Burp Suite User Forum


ClickJacking labs remain as not solved

Antonio | Last updated: Feb 01, 2022 12:08AM UTC

Hi PortSwigger Team, Even after completing more times "Basic clickjacking with CSRF token protection" and "Clickjacking with form input data prefilled from a URL parameter" labs, they are showing as not solved. I just started doing labs and I followed the steps outlined in the solution, but the labs remain as unsolved. Please help me. Thanks and best regards.

Michelle, PortSwigger Agent | Last updated: Feb 01, 2022 02:26PM UTC

Thanks for your message. We don't have any issues currently reported for these labs and have been able to solve them. When you clicked 'Store' and then used 'View Exploit' for the lab 'Basic clickjacking with CSRF token protection' did the elements line up correctly? If you'd like to share some details and screenshots of the steps you took, feel free to email them over to support@portswigger.net.

Baka | Last updated: Jul 10, 2023 09:32AM UTC

Ya, everything done correctly. I even deleted my account for 20 minutes from the clickjacked website to check if my code is working or not, but still it is not getting solved.

Michelle, PortSwigger Agent | Last updated: Jul 10, 2023 12:06PM UTC

Hi, Can you confirm which lab you're working on, please? We've just tested out the lab 'Basic clickjacking with CSRF token protection' and were able to solve it. If you can also share some details on the steps you're taking, we can take a closer look.

Baka | Last updated: Jul 11, 2023 05:31AM UTC

It's the same lab you solved. I am doing the same as the solution told; even my account got deleted for 20 min when I checked my exploit. As you told you have solved it, let me try again and get back to you. Thank you.

Yousef | Last updated: Jul 24, 2023 09:42AM UTC

I have the same problem in this lab too

Michelle, PortSwigger Agent | Last updated: Jul 24, 2023 10:40AM UTC

Hi, Can you confirm the steps you are taking to complete the lab? If you follow along with the Community Solution video, does that help?

Yousef | Last updated: Jul 24, 2023 01:28PM UTC

I followed the same steps as in the video and unfortunately it didn't work. Until now I have solved 3 clickjacking labs:
1. Lab: Basic clickjacking with CSRF token protection. I solved it correctly and it does not appear to be resolved.
2. Lab: Clickjacking with form input data prefilled from a URL parameter. I solved it and it already shows that it has been resolved.
3. Lab: Clickjacking with a frame buster script. I solved it correctly and it does not appear to be resolved.

Michelle, PortSwigger Agent | Last updated: Jul 24, 2023 01:47PM UTC

Hi, Can you send a screen recording of the steps you are taking to solve the lab 'Basic clickjacking with CSRF token protection' to support@portswigger.net so we can take a closer look? When you solved the lab, what behavior did you see? Were you testing out the attack on yourself and did you then click on 'Deliver to victim'?

Yousef | Last updated: Jul 24, 2023 02:43PM UTC

I sent a screen record. Thanks for your effort, I hope I'm not bothering you.

Michelle, PortSwigger Agent | Last updated: Jul 25, 2023 07:25AM UTC

Thanks for your emails. It's good to hear you've been able to solve the 'Basic clickjacking with CSRF token protection' lab :)

Liam | Last updated: Sep 15, 2023 10:03AM UTC

Same problem for me even though everything aligns perfectly. Labs remain as not solved.

Dominyque, PortSwigger Agent | Last updated: Sep 15, 2023 10:08AM UTC

Hi Liam, Can you please send a screen recording as well to support@portswigger.net so we can see all the steps being taken?

Nipun | Last updated: Oct 29, 2023 06:30PM UTC

I am facing the same problem, I did proper alignment but still the lab is not getting solved.

Ben, PortSwigger Agent | Last updated: Oct 30, 2023 08:47AM UTC

Hi Nipun, Are you able to provide some details of which lab you are trying to solve, the details of the exploit that you are using and a screenshot of what this looks like when you perform the 'View exploit' functionality within the lab itself? We will then have a better idea of exactly how you are trying to solve the lab and be able to assist you further.

Mac | Last updated: Mar 16, 2024 08:56AM UTC

Same problem for me even though everything aligns perfectly. Labs remain as not solved.

Ben, PortSwigger Agent | Last updated: Mar 18, 2024 08:37AM UTC

Hi Mac, If you can let us know which lab you are attempting and the details of what your exploit is and what it looks like on the screen then that would be great. If it is easier to do this via email then please feel free to email us at support@portswigger.net.

Mac | Last updated: Mar 18, 2024 02:26PM UTC

Basic clickjacking with CSRF token protection

Mac | Last updated: Mar 18, 2024 02:28PM UTC

Even after completing more times "Basic clickjacking with CSRF token protection" and "Clickjacking with form input data prefilled from a URL parameter" labs, they are showing as not solved. I just started doing labs and I followed the steps outlined in the solution, but the labs remain as unsolved. Please help me. Thanks and best regards.

Ben, PortSwigger Agent | Last updated: Mar 19, 2024 09:15AM UTC

Hi Mac, What are you seeing when you use the 'View exploit' functionality within the exploit server for either of these two labs?

Esther | Last updated: May 20, 2024 08:16AM UTC

Hi PortSwigger team, I'm facing the same problem with the lab "Basic clickjacking with CSRF token protection". Except in Firefox, in every other browser (even Burp's one), it loads the login page when you view the exploit (and it's not possible to continue). In Firefox, it also does so, but I'm able to log in again inside the iframe and so adjust the test over the "Delete account" button. But when I deliver the exploit, it doesn't work. However, there is no problem with the second lab "Clickjacking with form input data prefilled from a URL parameter", which is very similar, but it was delivered just ok and resolved. Could you help me with this issue? Thank you.

Esther | Last updated: May 20, 2024 08:20AM UTC

(Sorry, in the outside Chrome it also works the "View exploit". The "Deliver" doesn't work either)

Ben, PortSwigger Agent | Last updated: May 20, 2024 08:44AM UTC

Hi Esther, There are currently some issues using the embedded browser with these particular labs. A normal version of Chrome should, however, still work. Are you able to provide us with details of the exploit that you are trying to use for this particular lab? I assume when you do use the 'View exploit' functionality the 'Click me' div element lines up with the button?

Esther | Last updated: May 21, 2024 07:30AM UTC

Hi, Yes, I've tried with a normal version of Chrome and I'm able to line up the 'Click me' div element with the 'Delete account' button. The problem is that when I deliver the exploit, it doesn't work. As I said, I don't have this problem with the next two labs (very similar in exploit functionality). Here is the exploit that I've tried again just now:
<style>
iframe { position:relative; width: 700; height: 600; opacity: 0.0001; z-index: 2; }
div { position:absolute; top:496; left:60; z-index: 1; }
</style>
<div>Click me</div>
<iframe src="https://0a4700930472776585809e6800fc0023.web-security-academy.net/my-account?id=wiener"></iframe>

Ben, PortSwigger Agent | Last updated: May 21, 2024 08:10AM UTC

Hi Esther, You should not need to use the id parameter in the iframe - what happens if you remove this and then deliver the exploit to the victim (whilst using a normal version of Chrome)?

Esther | Last updated: May 21, 2024 08:26AM UTC

Hi, I put in the id parameter just trying, because it didn't work. Now, I have tried just again without it, and now it does work. Thank you, it's resolved.

Bora | Last updated: Jul 11, 2024 01:44PM UTC

The first 3 clickjacking labs have a problem. Even though my payload is correct and works on view exploit, it doesn't solve the lab when I deliver it to victim.

Ben, PortSwigger Agent | Last updated: Jul 12, 2024 09:27AM UTC

Hi Bora, I just replied to your other forum post about this - to confirm, it would be useful to get a screenshot of what you see when you perform the view exploit step with your exploit. If you could supply this either as a link in a forum post (you cannot directly attach files to forum posts) or you can email us directly at support@portswigger.net and we can take a look from there.

Pankaj | Last updated: Jul 18, 2024 06:34PM UTC

The problem which I'm facing in clickjacking lab 1 is when I put my lab id or the url of my lab in the iframe. When I am trying to view the exploit, I'm getting a login page instead of the already logged-in page. <iframe src="https://my lab id.web-security-academy.net/my-account"> As the solution and video both suggest, there will be no parameters. I'm getting the login page in the iframe over and over again. I tried to check it with the parameter as well but it didn't make any difference.

Ben, PortSwigger Agent | Last updated: Jul 19, 2024 07:39AM UTC

Hi Pankaj, Which browser are you using when you attempt the Clickjacking labs? If you use a standard version of Chrome (not the embedded browser) does this allow you to solve these labs?

Pankaj | Last updated: Jul 19, 2024 09:05AM UTC

I tried it on Chromium (Burp browser) and on Firefox. Both of them are showing me the same. But I have not tried it on the normal/standard Chrome yet.

Pankaj | Last updated: Jul 19, 2024 10:06AM UTC

Yes, the standard Chrome is working fine. Thanks for the guidance.

Ben, PortSwigger Agent | Last updated: Jul 19, 2024 10:20AM UTC

Hi Pankaj, If you could give this a go using a standard version of Chrome and let us know how you get on then that would be very useful.
