Lab level → Expert
Lab Link → Lab-event-handlers-and-href-attributes-blocked
XSS Cheat Sheet → https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
Note → This blog is only a part of my PortSwigger notes, so bear with me for any half explanations or unclear notes.
Not Allowed Tags/Events/href-attribute →
Anchor href attribute {Error: Attribute not allowed}
All events {Error: Events are not allowed}
<script> tag {Error: This tag is not allowed}
Allowed tags →
<svg> {SVG root element, also usable as a container}
<animate> {SVG element}
attributeName {attribute of the <animate> tag that names which attribute of the target element is modified}
Note: encodeURIComponent() {Used for URL-encoding the supplied input in the related field.}
📍 Approach and Solution for Lab →
The lab description states that it uses a whitelist of tags. So, we first entered the basic payload <script>alert(1)</script> into the search bar and sent the request.
- The server responded with the error "This tag is not allowed", which means the <script> tag is not in the whitelist.
- Next we tried our <svg> payload, <svg onload=alert(1)>. This time we got the error "Events are not allowed".
- This makes it fairly evident that our <svg> tag was accepted and the filter moved on to the next part of the payload, the event handler, which produced that error. We had found our whitelisted tag → <svg>
You can also use Burp Suite Intruder to test all the tags and check the response body to determine which ones are allowed. The list of all tags is provided by PortSwigger in the XSS cheat sheet.
Now we need to find a way to inject a payload into the page that can be clicked and triggered. Going through the PortSwigger XSS cheat sheet and filtering the payloads for the <svg> tag only, we stumbled upon a payload under the Protocols category.
Payload →
<svg><animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>Click me</text></a>
(Explained later)
- First, if we simply submit this payload in the search bar, the server returns the error saying the attribute is not allowed.
- This is because the server detected that the <animate> tag uses the xlink:href attribute, which is similar to the href attribute of the <a> tag.
- So we need another way of using <a> to make our <svg> payload clickable for the user without using any events or the href attribute.
Note: The xlink:href=#xss attribute specifies that the animation should target the element with the ID "xss".
- To get around this, we used <a> as a container/wrapper tag for the content/code we needed.
- In the payload given below, we placed the <animate> tag inside the <a> tag, which makes the malicious payload carried by <animate> "clickable and executable".
- This made it fully exploitable and we solved the lab. {Explanation of the payload at the end of the document}
Note: <animate> is an SVG element used to animate SVG graphics. It can also be used to change the values of certain attributes.
Final Payload:
<svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click me</text></a>
📍 Payload Explanation →
<svg> tag: Used for displaying vector-based text, images, etc. on a web page. Here it works as a container tag.
<a> tag: Anchor tag used to create hyperlinks. Here it also works as a container tag to hold the actual malicious code and make it clickable.
<animate> element of <svg>: Used to animate SVG graphics. It also lets us change the value of certain attributes, which in this case is the href attribute of the <a> tag.
attributeName=href values=javascript:alert(1) attributes: As stated above, we set the value of href INDIRECTLY through the animate tag. This gives the <a> tag an href attribute without writing one. The value we gave for href was "javascript:alert(1)", which executes and displays an alert box.
<text x=20 y=20>Click me</text> tag: This is also an SVG element, used to display text on the web page. Our payload is complete, but we need to make it visible so that the victim can click on it, so we added a text element saying "Click me". All of this is wrapped in the <a> anchor tag to make the text clickable and execute the content behind it.
😁 Finally, we closed the <a> tag using </a>
The final payload rendered in the web app's source code will look something like this in the response →
<svg>
<a>
<animate attributeName=href values=javascript:alert(1) />
<text x=20 y=20>Click Me</text>
</a>
</svg>
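To show why the lab's filter is bypassable and how a defender could tighten it, here is an added example (not code from the lab or from PortSwigger): naiveFilter mirrors the three error messages observed above, while hardenedFilter additionally treats the attribute an <animate> targets like a literal attribute and refuses javascript: URLs in animation values. The four-tag allow-list is an assumption for the example; the real lab whitelist is larger.

```javascript
// Added example, not the lab's own code: a naive allow-list mirroring the
// three filter errors seen in the lab, beside a hardened variant that also
// inspects what <animate>/<set> would write into their target element.
const ALLOWED_TAGS = new Set(["svg", "a", "animate", "text"]); // assumption
const URL_ATTRS = new Set(["href", "xlink:href"]);
const TAG_RE = /<\s*\/?\s*([a-z][\w:-]*)([^>]*)>/gi;
const ATTR_RE = /([a-z_:][\w:.-]*)\s*(?:=\s*("[^"]*"|'[^']*'|[^\s>]+))?/gi;

// Split a tag's raw attribute string into lower-cased names and unquoted values.
function parseAttrs(raw) {
  return [...raw.matchAll(ATTR_RE)].map((m) => ({
    name: m[1].toLowerCase(),
    value: (m[2] || "").replace(/^["']|["']$/g, ""),
  }));
}

// Returns null when accepted, otherwise the error string the lab would show.
function naiveFilter(html) {
  for (const m of html.matchAll(TAG_RE)) {
    if (!ALLOWED_TAGS.has(m[1].toLowerCase())) return "This tag is not allowed";
    for (const { name } of parseAttrs(m[2])) {
      if (name.startsWith("on")) return "Events are not allowed";
      if (URL_ATTRS.has(name)) return "Attribute not allowed";
    }
  }
  return null;
}

// Same checks, plus: an animation element whose attributeName is a URL-bearing
// attribute, or any value carrying a javascript: URL, is rejected.
function hardenedFilter(html) {
  const verdict = naiveFilter(html);
  if (verdict) return verdict;
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    for (const { name, value } of parseAttrs(m[2])) {
      if (["animate", "set"].includes(tag) && name === "attributename" &&
          URL_ATTRS.has(value.toLowerCase())) return "Attribute not allowed";
      // values= may hold a semicolon-separated list; check every entry
      if (value.split(";").some((v) => /^javascript:/i.test(v.replace(/\s/g, ""))))
        return "Attribute not allowed";
    }
  }
  return null;
}

const FINAL_PAYLOAD =
  "<svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click me</text></a>";
console.log(naiveFilter(FINAL_PAYLOAD), hardenedFilter(FINAL_PAYLOAD)); // null, then the error string
```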
📍 References →
SVG attributes and elements
<animate>
element
Introduction to Anchor tag
Valid to use an anchor tag without href attribute?
Link to the Payload Crafted & Used
URL encoding using encodeURIComponent()
Handy XSS payload resource