Target:
- Lab URL:
https://portswigger.net/web-security/cross-site-scripting/contexts/lab-some-svg-markup-allowed
- Tools Used:
browser
Burp suite
Vulnerability Summary:
- Type:
Reflected XSS
- Description:
Steps to Exploit:
1. Determine that this is a reflected XSS vulnerability because the input appears directly in the HTML response.
2. Submit the payload alert(1) to test whether script execution is possible.
3. Observe that the <script> tag is blocked, then use Burp Intruder to analyze the filtering mechanism.
4. Observe that most payloads return a 400 response, while payloads using tags such as <svg>, <animatetransform>, <title>, and <image> return a 200 response.
5. Select one allowed tag and use Intruder to test which attributes are permitted.
6. Construct a working payload based on the allowed tags and attributes to trigger the XSS.
Remediation:
The application should implement proper context-aware output encoding to prevent user-supplied data from being interpreted as executable code. All inputs must be safely encoded before being rendered in the browser.
Additionally, input validation should be enforced to block dangerous patterns such as "javascript:" URLs. The use of secure frameworks with built-in XSS protection and the implementation of a Content Security Policy (CSP) are recommended to further reduce risk.
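As an added example (not part of the lab or of this write-up), the tag-blacklist pattern the lab defeats is shown beside the context-aware output encoding and the allowlist URL check described above. The search-result fragment, the blocked-tag list and the sample input are constructed assumptions.

```python
import html
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample input: a search term reflected into an HTML text node.
# It is harmless SVG markup, enough to show whether a tag survives rendering.
SEARCH_TERM = '<svg><title>hi</title></svg>'

# Blacklist filter (assumed shape of the vulnerable pattern): it rejects a few
# known tag names and passes every other tag through untouched.
BLOCKED_TAGS = re.compile(r'</?(script|iframe|object)\b', re.IGNORECASE)


def blacklist_render(term: str) -> Optional[str]:
    """Vulnerable pattern: return the page fragment, or None (a 400-style
    rejection) when a blacklisted tag name is present."""
    if BLOCKED_TAGS.search(term):
        return None
    return f"<h1>0 search results for '{term}'</h1>"


def encoded_render(term: str) -> str:
    """Hardened pattern: HTML-entity encode the value for the text-node
    context, so <, >, &, \" and ' can never open a tag or attribute."""
    return f"<h1>0 search results for '{html.escape(term, quote=True)}'</h1>"


def contains_markup(fragment: str, tag: str) -> bool:
    """True if the reflected term reached the output as a real <tag>."""
    return re.search(rf'<{tag}\b', fragment, re.IGNORECASE) is not None


def is_safe_href(url: str) -> bool:
    """Allowlist check for a user-supplied link target: only http(s) schemes,
    so javascript: and other script-bearing schemes are rejected."""
    return urlparse(url.strip()).scheme.lower() in ('http', 'https')


if __name__ == '__main__':
    # The blacklist passes the SVG tag through; encoding neutralises it.
    print(blacklist_render(SEARCH_TERM))
    print(encoded_render(SEARCH_TERM))
```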
Lessons Learned:
This lab demonstrates that even when common tags like <script> are blocked, XSS can still be achieved by leveraging less restricted tags such as SVG. By systematically analyzing the filtering behavior with tools like Burp Intruder, attackers can identify allowed tags and attributes and craft a payload that bypasses the filter. Effective defense requires proper output encoding and avoiding reliance on blacklist-based filtering.