The Burp Suite User Forum was discontinued on the 1st November 2024.

Lab: Reflected XSS protected by very strict CSP, with dangling markup attack - attack successful but not marked as solved

Ken | Last updated: Apr 05, 2022 06:01PM UTC

Hi there,

First of all, thanks so much for the awesome Web Security Academy. I've done many of the labs without problem, but strangely with the captioned lab it just doesn't seem to recognize the fact that my attack was successful. I'm pretty sure it's successful because I did see some requests with a CSRF token in my Burp Collaborator client. The solution I used involved injecting a <form> with a <button type=submit>Click me</button>, and the CSRF token is enclosed in the form.

I've tried the following:
- Waiting for the lab to time out and trying the same attack on a new instance
- Using target=_blank for the form
- Using both GET and POST for the form

In each of the attempts above, I verified that I did get a CSRF token from the simulated victim. But still the lab is not marked solved. Your help would be much appreciated.
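The attack Ken describes is a dangling markup injection: reflected input opens a tag with a quoted attribute and never closes it, so the browser treats everything that follows, the CSRF token's hidden input included, as part of that attribute until the next matching quote. The Python below is an added example and is not code from this thread, from PortSwigger or from the lab; the page template, the token value and the probe string are constructed for the illustration. It renders the same reflected parameter once verbatim and once with attribute-safe escaping, then parses each page with the standard library to report which attribute ends up holding the token.

```python
import html
from html.parser import HTMLParser

# Constructed page template (not the lab's real markup). The search term is
# reflected into the page body; the change-email form with its CSRF token
# appears further down, followed by a footer that happens to contain a
# single quote (the apostrophe in "Don't").
PAGE_TEMPLATE = """<h1>Search results for: {term}</h1>
<form action="/my-account/change-email" method="POST">
<input type="hidden" name="csrf" value="{csrf}">
<button type="submit">Update email</button>
</form>
<footer>Don't forget to log out.</footer>
"""

# Constructed token value, not a real one.
CONSTRUCTED_CSRF = "csrf-token-EXAMPLE-0000"

# Probe term: opens a tag with a single-quoted attribute and never closes it.
# No URL or external destination is involved; the probe only shows how far
# an unclosed attribute reaches into the rest of the page.
DANGLING_PROBE = "<span title='"


def render_vulnerable(term: str) -> str:
    """Reflect the term verbatim (the defect)."""
    return PAGE_TEMPLATE.format(term=term, csrf=CONSTRUCTED_CSRF)


def render_fixed(term: str) -> str:
    """Reflect the term with attribute-safe HTML escaping (the fix).

    quote=True turns both " and ' into entities, so user input can never
    open or close an attribute value."""
    return PAGE_TEMPLATE.format(term=html.escape(term, quote=True),
                                csrf=CONSTRUCTED_CSRF)


class _AttrCollector(HTMLParser):
    """Record (tag, attribute name, attribute value) for every start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            self.attrs.append((tag, name, value or ""))


def attributes_holding_token(page: str, token: str) -> list[tuple[str, str]]:
    """Return (tag, attribute) pairs whose value contains the token.

    In a safely rendered page the only hit is the hidden input's own value.
    A hit on any other tag means the surrounding markup, token included, was
    swallowed into an attribute that the reflected input controls."""
    parser = _AttrCollector()
    parser.feed(page)
    parser.close()
    return [(tag, name) for tag, name, value in parser.attrs if token in value]


if __name__ == "__main__":
    print("vulnerable:",
          attributes_holding_token(render_vulnerable(DANGLING_PROBE), CONSTRUCTED_CSRF))
    print("fixed:     ",
          attributes_holding_token(render_fixed(DANGLING_PROBE), CONSTRUCTED_CSRF))
```

Run it and the vulnerable rendering reports the token inside the injected span's title attribute, while the escaped rendering reports it only in the hidden input where it belongs. The point for defenders is that a CSP, however strict, only governs where the swallowed data may be sent; it is contextual output encoding of the reflected value that stops the attribute from being opened in the first place.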

Hannah, PortSwigger Agent | Last updated: Apr 06, 2022 09:09AM UTC

Hi,

Could you clarify how you verified that you got a CSRF token from the victim? In the solution provided, they use the CSRF token to modify the victim's email address. Have you performed the same action with your captured CSRF token?

Ken | Last updated: Apr 06, 2022 01:43PM UTC

Hi Hannah,

First off, I didn't actually peek at any of the answers (despite the apparent hiccup) because I've decided to solve each and every lab on my own for the purpose of learning. And given that my experience with all other labs so far was that the descriptions were specific and precise with respect to the objective, I never had a doubt that the sole mission for this lab was to "bypass the CSP and exfiltrate the CSRF token using Burp Collaborator" (quoted from the lab description, and which I already did).

Anyway, taking your advice, I did try and successfully change the victim's email address, and that indeed triggered the lab to be solved. So, thank you very much for the tips. As a suggestion though, it might perhaps make sense to describe the objective more precisely, just like all other labs.

Once again, thank you very much for such a fantastic platform.

Hannah, PortSwigger Agent | Last updated: Apr 06, 2022 02:25PM UTC