Burp Suite User Forum

Basic clickjacking with CSRF token protection can't be solved

Mikaelvel | Last updated: Jun 17, 2023 05:58AM UTC

https://portswigger.net/web-security/clickjacking/lab-basic-csrf-protected

I have tried with Firefox and Chrome. I am doing exactly what the solution says, and I have also watched the community solutions. But none of them work, because I am seeing the login page instead of my-account with this code:

    <style>
        iframe {
            position:relative;
            width:700;
            height: 500;
            opacity: 0.5;
            z-index: 2;
        }
        div {
            position:absolute;
            top:100;
            left:100;
            z-index: 1;
        }
    </style>
    <div>Test me</div>
    <iframe src="https://0aff00130496ab968015b72a004e0007.web-security-academy.net/my-account"></iframe>

I suspect that the issue is that when I click on my account I see this URL: https://0aff00130496ab968015b72a004e0007.web-security-academy.net/my-account?id=wiener

Maybe you can fix this by changing it to my-account instead of my-account=username.

Mikaelvel | Last updated: Jun 17, 2023 06:00AM UTC

I have the same problem with this lab: Clickjacking with form input data prefilled from a URL parameter

Dominyque, PortSwigger Agent | Last updated: Jun 19, 2023 02:01PM UTC

Hi, I will test the lab to see if I can replicate the issues. I will get back to you once I have done this; thank you.

Dominyque, PortSwigger Agent | Last updated: Jun 20, 2023 07:02AM UTC

Hi, I have tested the labs and confirmed that they work as they should. I did follow this video solution: https://www.youtube.com/watch?v=g6HJcNvTN1I The explanations were excellent and detailed.

Trabeast | Last updated: Oct 24, 2023 03:37PM UTC

No, they're not working. I've been doing this for how many days and still not solving.

Chim | Last updated: Oct 24, 2023 05:51PM UTC

I am having the same problem as well. It seems like if you are running the test many times, Burp Suite is storing some kind of persistent cookies and caches internally. If you restart Burp Suite and open in a new project, then it may work. My question is how to remove Burp Suite's internal browser cookies, caches, and histories.

Dominyque, PortSwigger Agent | Last updated: Oct 25, 2023 08:20AM UTC

Hi Chim Se, thank you for your question. You can remove/clear the browser data if you navigate to Settings > Tools > Burp's browser. I have attached a screenshot to show where this setting is: https://snipboard.io/nCSj3L.jpg

Chim | Last updated: Oct 26, 2023 12:14AM UTC

I did try that option before and it didn't work either. I also found a new bug for version 10.1.2. I have my browser data saving in ~/Documents/... When I tried to remove the browser's data, it wiped out the whole Documents directory. It actually removed the whole directory, not just the files inside it. I lost so many saved documents!

Dominyque, PortSwigger Agent | Last updated: Oct 26, 2023 08:22AM UTC

Hi Chim Se, this is not a bug; it is intended functionality. We recommend that you only have browser data in the directory set for it. Pressing 'clear all' will clear everything in that folder.
