Burp Suite User Forum

Are the clickjacking labs no longer working?

Kim | Last updated: Mar 31, 2024 03:52AM UTC

Have been working on the clickjacking labs however it looks like cookies are not being passed to the iframe - when framing the site the my-account page is being redirected to the login page. I did these labs a couple of months ago & was able to complete them - has something changed recently? Tried in both Firefox + Chrome.

Kim | Last updated: Mar 31, 2024 04:53AM UTC

I had to enable third-party cookies in Firefox & Chrome settings - not sure why I didn't have to do that before.

Kim | Last updated: Mar 31, 2024 04:58AM UTC

https://developer.mozilla.org/en-US/blog/goodbye-third-party-cookies/ <- the labs + exam should be updated/or mention that 3rd party cookies need to be enabled.

Ben, PortSwigger Agent | Last updated: Apr 01, 2024 06:16AM UTC

Hi Kim, The embedded browser within the latest versions of Burp has a flag enabled by default that is causing issues with these labs. In the interim, whilst we resolve this issue, you should still be able to use a normal version of Chrome to complete the labs, however (the flag is not enabled in Chrome). To clarify, does this also not work for you?

Ben | Last updated: Jun 25, 2024 07:53PM UTC

The exploit works for me in regular Chrome, but is not working for the victim browser.

Ben, PortSwigger Agent | Last updated: Jun 26, 2024 06:56AM UTC

Hi Ben, Do you have details of what your exploit looks like and what you see when you view the exploit?

Ben | Last updated: Jun 26, 2024 01:50PM UTC

The "click" button is pressed from my logged-in session, changing the email or deleting the user, it's exactly what is supposed to happen. I used Clickbandit to build the PoCs.

mazhar | Last updated: Jul 09, 2024 03:30AM UTC

I have the same issue, and I am a Chrome user. When I view the exploit, the "Click me" button is placed directly on the "update email" button, but still the victim doesn't click on the button.

Ben, PortSwigger Agent | Last updated: Jul 09, 2024 07:48AM UTC

Hi Mazhar, Are you able to email us at support@portswigger.net and include some screenshots of what you are seeing when you view the exploit and what your exploit actually looks like so that we can take a look at this for you?
