When you have that feeling an input is vulnerable to XSS but something is blocking or removing the payload, you can use this relatively simple trick using Burp Suite’s Intruder to discover which XSS tags and attributes are able to bypass the block.
It should be somewhat obvious when you input a value containing an common XSS payload that the request is being blocked or stripped, it could be by a piece of custom code or a WAF.
The request:
GET /?search=test HTTP/1.1
is returning:
HTTP/1.1 200 OK
However:
GET /?search=<svg/onload=prompt()>
is returning:
HTTP/1.1 400 Bad Request
or perhaps:
GET /?search=<script>test</script> HTTP/1.1
has it’s tags stripped and searching for:
0 search results for 'test'
Thanks to the great work done by Port Swigger research, we have an comprehensive and regularly updated cheat sheet for XSS events and tags.
Let’s go ahead and send the request to Intruder and highlight the input between the tags < >
Next, visit the cheat sheet and scroll down to Event handlers and click Copy tags to clipboard
Go back to intruder and in the Payloads tab, have Paylod type as Simple list and click Paste for Payload Options and start the attack
View the results and if you’re lucky, you might get a few different responses for certain tags:
Now we know the <body>
tag is not being blocked or stripped, let’s move onto building the rest of our XSS payload and add an event. Go back to intruder, add <body
to the value, include a %20
to include a URL friendly space, and highlight where we will add the event and finaly add a =
which will be in our final XSS payload:
This time go back to the cheat sheet and click Copy events to clipboard, go back to the Payloads tab, clear the previous Payload Options and Paste in the events and start the attack.
View the results and if you’re lucky again you will get some different responses for certain events:
Now have sucessfully got a tag and event bypassed, and an XSS fired off!