1) Reflected XSS into HTML context with nothing encoded
First, inject < followed by some text to see how your input is reflected. After viewing the page source you will find that the site does not validate (encode) it: the < comes back as a literal <.
payload:-
<script>alert("0xMal0rM0d3")</script>
2) Stored XSS into HTML context with nothing encoded
Inject < with some text and you will find that the comment field does not encode the < symbol, so you can use a payload that relies on < as follows
payload:-
<svg/ onload=alert("0xMal0rM0d3")//
3) Reflected XSS into HTML context with most tags and attributes blocked
You will find that most tags are not allowed, so you need to find a tag that gets past the WAF. Use Burp Suite Intruder to brute-force which tags are allowed, using the XSS cheat sheet found on PortSwigger; you will find that only the <body> tag and custom tags are allowed. After that, brute-force which attributes the WAF allows; you will find that the onbeforeinput, onresize and onratechange events get through. onbeforeinput and onratechange require user interaction, which is not wanted in this lab, so we exclude them. We will use the onresize event because it can fire automatically when the page is loaded inside an iframe.
payload:-
<iframe src="https://0a4b00600425e1958081c773008a00da.web-security-academy.net/?search=<body+onresize%3Dprint(0xMal0rM0d3)>" onload=this.style.width="500px"></iframe>
Here we used the print() function because Chrome prohibits the use of alert() within an iframe. The onload event runs the payload only once the page is fully rendered ("this" refers to the iframe) and simply gives the iframe an arbitrary width, 500 pixels for example, so that the framed page resizes itself and triggers the onresize event in our payload.
4) Reflected XSS into HTML context with all tags blocked except custom ones
In this lab all HTML tags are blocked, so the only way past the WAF is a custom tag, <0xMal0rM0d3> for example. You then set the tabindex attribute to 1 so that the element can receive focus, which fires the JavaScript event named "onfocus"; assign the desired function to that handler. Finally give the element an id (id=a1, for example) so that the exploit executes immediately on page load (refer to the payload for better understanding).
payload:-
<0xMal0rM0d3 tabindex="1" onfocus="alert(document.cookie)" id="a1">
Enter that payload in the input field and don't forget to append the hash a1 (#a1) to the URL, so that it looks like this:-
https://0a0c005d04d08dff8295dde400f100dd.web-security-academy.net/?search=<hamo+tabindex%3D"1"+onfocus%3D"alert(document.cookie)"+id%3D"a1">#a1
Your payload should be ready, but don't forget to use an iframe to deliver it to the victim, like so:-
<iframe src="https://0a0c005d04d08dff8295dde400f100dd.web-security-academy.net/?search=<hamo+tabindex%3D"1"+onfocus%3D"alert(document.cookie)"+id%3D"a1">#a1" width="500px"> </iframe>
5) Reflected XSS with event handlers and href attributes blocked
First of all, since all event handlers are blocked, no on**** event will work, and the <a> tag with href is blocked as well. When you brute-force the whitelisted tags you will find that only these return a 200 status code:
a
animate
svg
image
Later you will find that you can embed HTML tags inside svg tags like so:-
<svg>
<a>
<animate attributeName="href" values="javascript:alert(0xMal0rM0d3)"></animate>
<text x="20" y="20">Click</text>
</a>
</svg>
As mentioned before, this lab's WAF blocks the <a> tag with an href attribute, so we had to find a way to use both, but not together, and that is where the animate tag comes in handy. The animate tag is generally used to animate an attribute of an element.
So we used the animate tag to assign the href attribute to the anchor tag via attributeName, and the values attribute to assign a value to that href attribute of the anchor element.
We also had to use the <text> tag to display text, so that the payload executes when it is clicked (as this is a link using the normal <a> tag).
6) Reflected XSS with some SVG markup allowed
Here the site blocks common tags but misses some HTML tags and events. As usual, brute-force which tags are allowed; these are the ones obtained from Burp Intruder:-
animatetransform
image
svg
title
You will find that the only allowed event is the "onbegin" event.
The animateTransform tag allows you to design animations for your elements, and it accepts the only allowed event mentioned above.
Construct this payload:-
<svg>
<animatetransform onbegin="alert(0xMal0rM0d3)">
</animatetransform>
</svg>
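Added example, not part of the original write-up or the PortSwigger labs, showing the defender's side of all six labs: each reflects the search term into an HTML text context with no output encoding, and the WAFs in labs 3 to 6 rely on tag and attribute blocklists. The blocklist below is a hypothetical, simplified stand-in for those WAFs, and the payloads quoted from this write-up serve as constructed test input.

```javascript
// Added example (not from the original write-up): the labs above reflect a
// search term into an HTML text context with no output encoding. Contextual
// output encoding removes the whole class of bypasses (custom tags,
// svg/animate, rare event handlers) that a blocklist can never enumerate.

// Payloads quoted from the write-up above, used as constructed test input.
const SAMPLE_PAYLOADS = [
  '<script>alert("0xMal0rM0d3")</script>',
  '<svg/ onload=alert("0xMal0rM0d3")//',
  '<0xMal0rM0d3 tabindex="1" onfocus="alert(document.cookie)" id="a1">',
  '<svg><animatetransform onbegin="alert(0xMal0rM0d3)"></animatetransform></svg>',
];

// Entity-encode the characters that are significant in HTML text and
// double-quoted attribute contexts. '&' goes first so that the entities
// produced by the later replacements are not themselves re-encoded.
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hypothetical, simplified tag blocklist in the spirit of the lab WAFs: it
// strips well-known tag names but cannot anticipate custom element names or
// the less common SVG elements the write-up relies on.
const BLOCKED_TAGS = ['script', 'img', 'iframe', 'body', 'a'];
function tagBlocklistFilter(value) {
  return value.replace(/<\/?([a-z][a-z0-9]*)/gi, (match, tag) =>
    BLOCKED_TAGS.includes(tag.toLowerCase()) ? '' : match);
}

// A raw '<' followed by a letter, digit or '/' is enough for the HTML parser
// to open a tag or custom element; encoded output contains only '&lt;'.
function containsRawTag(html) {
  return /<[a-z0-9\/]/i.test(html);
}

// For each payload, report whether each defence let a raw tag through into
// the reflected search-results page.
function compareDefences(payloads = SAMPLE_PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    blocklistBypassed: containsRawTag(tagBlocklistFilter(p)),
    encodingBypassed: containsRawTag(encodeForHtml(p)),
  }));
}
```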