Solution for PortSwigger’s Lab: XSS with some SVG markup allowed
The following is my documentation on PortSwigger’s Academy labs.
End Goal: Use an XSS attack to call an alert() function
Just like in our previous two labs, we will be using Burp Suite to automate the task of finding out which tags and events are allowed past the WAF (Web Application Firewall). For a detailed, step-by-step write-up on how to do that in Burp Suite, go here. The rest of this write-up assumes you know how to take these steps, but as a quick refresher:
- Search for a random string in the target's search box and capture the request in Burp Suite
- Send the request to Intruder
- Replace the string with <>, place the payload position markers between the angle brackets, and paste the tags from the XSS cheat sheet into the payload list
- Look for 200 responses
- Repeat with the events from the XSS cheat sheet pasted into the payload list
- Look for 200 responses
- Craft the final exploit payload and place it in the target site's search box
Investigating our target site
Right off the bat we’ll try a classic payload and see how the target site responds. We’ll enter the following into our search box:
<img src=1 onerror=alert(1)>
After trying our payload we get the immediate message:
"Tag is not allowed". Well, now we know for sure that the WAF is blocking common HTML tags. At this point we could go through a list of tags by hand, testing each one until the page loaded without an error. That would take a very, very long time, however, so, as mentioned at the top, this is where we let Burp Suite do it for us.
Our XSS exploit payload using SVG and an animateTransform element
Once we let Burp Suite do its thing, we find that svg is an allowed tag and animateTransform is an allowed element. Groovy. We can immediately test them out in the search box. We do this not because we doubt Burp Suite (it gave us a 200 response for both of them, after all), but to get a better understanding of how the page is treating them.
"…the first step in exploiting something is making it work the way it's supposed to work first, because if you can't do that it's really hard to make it do something it's not supposed to do." [1]
– Tomnomnom
Paste the following into the target site's search box:
<svg><animateTransform>
When we inspect the results with our Developer Tools we see the following:
Not only are our tag and element allowed, but any double or single quotes in our search have been escaped. Let's dig deeper and learn a little more about these two.
Our friends at MDN have this to say about svg:
"The svg element is a container that defines a new coordinate system and viewport. It is used as the outermost element of SVG documents, but it can also be used to embed an SVG fragment inside an SVG or HTML document." [2]
Knowing this, we can turn our curiosity to animateTransform:
"The animateTransform element animates a transformation attribute on its target element, thereby allowing animations to control translation, scaling, rotation, and/or skewing." [3]
The important part here is that animateTransform fires an event. We can add onbegin to our payload after animateTransform; this tells the browser that when the beginEvent fires it needs to do something more. In this case, that something more is our alert function. We now have the following payload:
<svg><animateTransform onbegin=alert(document.cookie)>
As we saw when we inspected the results of our previous payload, we don't need to add an end tag to either element, as the search page closes them for us automatically.
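From the defensive side, here is an added example (my own code, not the lab's or PortSwigger's) showing why a tag blocklist like the one we hit lets this payload through, and how an allowlist that also strips every on* event-handler attribute neutralises the same input. Both rule sets, and the two sample inputs in the comments, are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed rule sets (not the lab's real WAF rules). Names are lowercase because
# HTMLParser, like a browser's tokenizer, lowercases tag and attribute names.
BLOCKED_TAGS = {"script", "img", "iframe", "body", "object", "embed"}
ALLOWED_TAGS = {"b", "i", "p", "a", "svg", "animatetransform"}
ALLOWED_ATTRS = {"href", "title", "attributename", "type", "dur"}


class Tokens(HTMLParser):
    # Events: ("start", tag, attrs), ("end", tag, None), ("data", text, None)
    def __init__(self):
        super().__init__()
        self.events = []
    def handle_starttag(self, tag, attrs): self.events.append(("start", tag, attrs))
    def handle_endtag(self, tag): self.events.append(("end", tag, None))
    def handle_data(self, data): self.events.append(("data", data, None))

def tokenize(fragment):
    p = Tokens()
    p.feed(fragment)
    p.close()
    return p.events

def event_handlers(fragment):
    """Detection: every on* attribute, whichever tag carries it (onerror, onbegin, ...)."""
    return [(tag, name) for kind, tag, attrs in tokenize(fragment) if kind == "start"
            for name, _ in attrs if name.startswith("on")]

def blocklist_filter(fragment):
    """The lab's approach: refuse listed tags, otherwise pass the input through."""
    if any(k == "start" and tag in BLOCKED_TAGS for k, tag, _ in tokenize(fragment)):
        return "Tag is not allowed"
    return fragment

def allowlist_sanitize(fragment):
    """Rebuild the fragment from allowed tags and non-event attributes only."""
    out = []
    for kind, value, attrs in tokenize(fragment):
        if kind == "data":
            out.append(html.escape(value))        # text is always escaped
        elif value not in ALLOWED_TAGS:
            continue                              # unlisted tag: dropped whole
        elif kind == "end":
            out.append(f"</{value}>")
        else:
            kept = "".join(f' {k}="{html.escape(v or "")}"' for k, v in attrs
                           if k in ALLOWED_ATTRS and not k.startswith("on"))
            out.append(f"<{value}{kept}>")
    return "".join(out)
```

Run against the two payloads from this write-up: `blocklist_filter` rejects the img tag but returns the svg payload untouched, `event_handlers` flags the onbegin attribute on both tags alike, and `allowlist_sanitize` keeps the svg and animateTransform tags but drops the handler.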
Now all we need to do is hit that search button.
Our alert pops up, and you know what that means…
We solved our lab!
Notes
The past three labs (this one included) have been very similar. I believe they are here to really cement the power of Burp Suite's Intruder tool, as well as to strengthen our skills with it through repetition. My biggest takeaway, however, has been the importance of knowing what you are breaking before you break it. The habits I am personally walking away with, and that I adore, are researching the target site with the dev tools and being curious enough to look up the tags that Burp finds. I could just let Burp Suite do its thing and find the exploits for me, but I would walk away with little understanding of why they work. I plan on bringing this mindset to bug bounty hunting once I am comfortable enough with my skills and knowledge to do so. Until then, more labs await!
I referenced the community solution by iNTiGRiTi when doing this write-up. For more of my references see my footnotes below.
Footnotes:
1. Hacker101 – JavaScript for Hackers (created by @STOKfredrik)
2. MDN Documents: svg
3. MDN Documents: animateTransform
Filed under: Cybersecurity,Pentesting,PortSwigger Academy,XSS attack - @ January 6, 2024 2:56 am