Burp Suite User Forum


Lab: Reflected XSS protected by very strict CSP, with dangling markup attack - attack successful but not marked as solved

Ken | Last updated: Apr 05, 2022 06:01PM UTC

Hi there,

First of all, thanks so much for the awesome Web Security Academy. I've done many of the labs without problem, but strangely with the captioned lab, it just doesn't seem to recognize the fact that my attack was successful. I'm pretty sure it's successful because I did see some requests with a CSRF token in my Burp Collaborator client. The solution I used involved injecting a <form> with a <button type=submit>Click me</button>, and the CSRF token is enclosed in the form.

I've tried the following:

- Waiting for the lab to time out and trying the same attack on a new instance
- Using target=_blank for the form
- Using both GET and POST for the form

In each of the attempts above, I verified that I did get a CSRF token from the simulated victim. But still the lab is not marked solved. Your help would be much appreciated.

Hannah, PortSwigger Agent | Last updated: Apr 06, 2022 09:09AM UTC

Hi, could you clarify how you verified that you got a CSRF token from the victim? In the solution provided, they use the CSRF token to modify the victim's email address. Have you performed the same action with your captured CSRF token?

Ken | Last updated: Apr 06, 2022 01:43PM UTC

Hi Hannah,

First off, I didn't actually peek at any of the answers (despite the apparent hiccup) because I've decided to solve each and every lab on my own for the purpose of learning. And given that my experience with all other labs so far was that the descriptions were specific and precise with respect to the objective, I never had a doubt that the sole mission for this lab was to "bypass the CSP and exfiltrate the CSRF token using Burp Collaborator" (quoted from the lab description, and which I already did).

Anyway, taking your advice, I did try and successfully change the victim's email address, and that indeed triggered the lab to be solved. So, thank you very much for the tips. As a suggestion though, it might perhaps make sense to describe the objective more precisely, just like all other labs.

Once again, thank you very much for such a fantastic platform.

Hannah, PortSwigger Agent | Last updated: Apr 06, 2022 02:25PM UTC

Glad to hear that helped you solve the lab!

I've passed your feedback on to our Academy team, and we'll look into whether the lab description needs amending.

If there's anything else we can help with, then please let us know!
