In this write-up I will be showing my thought process behind solving the aforementioned PortSwigger Academy challenge. DISCLAIMER! This write-up contains the answer to the challenge, so if you are here for hints, watch out :)
After taking a look around the website, there were two possibilities for where the reflected XSS vulnerability could be; either in the comment field which can be found under each post or the search functionality.
I started by testing out the search functionality with different inputs, to see how it would react, and by simply giving "<a>hola</a>" as input, the website reflected only 'hola'. When inspecting the website DOM, this is what it looked like:

This means that we've found our attack vector. Now I needed to figure out what kind of payload would fire an 'alert()'.
To be completely honest, I was a bit stuck at this point. I did try writing the tags and attributes with different cases. I tried SVG tags, which would come in handy in the end, but I could not see that yet. I tried a lot, so after a while I turned to researching on the web.
This led me to prompting Copilot for any ideas, and the first one it came up with was the one that solved the lab. Here is what it looks like:
<svg>
<a>
<animate attributeName="href" values="javascript:alert(1)"/>
<text x="20" y="20">Click me</text>
</a>
</svg>
This was the first time I had seen something like this. The code above basically sets the attribute and the value of the attribute in an anchor tag indirectly, effectively bypassing the filter.
Put another way: the "<animate>" tag, which is inside the anchor tag, sets the attribute and its value somewhat dynamically (this is how I understand it, may not be totally correct). Per the definition on W3Schools, "… animates an attribute of an element". Then, at the end, we add some text so that the element is actually visible and clickable. And that is how I solved the lab.
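A defensive view of the bypass described above, as an added example that is not part of the original write-up: a Python check that tokenises reflected markup and shows why a filter that only inspects attributes written directly on a tag misses this payload, while one that also inspects SVG animation elements catches it. The filter model and the names `scan` and `Finder` are assumptions made for illustration; the lab's actual filter is not shown on the page.

```python
from html.parser import HTMLParser

# SVG animation elements that write a value into another element's attribute.
ANIMATION_TAGS = {"animate", "set", "animatetransform"}
URL_ATTRS = {"href", "xlink:href"}
C0_AND_SPACE = "".join(map(chr, range(0x21)))

def is_script_url(value):
    # URL parsers drop tab/CR/LF and leading control characters before
    # reading the scheme, so normalise the same way before comparing.
    cleaned = "".join(c for c in value if c not in "\t\r\n")
    return cleaned.lstrip(C0_AND_SPACE).lower().startswith("javascript:")

class Finder(HTMLParser):
    """Tokenises markup and records findings (hypothetical filter model)."""
    def __init__(self, check_animation):
        super().__init__()
        self.check_animation = check_animation
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also called for <tag .../>
        attrs = {name: value or "" for name, value in attrs}
        for name, value in attrs.items():
            if name.startswith("on"):  # deliberately broad: onclick, onbegin, ...
                self.findings.append(f"<{tag}> event handler {name}")
            elif name in URL_ATTRS and is_script_url(value):
                self.findings.append(f"<{tag}> script URL in {name}")
        if self.check_animation and tag in ANIMATION_TAGS:
            # html.parser lower-cases names, so attributeName -> attributename.
            target = attrs.get("attributename", "").strip().lower()
            if target in URL_ATTRS or target.startswith("on"):
                self.findings.append(f"<{tag}> animates {target}")

def scan(markup, check_animation=True):
    finder = Finder(check_animation)
    finder.feed(markup)
    finder.close()
    return finder.findings

# The payload quoted in this write-up.
PAYLOAD = """<svg>
<a>
<animate attributeName="href" values="javascript:alert(1)"/>
<text x="20" y="20">Click me</text>
</a>
</svg>"""

if __name__ == "__main__":
    print("attribute-only check: ", scan(PAYLOAD, check_animation=False))
    print("animation-aware check:", scan(PAYLOAD))
```

The attribute-only pass reports nothing because no tag in the payload carries an `href` or an event handler of its own; an allowlist sanitizer that drops animation elements altogether is a sturdier fix than a blocklist check like this one.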
Thank you for taking the time to read this write-up! This is one of my first stories here on Medium, although maybe some time has passed and you are reading this at a later date, but do make sure to check out the few others that I have posted.