Burp Suite User Forum

Create new post

ClickJacking labs remain as not solved

Antonio | Last updated: Feb 01, 2022 12:08AM UTC

Hi PortSwigger Team, Even after completing more times "Basic clickjacking with CSRF token protection" and "Clickjacking with form input data prefilled from a URL parameter" labs, they are showing as not solved. I just started doing labs and I followed the steps outlined in the solution, but the labs remain as unsolved. Please help me. Thanks and best regards.

Michelle, PortSwigger Agent | Last updated: Feb 01, 2022 02:26PM UTC

Thanks for your message. We don't have any issues currently reported for these labs and have been able to solve them. When you clicked 'Store' and then used 'View Exploit' for the lab 'Basic clickjacking with CSRF token protection' did the elements line up correctly? If you'd like to share some details and screenshots of the steps you took, feel free to email them over to support@portswigger.net.

Baka | Last updated: Jul 10, 2023 09:32AM UTC

Ya everything done correctly, I even deleted my account for 20 minutes from clickjacked website for checking if my code is working or not, But still it is not getting solved.

Michelle, PortSwigger Agent | Last updated: Jul 10, 2023 12:06PM UTC

Hi Can you confirm which lab you're working on, please? We've just tested out the lab 'Basic clickjacking with CSRF token protection' and were able to solve it. If you can also share some details on the steps you're taking, we can take a closer look.

Baka | Last updated: Jul 11, 2023 05:31AM UTC

It's the same lab you solved. I am doing same as the solution told, even my account got deleted for 20 min when I checked my exploit. As you told you have solved it, Let me try again and get back to you. Thank you

Yousef | Last updated: Jul 24, 2023 09:42AM UTC

I have the same problem in this lab too

Michelle, PortSwigger Agent | Last updated: Jul 24, 2023 10:40AM UTC

Hi Can you confirm the steps you are taking to complete the lab? If you follow along with the Community Solution video, does that help?

Yousef | Last updated: Jul 24, 2023 01:28PM UTC

I followed the same steps as in the video and unfortunately it didn't work. until now I have solved 3 clickjacking labs=> 1.Lab: Basic clickjacking with CSRF token protection I solved it correctly and it does not appear to be resolved. 2.Lab: Clickjacking with form input data prefilled from a URL parameter I solved it and it already shows that it has been resolved. 3.Lab: Clickjacking with a frame buster script I solved it correctly and it does not appear to be resolved.

Michelle, PortSwigger Agent | Last updated: Jul 24, 2023 01:47PM UTC

Hi Can you send a screen recording of the steps you are taking to solve the lab 'Basic clickjacking with CSRF token protection' to support@portswigger.net so we can take a closer look? When you solved the lab, what behavior did you see, were you testing out the attack on yourself and did you then click on 'Deliver to victim'?

Yousef | Last updated: Jul 24, 2023 02:43PM UTC

I sent a screen record Thanks for your effort, I hope I'm not bothering you

Michelle, PortSwigger Agent | Last updated: Jul 25, 2023 07:25AM UTC

Thanks for your emails. It's good to hear you've been able to solve the 'Basic clickjacking with CSRF token protection' lab :)

Liam | Last updated: Sep 15, 2023 10:03AM UTC

Same problem for me even though everything aligns perfectly. Labs remains as not solved.

Dominyque, PortSwigger Agent | Last updated: Sep 15, 2023 10:08AM UTC

Hi Liam Can you please send a screen recording as well to support@portswigger.net so we can see all the steps being taken?

Nipun | Last updated: Oct 29, 2023 06:30PM UTC

I am facing the same problem, I did proper alignment but still the lab is not getting solved.

Ben, PortSwigger Agent | Last updated: Oct 30, 2023 08:47AM UTC

Hi Nipun, Are you able to provide some details of which lab you are trying to solve, the details of the exploit that you are using and a screenshot of what this looks like when you perform the 'View exploit' functionality within the lab itself? We will then have a better idea of exactly how you are trying to solve the lab and be able to assist you further.

Mac | Last updated: Mar 16, 2024 08:56AM UTC

Same problem for me even though everything aligns perfectly. Labs remains as not solved.

Ben, PortSwigger Agent | Last updated: Mar 18, 2024 08:37AM UTC

Hi Mac, If you can let us know which lab you are attempting and the details of what your exploit is and what it looks like on the screen then that would be great. If it is easier to do this via email then please feel free to email us at support@portswigger.net.

Mac | Last updated: Mar 18, 2024 02:26PM UTC

Basic clickjacking with CSRF token protection

Mac | Last updated: Mar 18, 2024 02:28PM UTC

Even after completing more times "Basic clickjacking with CSRF token protection" and "Clickjacking with form input data prefilled from a URL parameter" labs, they are showing as not solved. I just started doing labs and I followed the steps outlined in the solution, but the labs remain as unsolved. Please help me. Thanks and best regards.

Ben, PortSwigger Agent | Last updated: Mar 19, 2024 09:15AM UTC

Hi Mac, What are you seeing when you use the 'View exploit' functionality within the exploit server for either of these two labs?

Esther | Last updated: May 20, 2024 08:16AM UTC

Hi Portswigger team, I'm facing the same problem with the lab "Basic clickjacking with CSRF token protection". Except in Firefox, in every other browser (even the Burps' one), it loads the login page when you view the exploit (and it's not possible to continue). In Firefox, it also does so, but I'm able to login again inside the iframe and so, adjust the test over the "Delete account" botton. But when I deliver the exploit, it doesn't work. However, there is no problem with the second lab "Clickjacking with form input data prefilled from a URL parameter" which is very similar, but it was delivered just ok and resolved. Could you help me with this issue? Thank you.

Esther | Last updated: May 20, 2024 08:20AM UTC

(Sorry, in the outside Chrome it also works the "View exploit". The "Deliver" doesn't work either)

Ben, PortSwigger Agent | Last updated: May 20, 2024 08:44AM UTC

Hi Esther, There are currently some issues using the embedded browser with these particular labs. A normal version of Chrome should, however, still work. Are you able to provide us with details of the exploit that you are trying to use for this particular lab? I assume when you do use the 'View exploit' functionality the 'Click me' div element lines up with the button?

Esther | Last updated: May 21, 2024 07:30AM UTC

Hi, Yes, I've tried with a normal version of Chrome and I'm able to line up the 'Click me' div element with the 'Delete account' button. The problem is that when I deliver the exploit, it doesn't work. As I said, I don't have this problem with the next two labs (very similars in exploit functionality). Here is the exploit that I've tried again just now: <style> iframe { position:relative; width: 700; height: 600; opacity: 0.0001; z-index: 2; } div { position:absolute; top:496; left:60; z-index: 1; } </style> <div>Click me</div> <iframe src="https://0a4700930472776585809e6800fc0023.web-security-academy.net/my-account?id=wiener"></iframe>

Ben, PortSwigger Agent | Last updated: May 21, 2024 08:10AM UTC

Hi Esther, You should not need to use the id parameter in the iframe - what happens if you remove this and then deliver the exploit to the victim (whilst using a normal version of Chrome)?

Esther | Last updated: May 21, 2024 08:26AM UTC

Hi, I put it the id parameter just trying, because it didn't work. Now, I have tried just again without it, and now it does work. Thank you, it's resolved.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.