Lab: Reflected XSS protected by CSP, with CSP bypass
To solve the lab, perform a cross-site scripting attack that bypasses the CSP and calls the
Please note that the intended solution to this lab is only possible in Chrome.
Enter the following into the search box:
<img src=1 onerror=alert(1)>
- Observe that the payload is reflected, but the CSP prevents the script from executing.
In Burp Proxy, observe that the response contains a
Content-Security-Policyheader, and the
report-uridirective contains a parameter called
token. Because you can control the
tokenparameter, you can inject your own CSP directives into the policy.
Visit the following URL, replacing
your-lab-idwith your lab ID:
The injection uses the
script-src-elemdirective in CSP. This directive allows you to target just
scriptelements. Using this directive, you can overwrite existing
script-srcrules enabling you to inject
unsafe-inline, which allows you to use inline scripts.