The objective of this lab was to execute a Cross-Site
Scripting (XSS) attack in a search function protected by
a comprehensive blocklist WAF.
My goal was to identify whitelisted SVG tags, find a
compatible event handler that fires automatically, and
bypass a specific WAF filter to execute the alert() function.
##### 2. Reconnaissance (Fuzzing)
I started by testing standard tags (
To map the attack surface, I used Burp Suite Intruder to
fuzz for allowed tags.
Payload: `GET /?search=<§tag§>`
Result: Most tags were blocked, but four specific SVG-related tags returned 200 OK:
- `<svg>`
- `<animatetransform>`
- `<image>`
- `<title>`
##### 3. Vulnerability Analysis
I focused on `<animatetransform>` because it is an animation element. Animation elements have their own lifecycle events, which can be abused to execute code automatically without user interaction.
###### Event Enumeration
I fuzzed the `<animatetransform>` tag for allowed event handlers.
- Standard events: `onload` and `onerror` were blocked or not applicable.
- Animation events: I identified that `onbegin` is a valid event for this tag. It fires immediately when the animation starts.
###### The WAF Bypass (The Slash Trick)
When I attempted to use the event normally (`<animatetransform onbegin=1>`), the WAF blocked it. I suspected the WAF was using a regular expression to look for the pattern `[SPACE]on[a-z]+=`.
To bypass this, I used the Slash Trick. HTML parsers treat
a forward slash (/) as a valid separator between the
tag name and the attribute, but many WAFs fail to
detect it.
- Blocked: `<animatetransform onbegin=1>`
- Allowed: `<animatetransform/onbegin=1>`
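To show why the space-anchored rule misses the slash form and what a separator-aware check looks like, here is an added example (my own code, not part of the lab or the original write-up). It assumes the regex the write-up suspects (`[SPACE]on[a-z]+=`) and constructs two payloads that mirror the blocked and allowed variants; the hardened check tokenizes the markup with Python's `html.parser`, which, like a browser, accepts `/` as an attribute separator.

```python
import re
from html.parser import HTMLParser

# Constructed payloads mirroring the write-up's blocked/allowed variants.
PAYLOAD_SPACE = '<svg><animatetransform onbegin=alert(1)>'
PAYLOAD_SLASH = '<svg><animatetransform/onbegin=alert(1)>'

# The naive rule the write-up suspects: whitespace, then "on<letters>=".
NAIVE_RULE = re.compile(r'\son[a-z]+=', re.IGNORECASE)


def naive_waf_blocks(payload: str) -> bool:
    """True if the space-anchored regex would flag the payload."""
    return NAIVE_RULE.search(payload) is not None


class _EventHandlerFinder(HTMLParser):
    """Collect on* attributes as the HTML tokenizer sees them, so that
    '/' and whitespace are both treated as attribute separators."""

    def __init__(self):
        super().__init__()
        self.handlers = []  # list of (tag, attribute-name)

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith('on'):
                self.handlers.append((tag, name.lower()))

    # Self-closing tags (<x/>) carry attributes the same way.
    handle_startendtag = handle_starttag


def find_event_handlers(payload: str):
    """Return every (tag, on*-attribute) pair found by tokenizing."""
    finder = _EventHandlerFinder()
    finder.feed(payload)
    finder.close()
    return finder.handlers


def tokenizing_waf_blocks(payload: str) -> bool:
    """True if any element carries an on* attribute after tokenizing."""
    return bool(find_event_handlers(payload))
```

Tokenizing closes the separator gap the write-up describes, but it is still a blocklist; contextual output encoding of the reflected search term is the actual fix.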
##### 4. The Exploit Strategy
I constructed a payload using the allowed components:
1. Container: