Cross-site scripting – Reflected XSS | PortSwigger Lab Note #3

This content originally appeared on DEV Community and was authored by Kenny Cipher

Target:

  • Lab URL: https://portswigger.net/web-security/cross-site-scripting/contexts/lab-some-svg-markup-allowed
  • Tools Used:
    1. Browser
    2. Burp Suite

Vulnerability Summary:

  • Type: Reflected XSS
  • Description:

Steps to Exploit:

1. Determine that this is a reflected XSS vulnerability because the input appears directly in the HTML response.

2. Submit the payload alert(1) to test whether script execution is possible.

3. Observe that the <script> tag is blocked, then use Burp Intruder to analyze the filtering mechanism.

4. Observe that most payloads return a 400 response, while payloads using tags such as <svg>, <animatetransform>, <title>, and <image> return a 200 response.

5. Select one allowed tag and use Intruder to test which attributes are permitted.

6. Construct a working payload based on the allowed tags and attributes to trigger the XSS.

Remediation:

The application should implement proper context-aware output encoding to prevent user-supplied data from being interpreted as executable code. All inputs must be safely encoded before being rendered in the browser.

Additionally, input validation should be enforced to block dangerous patterns such as "javascript:" URLs. The use of secure frameworks with built-in XSS protection and the implementation of a Content Security Policy (CSP) are recommended to further reduce risk.
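
The contrast between tag blocklisting and context-aware output encoding, as an added example that is not code from the lab or from the original post. The blocklist contents, function names, response text and sample inputs are assumptions constructed for illustration; the lab's real filter is not shown on this page.

```javascript
// Added example: all names, the deny list and the inputs are constructed.

// Weak approach: reject requests containing tags from a deny list.
// Any tag the list misses (here: SVG elements) is reflected as live markup.
const BLOCKED_TAGS = new Set(["script", "img", "iframe", "body", "object"]);

function blocklistFilter(input) {
  const tags = [...input.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  const blocked = tags.some((t) => BLOCKED_TAGS.has(t));
  return blocked
    ? { status: 400, body: "Tag is not allowed" }
    : { status: 200, body: `<h1>Results for: ${input}</h1>` };
}

// Corrected approach: encode for the HTML body context on output, so every
// character that could open a tag or attribute is rendered as text.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

function renderEncoded(input) {
  return { status: 200, body: `<h1>Results for: ${escapeHtml(input)}</h1>` };
}

// True if the body contains an element the application did not emit itself.
function reflectsMarkup(body) {
  const inner = body.replace(/^<h1>Results for: /, "").replace(/<\/h1>$/, "");
  return /<\s*[a-zA-Z]/.test(inner);
}

// Constructed, inert sample inputs (no event handlers or script content).
const samples = ["<script>x</script>", "<svg><title>x</title></svg>", "plain text"];

for (const s of samples) {
  const weak = blocklistFilter(s);
  const safe = renderEncoded(s);
  console.log(JSON.stringify(s), "| blocklist:", weak.status,
    weak.status === 200 && reflectsMarkup(weak.body) ? "(markup reflected)" : "",
    "| encoded:", reflectsMarkup(safe.body) ? "(markup reflected)" : "(rendered as text)");
}
```

The SVG input passes the deny list with a 200 and reaches the page as markup, while the encoded path renders the same input as literal text regardless of which tag is used.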

Lessons Learned:

This lab demonstrates that even when common tags like <script> are blocked, XSS can still be achieved by leveraging less restricted tags such as SVG. By systematically analyzing the filtering behavior with tools like Burp Intruder, attackers can identify allowed tags and attributes and craft a payload that bypasses the filter. Effective defense requires proper output encoding and avoiding reliance on blacklist-based filtering.


Kenny Cipher | Sciencx (2026-03-19T09:43:50+00:00) Cross-site scripting – Reflected XSS | PortSwigger Lab Note #3. Retrieved from https://www.scien.cx/2026/03/19/cross-site-scripting-reflected-xss-portswigger-lab-note-3/
