Burp Suite User Forum


Forced OAuth profile linking

Kelsey | Last updated: Mar 09, 2023 09:35PM UTC

The official solution includes instructions to create an iframe in the exploit server in which the src attribute points to the /oauth-linking... URL. However, the /oauth-linking response includes an X-Frame-Options: SAMEORIGIN header. How is this iframe expected to display?

Michelle, PortSwigger Agent | Last updated: Mar 10, 2023 02:10PM UTC

I’m afraid we can’t provide dedicated mentoring for individual labs. Were you able to solve the lab using the provided solution or by following along with the community solution?

Kelsey | Last updated: Mar 10, 2023 09:57PM UTC

I completely understand, and perhaps I wasn't clear with my description. I am unable to solve the lab following either the provided solution or the community solution. While attempting to debug my issue, I came across the X-Frame-Options header issue I described in the original post, thinking this was preventing the simulated victim from opening the delivered exploit. I feel like this is a bug with this particular lab, so maybe this should be in the Bug Report category instead?

Michelle, PortSwigger Agent | Last updated: Mar 13, 2023 02:00PM UTC

Thanks for the update. We've run through the lab here, and we were able to solve it by following the steps in the solution. You do need to be quite careful around steps 7-10 to make sure the code remains valid, though.

Andrew | Last updated: Apr 17, 2023 11:28AM UTC

Hi Michelle. I have the same problem as Kelsey. The code in /oauth-linking is alive, and we can make a request to the URL https://lab//oauth-linking?code=value. But we can't use an <iframe> as in the solution, because we get a response with the X-Frame-Options: sameorigin header.

Andrew | Last updated: Apr 17, 2023 11:50AM UTC

The lab is solved, but we must use a JavaScript payload. I think you must correct the text in the Solution.

Michelle, PortSwigger Agent | Last updated: Apr 17, 2023 01:30PM UTC

Hi, thanks for your message. Can you email support@portswigger.net with the steps you took to solve the lab and a screen recording of which parts of the solution caused you a problem, so we can review the current steps?

Huot | Last updated: Feb 27, 2024 04:44AM UTC

Hi Michelle and PortSwigger Agent, I now have the same issue that Michelle described. I get the same response with the X-Frame-Options: sameorigin header. The solution you provided and the community solution do not work for this. Is there any solution, or any JavaScript that I can use instead of an iframe?

Michelle, PortSwigger Agent | Last updated: Feb 27, 2024 01:39PM UTC

Hi, I have just tested the steps described in the solution for the lab 'Forced OAuth profile linking' and was able to use them to solve the lab. Is this the same lab you are working on? When you delivered the exploit to the victim, did it contain a stolen code that had not been used before? If you tested the exploit on yourself, did you then steal another code to use on the victim?
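The observation running through this thread (an iframe is refused by X-Frame-Options, yet the lab is still solvable with a JavaScript payload) is expected behaviour: framing restrictions stop a page from being embedded, but they do not stop a cross-site request from reaching /oauth-linking, so they are not a defence against forced profile linking. The defence is to bind the linking callback to the session that started the flow with a single-use state value. The code below is an added illustration of that check and is not code from the lab or from PortSwigger; the endpoint shape, the `exchange_code` callable, the session dict and the provider ids are all constructed for the example.

```python
"""Session-bound OAuth linking callback (added example, not the lab's code).

Assumptions: a hypothetical linking endpoint that receives `code` and `state`,
a session modelled as a plain dict, and a state value minted when the user
starts the linking flow and stored in that session.
"""
import hmac
import secrets


class LinkingError(Exception):
    """Raised when a callback cannot be tied to the current user's session."""


def begin_linking(session: dict) -> str:
    """Start the linking flow: mint a fresh, unguessable state bound to this session."""
    state = secrets.token_urlsafe(32)
    session["oauth_link_state"] = state
    return state


def handle_oauth_linking(session: dict, params: dict, exchange_code) -> str:
    """Process a callback carrying `code` and `state` for the logged-in user.

    `exchange_code(code)` is a hypothetical callable that redeems the
    authorization code with the provider and returns the provider's user id.
    Returns the id that was linked, or raises LinkingError.
    """
    # Single use: the stored state is consumed whether or not the check passes,
    # so a second callback with the same value cannot succeed.
    expected = session.pop("oauth_link_state", None)
    presented = params.get("state")
    if not expected or not presented:
        raise LinkingError("missing state: this session did not start a linking flow")
    if not hmac.compare_digest(expected, presented):
        raise LinkingError("state mismatch: callback does not belong to this session")
    code = params.get("code")
    if not code:
        raise LinkingError("missing authorization code")
    provider_uid = exchange_code(code)
    session["linked_provider_uid"] = provider_uid
    return provider_uid


def fake_exchange(code: str) -> str:
    """Stand-in for the provider's token endpoint (constructed for the example)."""
    accepted = {"code-for-account-a": "social-id-a", "code-for-account-b": "social-id-b"}
    return accepted[code]


def demo() -> dict:
    """Exercise the check with a cross-site callback, a legitimate flow and a replay."""
    results = {}
    # 1. A session that never started a linking flow receives a callback with
    #    a valid code for some other account: rejected, nothing is linked.
    uninitiated = {"user": "example-user"}
    try:
        handle_oauth_linking(uninitiated, {"code": "code-for-account-a"}, fake_exchange)
        results["forced_link_blocked"] = False
    except LinkingError:
        results["forced_link_blocked"] = True
    results["nothing_linked"] = "linked_provider_uid" not in uninitiated
    # 2. A legitimate flow: state minted here, then echoed back by the provider.
    legit = {"user": "example-user"}
    state = begin_linking(legit)
    results["legit_linked"] = handle_oauth_linking(
        legit, {"code": "code-for-account-b", "state": state}, fake_exchange)
    # 3. Replaying the same callback fails because the state was consumed.
    try:
        handle_oauth_linking(legit, {"code": "code-for-account-b", "state": state}, fake_exchange)
        results["replay_blocked"] = False
    except LinkingError:
        results["replay_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The comparison uses `hmac.compare_digest` so the check does not leak timing information, and the stored state is popped before it is compared so every callback, valid or not, consumes it. Adding `X-Frame-Options` or a `frame-ancestors` CSP directive on top of this remains worthwhile against clickjacking, but on its own it leaves the linking endpoint open to exactly the cross-site request the thread describes.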
