
Lab: Reflected XSS protected by CSP, with CSP bypass

This lab uses CSP and contains a reflected XSS vulnerability.

To solve the lab, perform a cross-site scripting attack that bypasses the CSP and calls the alert function.

  • Enter the following into the search box:

    <img src=1 onerror=alert(1)>

  • Observe that the payload is reflected, but the CSP prevents the script from executing.

  • In Burp Proxy, observe that the response contains a Content-Security-Policy header, and the report-uri directive contains a parameter called token. Because you can control the token parameter, you can inject your own CSP directives into the policy.

  • The injection uses the script-src-elem directive in CSP. This directive allows you to target just script elements. Using this directive, you can overwrite existing script-src rules, enabling you to inject unsafe-inline, which allows you to use inline scripts.
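As an added illustration (hypothetical application code, not the lab's server or PortSwigger's material), the Python below shows a CSP header builder that pastes a user-controlled report-uri token into the header verbatim, a hardened builder that allow-lists and percent-encodes the token, and a check that flags any directive the application never intended to emit. The expected directive set and the token format are assumptions.

```python
"""Added example: CSP header injection through a report-uri query parameter,
the hardened builder, and a defensive check for unexpected directives."""
import re
from urllib.parse import quote

# Assumed: the directives this application intends to send.
EXPECTED_DIRECTIVES = {"default-src", "report-uri"}


def build_csp_unsafe(token: str) -> str:
    # Hypothetical vulnerable builder: the token is concatenated verbatim, so a
    # ';' inside it terminates report-uri and starts a new directive.
    return f"default-src 'self'; report-uri /csp-report?token={token}"


def build_csp_safe(token: str) -> str:
    # Hardened builder: allow-list the token format (assumed here to be a short
    # URL-safe identifier), then percent-encode it anyway so no CSP delimiter
    # (';' or whitespace) can reach the header value.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", token):
        raise ValueError("invalid report-uri token")
    encoded = quote(token, safe="")
    return f"default-src 'self'; report-uri /csp-report?token={encoded}"


def parse_csp(header: str) -> dict[str, list[str]]:
    # Split a CSP value into directive -> source list the way a browser does:
    # directives are ';'-separated, name and sources whitespace-separated, and
    # a repeated directive name is ignored (first occurrence wins).
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        fields = part.split()
        if fields:
            policy.setdefault(fields[0].lower(), fields[1:])
    return policy


def unexpected_directives(header: str, expected=EXPECTED_DIRECTIVES) -> set[str]:
    # Defensive check for unit tests or response scanning: any directive the
    # application never emits on purpose points at header injection.
    return set(parse_csp(header)) - set(expected)
```

Running `unexpected_directives` over the application's own responses in a test suite catches the injected directive before a browser ever sees it.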

