C================================================================================
C ██ ██ ██ ██ ██
C ████ ██ ██ ██ ██ ██ ████
C ██████ ██████ █████ ████ ██████ ██████
C ████ ██ ██ ██ ██ ██ ██ ██ ████
C ██ ██████ ██ ██ ██ ██ ██████ ██
C
C [MEDIUM ARTICLE: XSS & MALICIOUS SVG+XML]
C [RUNNER: >dr.kb< feat. #OG THE ORIGINAL GLITCH]
C [AFFIL: multiverse-lib bkornpob.github.io]
C [ARCHIVE ENTRY: PENTESTERLAB FREE FEB2026]
C
C TAGS:
C #XSS
C #FilterBypass
C #SVG/XML/XSS
C #JavaScript
C #WebSecurity
C================================================================================
C>> ARTICLE BEGINS...
C
C 🌐 INTRODUCTION
C Cross-Site Scripting is a classic, but filters evolve.
C PentesterLab's Feb 2026 XSS series teaches:
C 1. Basic reflection.
C 2. Static filter evasion.
C 3. MIME/extension confusion.
C Three labs, three lessons. 🔓
C
C 🎯 OBJECTIVE
C • Solve XSS-01, XSS-05, SVG-XSS labs.
C • Bypass blacklists, whitelists, and MIME checks.
C • Understand how client/server validation fails.
C
C 🔍 RECON PHASE
C 1. Identify injection points.
C 2. Analyze filters (client/server side).
C 3. Test payloads incrementally.
C 4. Verify execution contexts.
C
C ⚙️ EXPLOITATION WALKTHROUGH
C
C LAB 1: BASIC REFLECTED XSS (XSS-01)
C • Vulnerability: `name` parameter is reflected into the page unsanitized.
C • Payload: `<script>alert(UUID)</script>`.
C • URL encode and inject.
C • Result: Immediate pop-up.
C • Lesson: Always sanitize reflected inputs.
C
C LAB 2: ALERT FILTER BYPASS (XSS-05)
C • Filter: Blacklists string "alert".
C • Bypass: Use `eval(String.fromCharCode(...))`.
C • Tool: Python to convert "alert(UUID)" to ASCII codes.
C • Payload:
C <script>
C eval(String.fromCharCode(97,108,101,114,116,40,39,98,57,...))
C </script>
C • Result: Alert executes without "alert".
C • Lesson: Static filters can't catch dynamic execution.
C
C LAB 3: SVG UPLOAD XSS (SVG-XSS)
C • Filter: Whitelists `.jpg` extension only.
C • Bypass: Upload `.jpg` with `Content-Type: image/svg+xml`.
C • Payload: SVG containing `<script>alert(UUID)</script>`.
C • Request modification:
C Content-Disposition: form-data; filename="anything.jpg"
C Content-Type: image/svg+xml
C • Result: Server serves as SVG → script runs.
C • Lesson: MIME confusion = exploitation vector.
C
C 🧠 KEY INSIGHTS (FOR INTERMEDIATE LEARNERS)
C • Blacklists are fragile; context-aware encoding breaks them.
C • Client-side filters can be bypassed with encoding tricks.
C • Server-side MIME handling often trusts client headers.
C • Polyglot files aren't always needed—sometimes simpler is better.
C • Always test both extension and Content-Type validation.
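C To make the last two insights concrete, here is an added server-side check (example code written for this write-up, not PentesterLab's or the labs' code) that derives the served MIME type from the file extension and the file's own leading bytes, never from the client's Content-Type header. The file names, headers and bodies below are constructed samples.

```python
import os

# Extension whitelist mapped to the only MIME type we will ever serve for it.
ALLOWED = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png"}

# Magic-byte prefixes for the allowed binary formats.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
}


def sniff(body: bytes):
    """Return the MIME type implied by the file's own bytes, or None if unknown."""
    for prefix, mime in MAGIC.items():
        if body.startswith(prefix):
            return mime
    # SVG is text: an XML prolog or <svg root means the browser would treat it as XML/SVG.
    head = body.lstrip()[:256].lower()
    if head.startswith(b"<?xml") or head.startswith(b"<svg"):
        return "image/svg+xml"
    return None


def validate_upload(filename: str, declared_ct: str, body: bytes):
    """Return (accept, reason, serve_as). serve_as comes from the bytes, not the request header."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return (False, f"extension {ext!r} not allowed", None)
    expected = ALLOWED[ext]
    actual = sniff(body)
    if actual != expected:
        # This is the SVG-XSS case: .jpg name, but the bytes are XML/SVG.
        return (False, f"content is {actual or 'unknown'}, expected {expected}", None)
    if declared_ct.split(";")[0].strip().lower() != expected:
        # Header disagrees with the bytes: reject instead of trusting the client.
        return (False, f"declared Content-Type {declared_ct!r} does not match {expected}", None)
    return (True, "ok", expected)


def response_headers(serve_as: str):
    """Headers for serving an accepted file; nosniff stops the browser second-guessing the type."""
    return {"Content-Type": serve_as, "X-Content-Type-Options": "nosniff"}


# Constructed sample uploads (hypothetical values, not from the labs).
SVG_AS_JPG = ("anything.jpg", "image/svg+xml",
              b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"></svg>')
REAL_JPG = ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)

if __name__ == "__main__":
    for sample in (SVG_AS_JPG, REAL_JPG):
        print(sample[0], validate_upload(*sample))
```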
C
C 📝 PSEUDO-CODE (SIMPLIFIED)
C
C # XSS-05 Bypass: turn the blocked string into a String.fromCharCode() call
C s = "alert('b95b1ba2-ee9b-4756-9788-a06b7c31c43d')"
C # One decimal ASCII code per character, comma-separated
C codes = ','.join(str(ord(c)) for c in s)
C print(f"eval(String.fromCharCode({codes}))")
C
C # SVG-XSS Upload
C # Build multipart request with:
C # filename="exploit.jpg"
C # Content-Type: image/svg+xml
C # body: <?xml...><svg><script>alert(...)</script></svg>
C
C 🔗 FOR SEEKERS & DEEPER DIVERS
C • [Complete run logs](2026-02-01.md) 📄
C • [Payload repository](https://github.com/.../xss-feb2026) 🔓
C
C 📌 FINAL THOUGHTS
C Filters are speed bumps, not walls.
C Validation must be consistent across layers.
C Trust no input—even from headers.
C Stay silent, stay sharp, stay secure.
C
C 👋 UNTIL NEXT BREAK
C Keep breaking. Keep learning. Keep glitching.
C >dr.kb< & #OG signing off. ✍️🔐
C
C================================================================================