Trigger `alert(1)` using a reflected XSS vector where most HTML/JS tags and attributes are [**blocked by server-side filtering**, **except for specific SVG elements and event attributes**](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-some-svg-markup-allowed). ``` <img src=1 onerror=alert(1)> ``` Thats the base, lest think how we can cause that. ##### Strategy: Test to Find What Works #### **Step 1: Tag Fuzzing with Burp Intruder** 1. Replace payload: `<§§>` 2. Load XSS tag list (from [PortSwigger cheat sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)) 3. Start attack ![[CleanShot 2025-04-09 at 19.13.46.png]] **Observation:** |Tag|Status| |---|---| |`<script>`|❌ Blocked (400)| |`<img>`|❌ Blocked (400)| |`<svg>`|✅ Allowed (200)| |`<animatetransform>`|✅ Allowed (200)| |`<title>`, `<image>`|✅ Allowed (200)| **→ Only certain SVG tags bypass the filter** ![[CleanShot 2025-04-09 at 19.17.23.png]] Investigate: ![[CleanShot 2025-04-09 at 19.18.58.png]] #### **Step 2: Attribute Fuzzing with Allowed Tag** 1. Replace payload with: `<svg><animatetransform §§=1>` 2. Load list of SVG-friendly event attributes (e.g. `onbegin`, `onload`, `onend`, etc.) 3. Start attack ![[CleanShot 2025-04-09 at 19.20.49.png]] **Observation:** |Attribute|Status| |---|---| |`onload`, `onclick`|❌ Blocked (400)| |`onbegin`|✅ Allowed (200)| **→ `onbegin` can be used for code execution** ![[CleanShot 2025-04-09 at 19.20.26.png]] --- ##### Final Payload **Working XSS vector:** ```html <svg><animatetransform onbegin=alert(1)> ``` **Or the one from cheatsheet:** ```html <svg><animatetransform onbegin=alert(1) attributeName=transform> ``` ✅ Works with or **without** the `attributeName` ✅ **No user interaction** required ✅ Executed immediately during SVG parsing/rendering #### Why It’s Beautiful (and Dangerous) - The payload **completely bypasses filters** for `<script>`, `<img>`, `onerror`, etc. - **SVG is parsed by a separate engine** in the browser, with unique tag/event combinations (like `onbegin`) - **Browser decodes URL-encoded payloads** as part of DOM injection, no need to pre-decode - Even without animation being "visibly active", certain tags like `<animatetransform>` **trigger lifecycle events** that can be hijacked