The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Academy reflected xss lab not working

Mark | Last updated: Jul 20, 2020 10:55AM UTC

I am trying to complete this lab: https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies I don't have Burp Professional, so I instead use https://webhook.site/ to send the user cookie to, but it doesn't work. After posting the comment I can see only my requests (with my cookie) going to my webhook URL. It seems like the victim user simulation reading blog posts is not working.

Hannah, PortSwigger Agent | Last updated: Jul 20, 2020 12:20PM UTC

Did you try adapting the attack to make the victim post their cookie within a blog comment by exploiting the XSS to perform CSRF instead, as you are unable to use the public Burp Collaborator server?

Mark | Last updated: Jul 20, 2020 01:27PM UTC

Yes, I tried, and even though I was able to make the victim post his session cookie in a comment, the lab is still marked as not solved.

Hannah, PortSwigger Agent | Last updated: Jul 20, 2020 01:33PM UTC

You will need to use the cookie to impersonate the victim.

Mark | Last updated: Jul 20, 2020 02:34PM UTC

Thank you, it worked now :) Just wondering why it didn't work the other way, posting a request to https://webhook.site/
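The reason the injected script can read and forward the session cookie at all is that the lab's cookie carries no HttpOnly flag, so `document.cookie` exposes it. The check below is an added example, not code from this thread or from PortSwigger: it parses `Set-Cookie` header values and reports the attributes a session cookie should carry to limit exactly this class of impact (HttpOnly against script access, Secure against plaintext transport, SameSite against cross-site sending). The cookie name `session` and the sample header values are constructed for the example.

```python
# Audit Set-Cookie headers for the attributes that blunt cookie theft via XSS.
# Added example; cookie name and sample headers are constructed, not from the lab.

# (attribute key as it appears lowercased, display name for findings)
REQUIRED_ATTRS = (
    ("httponly", "HttpOnly"),   # keeps document.cookie from exposing the value
    ("secure", "Secure"),       # keeps the cookie off plaintext HTTP
    ("samesite", "SameSite"),   # limits the browser attaching it cross-site
)


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and lowercased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str, session_names=("session",)) -> list:
    """Return findings for a Set-Cookie header; an empty list means it passes.

    Only cookies whose name is in session_names are checked, since those are the
    ones whose theft lets an attacker impersonate the victim.
    """
    cookie = parse_set_cookie(header)
    if cookie["name"].lower() not in session_names:
        return []
    findings = []
    for key, display in REQUIRED_ATTRS:
        if key not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing {display}")
    # SameSite=None is present but offers no cross-site protection.
    if cookie["attrs"].get("samesite", "").lower() == "none":
        findings.append(f"{cookie['name']}: SameSite=None allows cross-site sending")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: the first resembles a cookie readable by injected
    # script, the second is the hardened form.
    for sample in (
        "session=abc123; Path=/",
        "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    ):
        print(sample, "->", audit_cookie(sample) or "OK")
```

Run the file directly to see the two constructed headers audited; the first reports three missing attributes, the second passes. Adding HttpOnly does not fix the XSS itself, but it removes the direct cookie-exfiltration path the lab demonstrates, which is why the thread's fallback of making the victim act in-session (CSRF through the XSS) still works against an HttpOnly cookie and is the impact worth testing for in a report.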

Hannah, PortSwigger Agent | Last updated: Jul 21, 2020 09:01AM UTC