LAB 14 - Reflected XSS into HTML context with most tags and attributes blocked

Initial instructions

This lab contains a reflected XSS vulnerability in the search functionality but uses a web application firewall (WAF) to protect against common XSS vectors.

To solve the lab, perform a cross-site scripting attack that bypasses the WAF and calls the print() function.

For this lab I will start by entering a normal XSS payload.

But if I send it will block de tag.

So I intercepted the request with Burpsuite. And I send it to the intruder.

Now I will run a custom XSS list containing a list of tags.

And I started the attack, the ones that gave me status code 200 are the ones we need to use.

Now lets build the initial payload and lets load all the events in a list.

And lets run again, so I got many 200 status code values.

Once we know this I built the following XSS payload. And then I delivered to the victim via an iframe.

"><body onresize=print()>

Congratulations, you solved the lab!