Burp Suite User Forum


Bug in lab Basic clickjacking with CSRF token protection?

Nadia | Last updated: Oct 22, 2022 09:58PM UTC

Hello, I have issues with the "Basic clickjacking with CSRF token protection" lab. Everything is correct on my part (or so I believe). I have tried with the Burp browser and Chrome, but neither of them displays that I solved the lab. I uploaded a video to show its behavior. https://youtu.be/tPwdGvrMp0A Thanks!

Ben, PortSwigger Agent | Last updated: Oct 25, 2022 07:20AM UTC

Hi Nadia, Thank you for the video. That is interesting - I cannot see anything obviously wrong with the approach that you have taken. In addition, if I run through the lab, using the embedded browser, I can successfully solve it using a very similar solution to yours. Out of interest, do you still see this issue if you attempt the lab again today (I just want to rule out any strange transient quirks that might have been afflicting you)?

Carolina | Last updated: May 25, 2023 01:15PM UTC

Same issue despite using different machines and networks. It cannot be solved.

Ben, PortSwigger Agent | Last updated: May 25, 2023 04:45PM UTC

Hi Carolina, Again, I have just run through this lab and been able to solve it without issue so it does appear to be working. A few things to check from your side:

- Are you using the Chrome browser to mimic the victim user (using the embedded browser will suffice)?
- Are you logging in to your user account prior to configuring the exploit?
- Are you using the 'View exploit' functionality to visually check that the elements that you have configured actually line up with the requisite buttons on the underlying page (the suggested values might not be exactly correct in your setup so there may be some trial and error involved)?
