Burp Suite User Forum

Login to post

Exploit Server

Miguel | Last updated: Oct 31, 2020 09:36PM UTC

good day. how can I set up a test exploit server or if there is any option online that can be used to test the http atacks part. Cheers...

Ben, PortSwigger Agent | Last updated: Nov 02, 2020 08:12AM UTC

Hi, Are you referring to the Exploit Server that is used in some of Web Academy labs?

Miguel | Last updated: Nov 02, 2020 10:01PM UTC

hello, yes. I used it in the host header atack labs where they provide us with an exploit server to capture cookies.

Ben, PortSwigger Agent | Last updated: Nov 03, 2020 08:53AM UTC

Hi, The Exploit Server is just something that we use in our Web Academy in order to make delivering exploits easier for the user. Some of the topics covered, for example, would require you to host exploits for victim users to access - we simulate this with the Exploit Server and dummy victim users.

David | Last updated: Dec 31, 2020 07:24PM UTC

Miguel - I realize you may have found that reply unhelpful, as did I. I searched for 30 minutes on HOW to access the exploit server. Finally saw it as a button at the top of the page when you are in 'activate lab'. hope this helps

mrloup98 | Last updated: Mar 02, 2021 10:08PM UTC

i cannot find it.can you help me please?

Ben, PortSwigger Agent | Last updated: Mar 03, 2021 08:16AM UTC

Hi, If the lab you are trying to solve involves the use of the Exploit Server then there will be an orange button at the top of the page to access the server once you have launched the lab.

arya | Last updated: Apr 10, 2021 10:51AM UTC

Hello PortSwigger, is it possible to draw a diagram on how the exploit server interact with client on labs such XSS https://portswigger.net/web-security/images/cross-site-scripting.svg?? thanks for the nice labs and materials. Mohammad

Michelle, PortSwigger Agent | Last updated: Apr 13, 2021 10:20AM UTC

There isn't anything special about the exploit server in this case and it's not specific to XSS. The browser just fetches the referenced script file like it would any other referenced resources e.g. images etc. The only difference is that the attacker has been able to point the reference to an external domain (like the exploit server) to trick the browser into loading a malicious resource rather than a legitimate/expected one. We're planning on producing some more content about web fundamentals like this in the future.

Miguel | Last updated: Jun 11, 2021 01:42AM UTC

Thanks averyone for the responses. Regards!!

Mayank | Last updated: Oct 12, 2021 05:48PM UTC

Hey, Can I use Exploit Server in real-world Bug Bounty Program to verify or Prove the finding (e.g:CSRF) Thanks

Michelle, PortSwigger Agent | Last updated: Oct 13, 2021 08:29AM UTC

The exploit server included with the labs is specifically for the Web Security Academy. If you wanted to use an exploit server in the real world you can setup your own server to host the exploits.

You need to Log in to post a reply. Or register here, for free.