL Injection – UNION attack | PortSwigger Lab Note #3

Kenny Cipher — Mon, 09 Mar 2026 10:44:21 +0000

target：

Lab URL:

https://portswigger.net/web-security/learning-paths/sql-injection/sql-injection-determining-the-number-of-columns-required/sql-injection/union-attacks/lab-determine-number-of-columns

Tools Used:

browser
Burp suite

Vulnerability Summary：

Type: SQL Injection
Description:

To solve the lab, determine the number of columns returned by the query by performing a SQL injection UNION attack

Steps to Exploit：

1.Click any category to send a request to the server and check the query.

2.Modify the parameter multiple times, then try to determine the number of columns returned by the query.

3.If there are no errors, you have found the number of columns.

Remediation：

Use parameterized queries (prepared statements) instead of dynamic SQL.
Apply strict input validation on user-supplied data.
Use least-privileged database accounts to reduce impact.