Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: Reflected XSS protected by CSP, with CSP bypass

EXPERT

This lab uses CSP and contains a reflected XSS vulnerability.

To solve the lab, perform a cross-site scripting attack that bypasses the CSP and calls the alert function.

Please note that the intended solution to this lab is only possible in Chrome.

ACCESS THE LAB

Solution

  1. Enter the following into the search box:

    <img src=1 onerror=alert(1)>
  2. Observe that the payload is reflected, but the CSP prevents the script from executing.
  3. In Burp Proxy, observe that the response contains a Content-Security-Policy header, and the report-uri directive contains a parameter called token. Because you can control the token parameter, you can inject your own CSP directives into the policy.

  4. Visit the following URL, replacing YOUR-LAB-ID with your lab ID:

    https://YOUR-LAB-ID.web-security-academy.net/?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&token=;script-src-elem%20%27unsafe-inline%27

The injection uses the script-src-elem directive in CSP. This directive allows you to target just script elements. Using this directive, you can overwrite existing script-src rules enabling you to inject unsafe-inline, which allows you to use inline scripts.

Community solutions

Michael Sommer

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find XSS vulnerabilities using Burp Suite

Try for free