Burp Suite User Forum


Bug in "Reflected XSS into HTML context with all tags blocked except custom ones" Lab

Hardik | Last updated: Mar 01, 2020 02:09PM UTC

Hello there, good day and I hope you're doing well! First of all, thank you so much to the PortSwigger team for creating Web Academy. It's a really great resource for learning and I am enjoying it. My name is Hardik Maru, and I am currently learning and practicing on Web Academy. While I was practicing on the lab "Reflected XSS into HTML context with all tags blocked except custom ones", I found that I was successfully able to bypass the WAF and my payload was working fine, but the lab was not changing its status to "Solved". I checked the solution and the given solution is not working at all. A similar type of issue happened to me in the Blind SQL Injection lab as well.

Steps to reproduce the issue:
1) Go to the lab: Reflected XSS into HTML context with all tags blocked except custom ones
2) Click on "Go to exploit server"
3) Go down to the input text area of Body
4) Insert this payload: "URL/<svg onload=alert(document.cookie)>"

I have verified that the payload is working fine with some other examples like:
- "URL/<svg onload=alert(1)>"
- "URL/<svg onload=alert(document.domain)>"

I hope you'll figure out the issue and resolve it, as this solution misguided me and it took more time to understand and solve the lab. Thank you. Best regards, Hardik.

Uthman, PortSwigger Agent | Last updated: Mar 02, 2020 11:28AM UTC

Hi Hardik, the solution seems to work fine. You need to paste the exploit code into the 'Body:' section, store the exploit and then deliver it to the victim. Are you updating the payload with your lab ID, or that of the exploit server?

Black | Last updated: Oct 05, 2020 08:00AM UTC

I am having the same issue with this lab. I copied and pasted this into the body section of the exploit server page:

<script> location = 'https://aceb1fd11faff26880b017e201ee0057.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x'; </script>

Two things happened:
1.) On clicking "View exploit" nothing happened.
2.) On clicking "Deliver exploit to victim" the page refreshed but the lab was not marked as completed.

I tried this out on Microsoft Edge Version 85.0.564.68 (Official build) (64-bit) and it did not have any sort of adblock extension installed. This bug is also present on Google Chrome Version 85.0.4183.121 (Official Build) (64-bit).

Uthman, PortSwigger Agent | Last updated: Oct 05, 2020 09:30AM UTC

If you copy and paste the HTML in the solution, it should work. Can you test this in the latest version of Firefox? Also, are you replacing your lab ID with the ID of your lab? Or the exploit server?

Sourabh | Last updated: Oct 08, 2020 06:56AM UTC

But I can't understand how we get this payload:

<script> location = 'https://your-lab-id.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x'; </script>

Am I supposed to use Burp Intruder to figure out the event handler, or a payload like in the previous lab "Reflected XSS into HTML context with most tags and attributes blocked"? I am confused about what I should do. I know this is in the solution, but how does this payload work? Please, can anybody explain it in detail?

Kaustav | Last updated: Oct 18, 2020 05:10PM UTC

<script> location = 'https://your-lab-id.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x'; </script>

This injection creates a custom tag with the ID x. My question is, if we want to build a custom tag it needs JavaScript code which defines the tag. Here I didn't find any such code, and if it's developer-controllable then how can we exploit this? A proper explanation is needed.
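As an added example (not part of this thread, and not PortSwigger's lab code), the following Python script shows the defensive point behind Sourabh's and Kaustav's questions: why a filter that blocks tags by name lets the solution payload through, and what a server should do instead. A browser parses any tag name it does not recognise (such as `<xss>`) as a generic unknown element with no registration code at all, so global attributes like `onfocus` and `tabindex` work on it exactly as on a built-in element; the `#x` fragment in the solution URL then focuses the element with id `x`, which fires the handler. The `BLOCKED_TAGS` set below is a constructed stand-in for the lab's filter, not its real list; the search-parameter value is the one quoted in the thread, decoded the way the server would decode it.

```python
"""Added example: a tag-name denylist is not an XSS defence.

BLOCKED_TAGS is a hypothetical list constructed for this illustration; it
stands in for "all tags blocked except custom ones" and is not the lab's
actual filter. ENCODED_SEARCH is the query value quoted in the thread.
"""
import html
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Constructed stand-in for a "block every known tag" filter (hypothetical).
BLOCKED_TAGS = {
    "script", "img", "svg", "iframe", "body", "input", "a", "object",
    "embed", "video", "audio", "details", "marquee", "style", "form", "button",
}

# The search parameter value from the solution URL quoted above.
ENCODED_SEARCH = "%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E"


class ElementCollector(HTMLParser):
    """Collects (tag, attributes) for every start tag, known or unknown."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases names and accepts unknown tag names such as
        # "xss" just like built-in ones, which mirrors what a browser does.
        self.elements.append((tag, dict(attrs)))


def parse_elements(fragment):
    parser = ElementCollector()
    parser.feed(fragment)
    parser.close()
    return parser.elements


def decode_search_param(encoded):
    """Decode the query value as the server would ('+' and '%20' become spaces)."""
    return unquote_plus(encoded)


def blocked_by_tag_denylist(fragment):
    """The weak check: rejects input only if it uses a tag name on the list."""
    return any(tag in BLOCKED_TAGS for tag, _ in parse_elements(fragment))


def find_event_handlers(fragment):
    """Attribute-level check: report every on* handler on any element.

    Returns a list of (tag, attribute) pairs, e.g. [("xss", "onfocus")].
    Useful as a detection signal in logs or a WAF rule; not a substitute
    for output encoding.
    """
    findings = []
    for tag, attrs in parse_elements(fragment):
        for name in attrs:
            if name.startswith("on"):
                findings.append((tag, name))
    return findings


def reflect_safely(term):
    """The actual fix: HTML-encode the search term before reflecting it."""
    return html.escape(term, quote=True)


if __name__ == "__main__":
    payload = decode_search_param(ENCODED_SEARCH)
    print("decoded search term  :", payload)
    print("denylist blocks it?  :", blocked_by_tag_denylist(payload))
    print("<svg> variant blocked:", blocked_by_tag_denylist("<svg onload=alert(1)>"))
    print("event handlers found :", find_event_handlers(payload))
    print("safely reflected     :", reflect_safely(payload))
```

Running it shows the `<svg onload=...>` variant from the first post is caught by the name-based filter while the `<xss ...>` payload is not, yet both carry an `on*` handler that the attribute-level check reports. The lasting fix is the last function: once the reflected value is HTML-encoded, the tag never exists in the DOM and the question of which tag names to block goes away.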
