Enter the following into the search box:
<img src=1 onerror=alert(1)>
Observe that the payload is reflected, but the CSP prevents the script from executing.
In Burp Proxy, observe that the response contains a Content-Security-Policy header, and the report-uri directive contains a parameter called token. Because you can control the token parameter, you can inject your own CSP directives into the policy.
Visit the following URL, replacing your-lab-id with your lab ID:
The injection uses the script-src-elem directive in CSP. This directive allows you to target just script elements. Using this directive, you can overwrite existing script-src rules enabling you to inject unsafe-inline, which allows you to use inline scripts.
Want to track your progress and have a more personalized learning experience? (It's free!)