Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

CORS vulnerability with basic origin reflection - Unable to solve

Varun | Last updated: Feb 24, 2021 11:58AM UTC

Hi Team, I tried the proposed solution but unable to get exploit working to get the API key. It returns Not Found in the logs. Can you confirm if the doc is updated one ?

Uthman, PortSwigger Agent | Last updated: Feb 24, 2021 12:34PM UTC

Hi Varun, The solution appears to work. Are you submitting the correct API key for the solution? You should see a line similar to the below in the Access log once you have selected Deliver exploit to victim: 2021-02-24 12:32:04 +0000 "GET /log?key={%20%20%22username%22:%20%22administrator%22,%20%20%22email%22:%20%22%22,%20%20%22apikeyXXXXX If you are not seeing this, can you try following along with the video solution below? - https://www.youtube.com/watch?v=wTCACuf6ZPU

Giorgio | Last updated: Mar 17, 2021 10:03AM UTC

Hi Uthman, I would like to understand better a thing. Why we do get the administrator's API key when we launch the exploit? Wouldn't we get the administrator's key only if we send the request with a valid session cookie for the administrator? How does the exploit really works with the exploit server? thank you in advance, Giorgio

Uthman, PortSwigger Agent | Last updated: Mar 17, 2021 10:58AM UTC

The 'victim' selects the exploit (which runs the script in the solution). This would be the equivalent of the administrator running the script that takes them to /accountDetails and exposes their API key in the response.

Giorgio | Last updated: Mar 17, 2021 11:17AM UTC

So, in a real-case scenario we have to trick somebody with and admin access to open the page where the exploit is stored?

Uthman, PortSwigger Agent | Last updated: Mar 17, 2021 11:23AM UTC

That is correct! The exploit server in our lab would need to be created by you so that you can host the exploit somewhere.

Steven | Last updated: Sep 16, 2022 08:53PM UTC

Hi Burp Suite, I tried going through the "CORS vulnerability with basic origin reflection". In following both the instructions referenced in the solutions, the Community solutions as well as the one you referenced above I continue to receive the following error within the log area. Log message: 2022-09-16 20:47:13 +0000 "GET /log?key=%22Resource%20not%20found%20-%20Academy%20Exploit%20Server%22 HTTP/1.1" 200 "User-Agent: Mozilla/5.0 ...

Ben, PortSwigger Agent | Last updated: Sep 19, 2022 08:37AM UTC

Hi Steven, Are you able to provide us with some screenshots of the exact steps that you are taking in order to solve this lab so that we can see what you are doing? If it is easier to provide these via email then please feel free to send us an email to support@portswigger.net.

Spidey271 | Last updated: Oct 21, 2022 03:41PM UTC

Hi, Even I am getting the same error message in the logs as Steven. I used the same script as provided in the Solution section, replacing with my Lab id. This is the screenshot of log file: https://imgur.com/a/idLDSeM

Ben, PortSwigger Agent | Last updated: Oct 24, 2022 08:39AM UTC

Hi, To confirm, you have logged into your account before delivering the exploit? Are we able to see a screenshot of how you have configured the script that you are using in the Exploit Server and the URL of your lab just so that we can rule out anything simple? I am able to solve the lab using the solution provided so it would be useful to see exactly what you are doing when you attempt to solve this.

Alaude | Last updated: Oct 26, 2022 10:16AM UTC

Hello there, I had the exact same problem, i was going crazy at the end. Finally, I guess I found the problem, add https protocol to your url in the exploit : req.open('get','https://[lab-url]/accountDetails',true); Tell us if it works for you !

Joe | Last updated: Jun 17, 2023 05:15PM UTC

Nope

Cia | Last updated: Oct 19, 2023 04:00PM UTC