Burp Suite User Forum

Forced OAuth Profile Linking

Johnathon | Last updated: Mar 24, 2021 10:13PM UTC

Hi, I've followed all the steps PRECISELY and have watched a couple of different videos on how to complete this lab. It doesn't work! I've noticed that in the videos I've seen, the people making them can just click "Login With Social Media" without having to go to "My Account", whereas I have to go to "My Account" to find the "Login With Social Media" tab. Could this be an issue?? Is my browser broken or something? I make sure to log out and follow the instruction to the TEE! What's going on? It's such a simple lab but it WILL NOT WORK. Any help is greatly appreciated!

Uthman, PortSwigger Agent | Last updated: Mar 25, 2021 10:20AM UTC

Eli | Last updated: Apr 12, 2021 04:03AM UTC

Hi, I'm curious if this was ever resolved. I am experiencing similar issues to Jonathan on this same lab. When attempting it with the browser included with Burp Suite (Proxy > Intercept > Open Browser), I get the connection in the access log, but there is no code in the log. My lab also shows "My Account" and not "Login With Social Media" on the lab homepage. The logs show the connection when "viewing" the exploit and/or delivering it to the victim, but the code is not delivered.

Uthman, PortSwigger Agent | Last updated: Apr 12, 2021 09:12AM UTC

Hi Eli, You should see the 'Login with social media' option if you select 'My account' first. Can you see it there? If not, can you please send a screenshot or screen recording to support@portswigger.net of the steps you are taking?

Eli | Last updated: Apr 12, 2021 02:40PM UTC

Hi Uthman,

This is no longer a problem. I was able to successfully complete the lab while recording the session. I did not note any differences in the steps I had previously taken. I had attempted this lab over 3 sessions across 2 days to give myself time to 'come back' to it, hoping I'd spot my presumed error.

I will note that while I was having this issue, when using the Chromium browser launched by Burp, the iframe would not load. When I would use an 'external' Firefox browser (also configured for Burp), the iframe would load an error message (pasted below). So at this point, I'm not 100% convinced it wasn't user error (i.e. something I did, or didn't do), but I was able to complete the lab.

Displayed iframe error: "https will not allow Firefox to display the page if another site has embedded it..."

Thanks for the quick response! I really appreciate these labs! Thank you!

-Eli

Uthman, PortSwigger Agent | Last updated: Apr 12, 2021 03:05PM UTC

Hi Eli, Thanks a lot for your detailed feedback! Glad you managed to solve the lab in the end. :)

Jonathan | Last updated: Oct 27, 2023 07:56PM UTC

Hey there. I'm having the exact same issue. I've tried: iframe, img tag and straight up 302 redirecting via Location header to the URL with the code in it. I can confirm the "victim" reaches the page. When I go to log in via social media profile, it says I successfully log in but it keeps showing wiener instead of admin.

Jonathan | Last updated: Oct 27, 2023 07:57PM UTC

++ I do drop the request before the code gets used.

Ben, PortSwigger Agent | Last updated: Oct 30, 2023 02:02PM UTC

Hi Jonathan, When you come to drop the request you should see a Burp error in the browser - how are you then returning back to the website? If you click the back button in the browser and then carry on with the solution, does this then work for you? I have just run through this lab and was able to solve it using the solution provided, so it does appear to work as expected. It would be useful to know about the above.

Karal | Last updated: Nov 08, 2023 02:44PM UTC

Hello, I have solved the lab, but can anyone explain why it works with an iframe but not with window.location.href?