Burp Suite User Forum

Lab Solution clarification

Suomynona | Last updated: Feb 07, 2022 06:21AM UTC

Lab: "Reflected XSS into HTML context with all tags blocked except custom ones" https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-all-standard-tags-blocked

I would like some help understanding what I'm missing... Is this method any different than manually putting in the url this:

https://your-lab-id.web-security-academy.net/?=<xss+id=x+onfocus=alert(document.cookie)%20tabindex=1>#x

Also, side-note, the solution seems a bit finicky, and wasn't accepted at first, not to mention the fact that the alert doesn't come up even when it says it was solved/when you view the solved version. Could anyone tell me why? I apologize as I'm rather new to XSS and may need thorough explanations.

**SPOILERS**

Solution says:

1. Go to the exploit server and paste the following code, replacing your-lab-id with your lab ID:

<script>
location = 'https://your-lab-id.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x';
</script>

2. Click "Store" and "Deliver exploit to victim".

This injection creates a custom tag with the ID x, which contains an onfocus event handler that triggers the alert function. The hash at the end of the URL focuses on this element as soon as the page is loaded, causing the alert payload to be called.

James, PortSwigger Agent | Last updated: Feb 08, 2022 10:31AM UTC

Hello,

Thanks for your message.

I have checked this lab and it is working as expected. The solution was accepted on the first attempt and the alert came up when viewing the exploit.

How this lab works is that the exploit server delivers your payload to a simulated "victim", who visits the page. You can see this in the "access log" and confirm the "victim" has visited the exploited page.

Please check the community solution video for the lab for an example of the steps.

Here is a link to learn more about XSS: https://portswigger.net/web-security/cross-site-scripting

Suomynona | Last updated: Feb 08, 2022 11:08PM UTC

Thank you, though I would like to know the real world scenario equivalent to utilizing the "exploit server" feature. And how that differs from manually putting it in the url.

James, PortSwigger Agent | Last updated: Feb 09, 2022 02:39PM UTC

Hello,

In a real world scenario you would likely have your own server set up in order to host and deliver exploits. Using this method is just a convenient way to set up and deliver exploits to a "victim".

The URL in the script performs the same task, but this exposes the payload.
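
The following is an added example, not part of the original thread or of PortSwigger's lab code. It decodes the URL from the quoted solution to show what reaches the server, then compares a hypothetical tag blocklist with HTML output encoding on that value. The blocklist contents, the function names and the results-page markup are assumptions.

```javascript
// Added example: constructed for illustration, not the lab's server code.
// URL taken from the solution quoted in the thread (placeholder host kept).
const SOLUTION_URL =
  "https://your-lab-id.web-security-academy.net/" +
  "?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x";

// Assumed, partial list of standard tag names a blocklist filter might reject.
const BLOCKED_TAGS = new Set(["script", "img", "svg", "body", "iframe", "a", "input"]);

// What the server sees in the reflected parameter, and what stays client-side.
function parseDelivery(url) {
  const u = new URL(url);
  return { search: u.searchParams.get("search"), fragment: u.hash };
}

// Hypothetical blocklist check: passes input whose tag names are all unlisted.
function blocklistAllows(input) {
  const names = [...input.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return names.every((n) => !BLOCKED_TAGS.has(n));
}

// Output encoding for an HTML text context: markup characters become entities.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical results-page fragment reflecting the search term.
function renderResults(term, encode) {
  const shown = encode ? htmlEncode(term) : term;
  return `<h1>0 search results for '${shown}'</h1>`;
}

const { search, fragment } = parseDelivery(SOLUTION_URL);
console.log("decoded search term:", search);
console.log("fragment (never sent to the server):", fragment);
console.log("blocklist allows custom tag:", blocklistAllows(search));
console.log("blocklist allows <img src=1>:", blocklistAllows("<img src=1>"));
console.log("raw reflection:    ", renderResults(search, false));
console.log("encoded reflection:", renderResults(search, true));
```

A filter keyed on tag names passes the custom element, while encoding the reflected value leaves no element for the fragment to focus.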
