Solving Portswigger Academy: Reflected XSS with some SVG markup allowed
This lab has a simple reflected XSS vulnerability. The site is blocking common tags but misses some SVG tags and events.
To solve the lab, perform a cross-site scripting attack that calls the
alert()function.
Lab clearly mentioned that the site blocks common tags but misses some SVG tags and events.
Let’s first check if this is correct.As we visit the lab, we see a search box.
I checked for img tag and it says ‘Tag not allowed’.
Let’s brute force this using Intruder.Allowed tags
After that I again use intruder with svg tag and brute force the events. The result shows only event allowed is onbegin.
When I used payload with above tag and event it did not execute.
Then I used below payload which works for me.
<svg><animatetransform onbegin=alert() attributeName=x></svg>
The animateTransform element animates a transformation attribute on its target element, thereby allowing animations to control translation, scaling, rotation, and/or skewing.
This is how I am able to solve the lab.
