Reflected XSS protected by CSP, with CSP bypass


The website in this lab uses CSP and contains a reflected XSS vulnerability.

Reproduction and proof of concept

  1. Enter the following into the search box:

<img src=1 onerror=alert(1)>
  1. Note the payload is reflected, but the CSP prevents the script from executing.

  2. In Burp Proxy, observe that the response contains a Content-Security-Policy header, and the report-uri directive contains a parameter called token. Because you can control the token parameter, you can inject your own CSP directives into the policy.

Content-Security-Policy: default-src 'self'; object-src 'none';script-src 'self'; style-src 'self'; report-uri /csp-report?token=
  1. Visit the following URL, replacing 0a87000e04aa4aacc0a72cd800b1007d with your lab ID:;script-src-elem%20%27unsafe-inline%27

The injection uses the script-src-elem directive in CSP. This directive allows for targeting just script elements. Using this directive, it is possible to overwrite existing script-src rules enabling unsafe-inline injections, which allows for using inline scripts.