Burp Suite User Forum


How do I understand how this works? / I do not understand how this payload works

aspiringpentester | Last updated: May 13, 2021 07:59AM UTC

OK, I do not understand, because the lab's title said all elements/tags were blocked except custom, yet the script tag seemed not to be blocked somehow. Also, I understand that the custom tag (xss) was used in the actual URL that was used with the JavaScript:

URL encoded*

<script> location = 'https://your-lab-id.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x'; </script>

URL decoded*

<script> location = 'https://your-lab-id.web-security-academy.net/?search=<xss id=x onfocus=alert(document.cookie) tabindex=1>#x'; </script>

I started to not understand why script worked when it would be filtered. Then I understand the location, but then I got confused again on (tabindex=>#x). So:

1. How did <script> work? I ran my Burp and saw custom tags like img2, a2 got a 200 response.
2. What is tabindex=1>#x?

I am looking forward to your response.

Also, another question that came to mind was: why do I have to go to an exploit server to submit my payload to the victim? I kinda or maybe understand that you have to copy the your to send to a victim in a practical POC, but what came to mind was I never had to do that with the first lab, which only required a payload in the search bar.

Thank you.

Ben, PortSwigger Agent | Last updated: May 13, 2021 08:35AM UTC

Hi, Just to confirm, what is the name of the lab that you are currently trying to solve?

Deepak | Last updated: Sep 01, 2021 09:24AM UTC

Lab: Reflected XSS into HTML context with all tags blocked except custom ones

I couldn't get it either. What's <xss and tabindex?

Ben, PortSwigger Agent | Last updated: Sep 01, 2021 01:16PM UTC

Hi,

This lab blocks all HTML tags so the idea is that you would create your own custom tag in order to circumvent this particular restriction and deliver your payload. The tabindex=1%3E#x entry focuses on this element as soon as the page is loaded, which subsequently causes the alert payload to be fired. You can find out more details about the tabindex on the page below:

https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/tabindex

In certain situations vulnerabilities can only be demonstrated using hosted exploits being accessed by a 'victim' user. In order to make the labs as simple and as easy as possible (so that users do not need to set up any external resources in order to complete them) we provide both an Exploit Server (in order to simulate an external server hosting the exploit) and a 'victim' user (simulating a user that is triggering the exploit).

Cheers

Ben Wright
Technical Product Specialist
PortSwigger
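An added example, not part of the original posts and not PortSwigger's code: it takes the URL quoted in the thread, separates what the server receives (the `search` parameter) from the `#x` fragment that stays in the browser, and runs the parameter through a blocklist filter next to output encoding. The tag list and the function names are assumptions made for illustration.

```javascript
// Added example: the blocklist contents and function names are hypothetical.

// URL quoted in the thread (the value assigned to `location`).
const exploitUrl =
  "https://your-lab-id.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x";

// Assumed sample of standard tags a blocklist-style filter rejects.
const BLOCKED_TAGS = new Set(["script", "img", "a", "body", "svg", "iframe", "div"]);

// Split the URL into the part sent to the server and the part only the browser sees.
function splitRequest(urlString) {
  const url = new URL(urlString);
  return {
    search: url.searchParams.get("search"), // decoded query value, reaches the filter
    fragment: url.hash.slice(1),            // after '#', never sent in the request
  };
}

// Return every tag name in the input that is on the blocklist.
function blockedTagsIn(input) {
  const names = [...input.matchAll(/<\s*\/?\s*([a-z][a-z0-9-]*)/gi)]
    .map((m) => m[1].toLowerCase());
  return names.filter((n) => BLOCKED_TAGS.has(n));
}

// Mitigation: encode on output so no tag, standard or custom, is parsed as markup.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

const { search, fragment } = splitRequest(exploitUrl);
console.log("server receives search =", search);
console.log("fragment (browser only) =", fragment);
console.log("blocklisted tags in search:", blockedTagsIn(search));
console.log("blocklisted tags in '<script>x</script>':", blockedTagsIn("<script>x</script>"));
console.log("encoded reflection:", htmlEncode(search));
```

The `search` value contains only the `xss` tag, which no list of known tags can anticipate, while the encoded reflection contains no markup at all.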
