Solving Portswigger Academy: Reflected XSS with event handlers and href attributes blocked

Vishal
2 min read · Sep 26, 2024

This lab contains a reflected XSS vulnerability with some whitelisted tags, but all events and anchor href attributes are blocked.

To solve the lab, perform a cross-site scripting attack that injects a vector that, when clicked, calls the alert function.

Note that you need to label your vector with the word “Click” in order to induce the simulated lab user to click your vector. For example:

<a href="">Click me</a>

This is a really difficult lab, as the most common attributes and events used to trigger XSS (event handlers such as onload/onclick, and href) are all blocked.

Still, I started by testing the <script> tag, and the web app responded with "Tag is not allowed". To find out which tags are allowed, I used Burp Intruder with a list of HTML/SVG tag names as the payload set and got the results below.

Tags which are allowed: a, animate, image, svg, title. As we already know, all event handlers and href attributes are blocked as well. Note that the Intruder result only covers the tags that were in the payload list; the SVG <text> tag, which the final payload below uses, is also accepted by the filter.

Then I searched PortSwigger's XSS Cheat Sheet for a suitable payload and came across this one:

<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>

This one doesn't work either: the xlink:href attribute on <animate> is caught by the href filter. Since an <animate> element with no explicit target animates its parent element by default, I moved it inside the <a> and dropped the xlink:href and id attributes:

<svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click me</text></a>

The <svg> tag embeds Scalable Vector Graphics (SVG) content in an HTML document.

In HTML, the <a> tag creates a hyperlink, which lets you navigate to another page or to a different section of the same page. The <a> stands for "anchor". SVG has its own <a> element that works the same way: when it is clicked, the browser navigates to the URL in its href attribute.

The <animate> tag is not an HTML tag but an SVG animation element (from SMIL). It changes an attribute of its target element over time, and when it has no explicit target it animates its parent element.

Here it gives the parent <a> element an href attribute at runtime: attributeName=href names the attribute to set and values=javascript:alert(1) supplies the value. No literal href attribute appears in the injected markup, so the filter never sees one, but once the SVG is rendered the anchor carries href="javascript:alert(1)", and clicking it executes the alert.

The SVG <text> tag renders the visible "Click me" label, which gives the simulated user something to click.
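To make the difference between the two payloads concrete, here is an added example that is not the lab's own server-side code (which the page does not show) and not the author's: a small JavaScript filter that models the behaviour described above. It allows only the tags a, animate, image, svg, title and text (text is assumed allowed because the final payload uses it), rejects every on* attribute and every href or *:href attribute, and is run against the <script> probe, an event-handler probe, the cheat-sheet payload and the modified payload. A hardened variant additionally rejects <animate> and <set> elements whose attributeName targets href, because that is the gap the working payload slips through. The tokenizer is deliberately minimal and all function names are hypothetical.

```javascript
// Added example: a hypothetical allowlist filter modelled on the lab's
// described behaviour. It is NOT the lab's real server code.
// Allowed tags per the Intruder run, plus <text>, which the final payload
// shows is also accepted (assumption, not confirmed by the page).
const ALLOWED_TAGS = new Set(['a', 'animate', 'image', 'svg', 'title', 'text']);

// Minimal tag/attribute tokenizer: enough for the payloads on this page,
// not an HTML parser. It does not handle comments, CDATA or nested quotes.
const TAG_RE = /<\s*\/?\s*([a-zA-Z][\w:-]*)([^>]*)>/g;
const ATTR_RE = /([^\s=/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function tokenize(html) {
  const tags = [];
  for (const m of html.matchAll(TAG_RE)) {
    const attrs = [];
    for (const a of m[2].matchAll(ATTR_RE)) {
      // Attribute names are case-insensitive; values keep their case.
      attrs.push({ name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] ?? '' });
    }
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// Models the lab: unknown tag -> rejected; any on* attribute -> rejected;
// href or namespaced *:href (e.g. xlink:href) -> rejected.
function labFilter(html) {
  for (const tag of tokenize(html)) {
    if (!ALLOWED_TAGS.has(tag.name)) {
      return { allowed: false, reason: `Tag is not allowed: <${tag.name}>` };
    }
    for (const attr of tag.attrs) {
      if (attr.name.startsWith('on')) {
        return { allowed: false, reason: `Event handler is not allowed: ${attr.name}` };
      }
      if (attr.name === 'href' || attr.name.endsWith(':href')) {
        return { allowed: false, reason: `Attribute is not allowed: ${attr.name}` };
      }
    }
  }
  return { allowed: true, reason: 'ok' };
}

// Hardened variant: the lab filter only looks at literal attributes, but
// SMIL animation elements can set href on their target at runtime. Reject
// <animate>/<set> whose attributeName points at href (or *:href).
const ANIMATION_TAGS = new Set(['animate', 'set']);

function hardenedFilter(html) {
  const base = labFilter(html);
  if (!base.allowed) return base;
  for (const tag of tokenize(html)) {
    if (!ANIMATION_TAGS.has(tag.name)) continue;
    for (const attr of tag.attrs) {
      const target = attr.value.toLowerCase();
      if (attr.name === 'attributename' && (target === 'href' || target.endsWith(':href'))) {
        return { allowed: false, reason: `Animating ${attr.value} is not allowed: <${tag.name}>` };
      }
    }
  }
  return { allowed: true, reason: 'ok' };
}

// The payloads discussed on this page, plus two simple probes.
const SCRIPT_PROBE = '<script>alert(1)</script>';
const EVENT_PROBE = '<svg onload=alert(1)>';
const CHEATSHEET_PAYLOAD =
  '<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>';
const MODIFIED_PAYLOAD =
  '<svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click me</text></a>';

// Stand-alone demo: show what each filter decides for each payload.
for (const [label, p] of [
  ['script probe', SCRIPT_PROBE],
  ['event-handler probe', EVENT_PROBE],
  ['cheat-sheet payload', CHEATSHEET_PAYLOAD],
  ['modified payload', MODIFIED_PAYLOAD],
]) {
  console.log(label, '| lab filter:', labFilter(p).reason, '| hardened:', hardenedFilter(p).reason);
}
```

The lab-style filter rejects the cheat-sheet payload because of xlink:href but passes the modified one, since the only href it ever contains is created by the animation after the markup has been checked. Blocking animation elements that target href closes that specific hole; in a real application the right fix is a maintained HTML sanitizer with a strict allowlist rather than a hand-rolled tokenizer like this one.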

When I submitted the above payload in the search box, a "Click me" link was displayed; as soon as I clicked it, the lab was marked as solved.
