Burp Suite User Forum

Lab: Reflected XSS into HTML context with most tags and attributes blocked

Anton | Last updated: Jan 28, 2020 01:36PM UTC

Hi all. I'm working on solving the lab "Reflected XSS into HTML context with most tags and attributes blocked". I get an alert and find a pair of tag / attribute, but the lab does not get marked as solved. My solution is: /?search=<body%20onresize="alert()"> Maybe there is a problem with the lab?

Ben, PortSwigger Agent | Last updated: Jan 28, 2020 01:48PM UTC

Hi, The idea of the lab is to trick the dummy user into visiting your exploit server page and then carrying out an action that triggers the alert. Entering a payload that triggers the alert by you performing a resize of the window is intentionally designed not to solve the lab. Keep trying!

Burp User | Last updated: Jan 28, 2020 07:49PM UTC

I agree with you. I found a similar solution: <body onresize="alert(1)"> and resized the page to evade the WAF and it worked to generate the alert dialog but this is obviously not the solution they are looking for.

Burp User | Last updated: Jan 30, 2020 07:20PM UTC

Hello, I'm not understanding the solution for the lab. Tried to deliver <body onresize=alert(1)> in the search bar and a script that resizes the window of the victim at the exploit server, and still can't get it solved.

Burp User | Last updated: Jan 30, 2020 07:21PM UTC

Hello, But tried only <script> alert(1) in the exploit server and it worked, I don't see this as a viable solution.

Ben, PortSwigger Agent | Last updated: Jan 31, 2020 10:37AM UTC

Hi Andre, Are you able to provide us with more details of the steps you are carrying out so that we can discuss this with the Web Academy team?

Burp User | Last updated: Jan 31, 2020 03:09PM UTC

Hello again, <body onload="alert()"> worked for me just fine simply by delivering an exploit. Is this how it is supposed to work?

Ben, PortSwigger Agent | Last updated: Jan 31, 2020 03:18PM UTC

Hi, The Web Academy developers are currently looking into this issue. We will update this thread when we have some further information.

Ben, PortSwigger Agent | Last updated: Feb 06, 2020 09:07AM UTC

Hi all, This should now have been resolved. You should not now be able to solve the lab by entering a simple exploit in the exploit server.

Burp User | Last updated: Feb 10, 2020 03:12PM UTC

I tried to give the simple exploit in the body content of the exploit server. I tried giving <body%20onresize="alert(document.cookie)"> and also, after trying for some time, I gave the final solution given for the lab. Even after submitting the solution it is displaying as Lab Not Solved. Can I know what's the problem and whether any sort of approach is necessary?

Ben, PortSwigger Agent | Last updated: Feb 10, 2020 03:48PM UTC

Hi, I have just attempted this lab and was able to successfully solve it using the solution provided. Are you clicking the Store and then Deliver exploit to victim buttons after you have entered the payload into the body?

Burp User | Last updated: Feb 10, 2020 06:15PM UTC

Yes sir. I have followed the steps that were given in the solution. I have pasted the same payload, replacing it with my lab-id. For some reason or other it's not showing as Lab Solved. But instead it is showing me Lab Not Solved.

Gadotti | Last updated: Feb 17, 2020 10:03PM UTC

Same for me here... Any solution?

Ben, PortSwigger Agent | Last updated: Feb 18, 2020 01:32PM UTC

Hi, Can you provide step by step details of what you have carried out to try and solve this lab so that we can check?

Chal | Last updated: Feb 18, 2020 03:27PM UTC

I'm totally stuck in this lab. Can anyone provide some tips on how to go on? I tried injecting JS code into the search bar, and discovered that the body tag is whitelisted. Then I went on to the exploit server and tried to craft a <script>alert(document.cookie);</script> payload. My idea was to include this URL in the search bar, but I constantly fail. Is it possible that I totally lost direction? I'd be lucky if anyone can post some hints. Thank you.

a | Last updated: Feb 25, 2020 11:33AM UTC

I am facing this problem too

Ben, PortSwigger Agent | Last updated: Feb 25, 2020 11:39AM UTC

What steps have you carried out in order to try and solve the lab? What issue are you facing?

Meghan | Last updated: Mar 12, 2020 07:02PM UTC

I am trying to solve this level. I am on the exploit server page:

url: I have not touched, the field reads: https://session_id.web-security-academy.net/exploit
file: I didn't touch, reads: /exploit
head: I didn't touch, reads: HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8

For the body, I have copied the following into the body text box: <iframe src="my session url/?search=<body onresize="alert(document.cookie)">" onload=this.style.width='1000px'>

I then click Store and then Deliver exploit to victim. This is similar to the proposed solution for the lesson, but when I do these steps it says I have not solved the lesson.

I also tried with the special chars URL-encoded, so the body field was: <iframe src="https://your-lab-id.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=alert(document.cookie)%3E" onload=this.style.width='1000px'>

Any suggestions for troubleshooting, or identifying if I am misusing the exploit server?

Jayson | Last updated: Mar 12, 2020 07:28PM UTC

The same issues mentioned above have been faced for a couple of days. Kindly help.

Ben, PortSwigger Agent | Last updated: Mar 13, 2020 08:45AM UTC

Hi Meghan, I have just tried this lab with the payload you suggested and it is successfully being solved. Are you using the correct lab-ID (this should be the URL for the actual lab retrieved from the address bar, not the URL for the exploit server that is printed on the exploit server page)?

Ben, PortSwigger Agent | Last updated: Mar 13, 2020 08:57AM UTC

Hi Jayson, Are you able to tell us exactly what issues you are facing and what steps you have carried out so that we can try and assist you?

gilsgil | Last updated: Mar 26, 2020 11:32PM UTC

The problem is that people are copying the URL from the exploit server. I had the same problem too. After copying the URL from the LAB it worked.

Yash | Last updated: Apr 02, 2020 06:34AM UTC

Copy the URL from the lab and not from the exploit server to solve the lab.

ilsap3l | Last updated: Apr 06, 2020 01:24AM UTC

Hello all, I'm working on solving the lab "Reflected XSS into HTML context with most tags and attributes blocked". I used the given payload <iframe src="https://your-lab-id.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=alert(document.cookie)%3E" onload=this.style.width='100px'> and I followed the given steps in the Lab solution. It actually worked and the Lab appeared solved, but where I am confused is that I did not get any reflected XSS popup back. What is actually wrong, did I miss anything?

Ben, PortSwigger Agent | Last updated: Apr 06, 2020 10:03AM UTC

Hi, Do you see the pop up when you click the View exploit button in your Exploit server?

ilsap3l | Last updated: Apr 06, 2020 10:45PM UTC

Thanks, I just did that and I got a popup. I really appreciate it. But please, I still have a question on that. Coming to a real-life scenario, how are we going to test for that, because I put the same payload in the search field and I did not get any popup. If we are testing a website for such reflected XSS with most HTML tags and attributes blocked, I doubt whether there will be a provision for an exploit server... "I am just thinking out loud". Please help and clear my curiosity on this. THANKS.

Ben, PortSwigger Agent | Last updated: Apr 07, 2020 09:08AM UTC

Hi, The lab is designed to teach you how to identify XSS vulnerabilities when a WAF is being used for protection. The Exploit server is our way of allowing you to host your exploits in a simple way and also to simulate a user "activating" said exploit in a realistic manner.

ilsap3l | Last updated: Apr 08, 2020 01:52AM UTC

OK, I understand that now THANKS =:)

wiranamaku | Last updated: Apr 17, 2020 08:51AM UTC

So Ben, sorry if I'm wrong, so it is like clickjacking a website with an XSS payload inside an iframe tag?

arie | Last updated: Apr 30, 2020 01:08AM UTC

Tried pasting both server and lab URL, putting the exploit in body, Store > Deliver > View exploit. Nothing, just a tiny iframe with no alerts or anything.

Uthman, PortSwigger Agent | Last updated: Apr 30, 2020 08:01AM UTC

Are you following the instructions in the lab solution? Have you checked out any walkthroughs on YouTube?

Lulzash | Last updated: May 09, 2020 06:42AM UTC

Hey, I am following all the instructions but no alert. Is my browser blocking that XSS? What's wrong? I am not able to debug.

Uthman, PortSwigger Agent | Last updated: May 11, 2020 07:15AM UTC

Can you provide more detail on the exact steps you are following? What browser are you using?

Black | Last updated: Oct 03, 2020 06:30PM UTC

I'm having the same issue of not having the lab marked as completed despite trying my best to follow the solution. Pasted this: <iframe src="https://ac7f1f761e6c844a805a1d7001530061.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=alert(document.cookie)%3E" onload=this.style.width='100px'> into the body textarea of the server exploit page. After clicking Store -> View exploit, only a tiny iframe window loaded and no popup was triggered. Ran on Firefox 60.6.2esr (64-bit) (Kali 2019 VirtualBox) and Chrome Version 85.0.4183.121 (Official Build) (64-bit) on Windows 10.

Uthman, PortSwigger Agent | Last updated: Oct 05, 2020 09:26AM UTC

I just completed the lab with the instructions. Can you please try again? I removed the existing content in the Body box and replaced it with: <iframe src="https://<MY-LAB-ID>.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=alert(document.cookie)%3E" onload=this.style.width='100px'> Select Store > Deliver to victim. The lab should mark as solved.

Black | Last updated: Oct 05, 2020 10:33AM UTC

Just tried this: <iframe src="https://<ac4c1fb41e70840e814c66a3012c008e>.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=alert(document.cookie)%3E" onload=this.style.width='100px'> Hello World! was erased, but the same issue persisted. Lab was not marked as completed after storing the exploit. To add, when I clicked on View Exploit, div.icon.icon-generic showed up but no alert popup that showed the cookie. Also, 2 adblockers are installed on Chrome, but both are disabled on portswigger.net.

Uthman, PortSwigger Agent | Last updated: Oct 05, 2020 10:39AM UTC

Thanks. Can you try this in the latest version of Firefox?

Elias | Last updated: Nov 02, 2020 08:49PM UTC

Hello, I'm facing the same problem. I managed to trigger the alert of document.cookie in the exploit server. But the lab doesn't change to "Solved". I tried to follow the solutions of the lab too and I get the alert again, but the lab is still "Not Solved". Any ideas what I can do? The payload used in the exploit server: <iframe src="https://acf41fb01ea2ee298046859f000e003d.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=alert(document.cookie)%3E" onload="this.style.width='100px'" style="width: 100px;"> </iframe> https://imgur.com/a/XlpHN52 -> Image when I trigger the "alert(document.cookie)"

Uthman, PortSwigger Agent | Last updated: Nov 03, 2020 09:28AM UTC

Elias, I just tested this in the latest version of Firefox and it works. You need to paste your exploit into the Body > Replace your-lab-id with your lab ID (not the exploit server ID) > Store > Deliver exploit to victim. Can you wait for the lab to reset (~15 mins) and try again?

K | Last updated: Nov 28, 2020 05:54PM UTC

Since the lab is for reflected XSS, if I put the same payload in the search bar it should get executed, right? But it is not getting reflected... May I know how this is reflected XSS?

Uthman, PortSwigger Agent | Last updated: Nov 30, 2020 10:17AM UTC

Are you using the official solution? You should be able to view your exploit if you store it first and then select View exploit. You need to select Deliver exploit to victim once you know that it works. The XSS is actually reflected in the victim's browser. What are you pasting into the body on the exploit server?

Dhruv | Last updated: Apr 05, 2021 10:53AM UTC

I am solving this lab and I have gone through this link https://portswigger.net/web-security/cross-site-scripting/cheat-sheet. The payload works <math><x href="javascript:alert(document.cookie)>click" on clicking the "click" the payload works. But lab is not solved.

Uthman, PortSwigger Agent | Last updated: Apr 06, 2021 09:45AM UTC

Have you tried using the official solution?

Andrew | Last updated: Apr 14, 2021 07:19PM UTC

Hi, I'm having an issue with this as well. I've pasted the official solution and replaced "your-lab-id" with the lab id. I've also tried waiting for the lab to reset. I'm in the latest version of Firefox. Steps: Go to exploit server, replace body with this: <iframe src="https://ac971f031e593b24805a96c901890087.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=alert(1)%3E" onload=this.style.width='100px'> Click Store, then click Deliver exploit to victim. The lab does not show as solved. I've double and triple checked the lab id. When I click "View exploit", it takes me to https://ac971f031e593b24805a96c901890087.web-security-academy.net/exploit which shows a small scrollable window of the exploit page.

Uthman, PortSwigger Agent | Last updated: Apr 15, 2021 08:21AM UTC

I just completed it with the instructions in the lab. Are you replacing your-lab-id with your lab ID? Or your exploit server ID? Can you please send a screen recording to support@portswigger.net?

Andrew | Last updated: Apr 17, 2021 05:51AM UTC

Ah, that's what it was. I didn't realize the URL on the exploit server page had the exploit server ID - I was thinking that was still the lab ID. Putting the lab ID from the main lab page in the body of the exploit server page worked. Had a feeling it was something super small like that, haha. Thanks!

Uthman, PortSwigger Agent | Last updated: Apr 19, 2021 08:16AM UTC

No problem! Let us know if you have any other issues.

PortManiaMasterAgain | Last updated: Jun 16, 2021 08:03AM UTC

Question! I have solved the lab. However, does anyone know why you only have to URL-encode some parts of the iframe body and not others? The solution iframe: <iframe src="https://your-lab-id.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=alert(document.cookie)%3E" onload=this.style.width='100px'> Why can you have '=' and '()' not URL-encoded, but you have to have '">' and ' ' (space) encoded?
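Added example, not part of the thread or of PortSwigger's lab solution: it runs the decoded search value from the post above through the WHATWG URL serializer (as implemented in Node.js) to show which of its characters a URL query cannot carry literally, then shows the same value HTML-escaped, as output encoding would reflect it. The host lab.example and the function names are assumptions made for the illustration.

```javascript
// Added illustration. lab.example is a placeholder host, not a real lab ID.
// Decoded form of the search value quoted in the thread.
const RAW = '"><body onresize=alert(document.cookie)>';

// Serialize a URL whose query carries the value literally and return the
// query as the URL parser emits it. The URL Standard's query percent-encode
// set contains space, ", #, < and > (plus control characters), so those are
// rewritten; '=', '(' and ')' are legal in a query and pass through unchanged.
function serializedQuery(value) {
  return new URL('https://lab.example/?search=' + value).search;
}

// What the application receives once the query string has been decoded.
function decodedSearch(url) {
  return new URL(url).searchParams.get('search');
}

// List the distinct characters of a value that the serializer had to encode.
function encodedChars(value) {
  const changed = new Set();
  for (const ch of value) {
    if (serializedQuery('x' + ch + 'x') !== '?search=x' + ch + 'x') changed.add(ch);
  }
  return [...changed];
}

// Output encoding for an HTML text or attribute context: the reflected value
// becomes inert text instead of markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Note: inside src="..." a literal " would also end the HTML attribute, which
// is a second, independent reason that character appears as %22.
console.log(serializedQuery(RAW));
console.log(encodedChars(RAW));
console.log(escapeHtml(RAW));
```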

Khaaled | Last updated: Nov 24, 2021 09:36PM UTC

Trying to solve the lab 'Reflected XSS into HTML context with most tags and attributes blocked', I can't get the benefit of using the part '" onload=this.style.width='100px'>'. Where exactly should it be submitted? I mean, what is the exact tag that part should be appended to? Thanks.

Uthman, PortSwigger Agent | Last updated: Nov 25, 2021 08:06AM UTC
