Burp Suite User Forum


Basic clickjacking with CSRF token protection remains unsolved unless adding 'delete-account' to end of URL?

Tyla | Last updated: Apr 15, 2024 05:34AM UTC

Hello, I followed the instructions to the labs as well as the community solutions video but did not get the lab solved. In Burp's Chromium browser it remains at the login page instead of the account page with the 'delete account' button. BUT, along with the exploit body code given in the solution plus using the Chrome browser instead of Burp's Chromium browser, I find I can only complete this lab by adding "delete-account" to the end of the target URL. However, this is not listed anywhere in the instructions? Is this a bug? This is what I ended up using to solve the lab using the Chrome browser: <iframe src="https://0a1100ce0470c99080d70d270075005e.web-security-academy.net/my-account?delete-account"></iframe>

Dominyque, PortSwigger Agent | Last updated: Apr 15, 2024 10:06AM UTC

Hi Tyla, can you please email support@portswigger.net with a screen recording of your attempt at the lab when following the given solution so we can see the behavior you are experiencing?

Sebastien | Last updated: Apr 15, 2024 12:21PM UTC

Hello, the issue is caused by a new feature that came to Chrome in December 2023, blocking cookies that are being set through an iframe. To make the session cookies work through an iframe, the server issuing the cookie needs to set the "Partitioned" flag on them. That way the session cookie should be available through the iframe. More detail on the new cookie feature here: https://developers.google.com/privacy-sandbox/3pcd
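As an added illustration of the cookie behaviour described in the reply above (example code written for this thread, not code from PortSwigger or the lab): a small Python audit that parses Set-Cookie headers and reports whether each cookie would still be attached to requests made from a page embedded in a cross-site iframe, first under the classic SameSite rules and then with third-party cookies blocked as under Chrome's 3PCD, where only Partitioned (CHIPS) cookies survive. The sample headers are constructed; a session cookie that fails the check is exactly what leaves the framed page at the login screen, which is the symptom in the original post, and a site owner can run the same check over their own headers to see which cookies are reachable in framed contexts.

```python
from dataclasses import dataclass

# Constructed sample Set-Cookie headers (not from the thread) covering the cases that matter here.
SAMPLE_SET_COOKIE = [
    "sess_lax=1; Path=/; Secure; HttpOnly",                                 # SameSite defaults to Lax
    "sess_none_insecure=2; Path=/; HttpOnly; SameSite=None",               # None without Secure is rejected
    "sess_none=3; Path=/; Secure; HttpOnly; SameSite=None",                # classic third-party cookie
    "sess_chips=4; Path=/; Secure; HttpOnly; SameSite=None; Partitioned",  # CHIPS (partitioned) cookie
]

@dataclass
class CookieInfo:
    name: str
    secure: bool
    samesite: str      # "Lax", "Strict" or "None"; Lax when the attribute is absent (Chrome's default)
    partitioned: bool
    httponly: bool

def parse_set_cookie(header: str) -> CookieInfo:
    """Parse one Set-Cookie header value into the attributes relevant to framing."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    samesite = attrs.get("samesite", "").capitalize() or "Lax"
    return CookieInfo(name, "secure" in attrs, samesite, "partitioned" in attrs, "httponly" in attrs)

def sent_in_cross_site_iframe(cookie: CookieInfo, third_party_cookies_blocked: bool) -> bool:
    """Would this cookie accompany a request from a page embedded in a cross-site iframe?"""
    # Cross-site delivery needs SameSite=None, and SameSite=None is only honoured together with Secure.
    if cookie.samesite != "None" or not cookie.secure:
        return False
    # With third-party cookies blocked (Chrome 3PCD), only partitioned (CHIPS) cookies are still attached;
    # Partitioned itself requires Secure, which the check above already enforces.
    if third_party_cookies_blocked and not cookie.partitioned:
        return False
    return True

def audit(headers, third_party_cookies_blocked: bool) -> dict:
    """Map cookie name -> whether it is usable inside a cross-site iframe under the given browser policy."""
    return {c.name: sent_in_cross_site_iframe(c, third_party_cookies_blocked)
            for c in map(parse_set_cookie, headers)}

if __name__ == "__main__":
    for blocked in (False, True):
        print(f"third-party cookies blocked={blocked}:", audit(SAMPLE_SET_COOKIE, blocked))
```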
