To solve the lab, perform a cross-site scripting attack that bypasses the CSP and calls the alert function.
- Enter the following into the search box:
<img src=1 onerror=alert(1)> - Observe that the payload is reflected, but the CSP prevents the script from executing.
- In Burp Proxy, observe that the response contains a
Content-Security-Policyheader, and thereport-uridirective contains a parameter calledtoken. Because you can control thetokenparameter, you can inject your own CSP directives into the policy. - Visit the following URL, replacing
YOUR-LAB-IDwith your lab ID:https://YOUR-LAB-ID.web-security-academy.net/?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&token=;script-src-elem%20%27unsafe-inline%27
The injection uses the script-src-elem directive in CSP. This directive allows you to target just script elements. Using this directive, you can overwrite existing script-src rules enabling you to inject unsafe-inline, which allows you to use inline scripts.