The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Are the clickjacking labs no longer working?

Kim | Last updated: Mar 31, 2024 03:52AM UTC

Have been working on the clickjacking labs however it looks like cookies are not being passed to the iframe - when framing the site the my-account page is being redirected to the login page. I did these labs a couple of months ago & was able to complete them - has something changed recently? Tried in both Firefox + Chrome.

Kim | Last updated: Mar 31, 2024 04:53AM UTC

I had to enable third-party cookies in Firefox & Chrome settings - not sure why I didn't have to do that before.

Kim | Last updated: Mar 31, 2024 04:58AM UTC

https://developer.mozilla.org/en-US/blog/goodbye-third-party-cookies/ <- the labs + exam should be updated/or mention that 3rd party cookies need to be enabled.

Ben, PortSwigger Agent | Last updated: Apr 01, 2024 06:16AM UTC

Hi Kim, The embedded browser within the latest versions of Burp has a flag enabled by default that is causing issues with these labs. In the interim, whilst we resolve this issue, you should still be able to use a normal version of Chrome to complete the labs, however (the flag is not enabled in Chrome). To clarify, does this also not work for you?

Ben | Last updated: Jun 25, 2024 07:53PM UTC

The exploit works for me in regular Chrome, but is not working for the victim browser.

Ben, PortSwigger Agent | Last updated: Jun 26, 2024 06:56AM UTC

Hi Ben, Do you have details of what your exploit looks like and what you see when you view the exploit?

Ben | Last updated: Jun 26, 2024 01:50PM UTC

The "click" button is pressed from my logged-in session, changing the email or deleting the user, it's exactly what is supposed to happen. I used Clickbandit to build the PoCs.

mazhar | Last updated: Jul 09, 2024 03:30AM UTC

I have the same issue, and I am a Chrome user. When I view the exploit, the "Click me" button is placed directly on the "update email" button, but still the victim doesn't click on the button.

Ben, PortSwigger Agent | Last updated: Jul 09, 2024 07:48AM UTC