Burp Suite User Forum


Having issue signing into the "Basic Clickjacking with CSRF token protection" lab

Phil | Last updated: Jan 06, 2020 09:17PM UTC

I'm unable to even start the lab (https://portswigger.net/web-security/clickjacking/lab-basic-csrf-protected). The provided credentials, carlos/montoya, do not work for me. Any ideas?

Ben, PortSwigger Agent | Last updated: Jan 07, 2020 09:00AM UTC

Hi, I have just checked this lab and the credentials are working fine for me. Have you deleted the carlos/montoya account by mistake during the course of the lab?

Burp User | Last updated: Jan 07, 2020 02:52PM UTC

That was precisely it. I must have unknowingly clicked on Delete at some point. I'm now able to sign in but once I store the HTML and "View exploit", the Test Me button is not loading properly. Here is what I'm getting, https://imgur.com/a/7dUgtRs. Any assistance would be awesome.

Hannah, PortSwigger Agent | Last updated: Jan 07, 2020 02:52PM UTC

What values are you using for width and height? Have you tried adjusting the width, height, top and left values?

Burp User | Last updated: Jan 07, 2020 03:09PM UTC

This is what I have as far as the params.

<style>
    iframe { position:relative; width:$ 500px; height: $ 700px; opacity: $opacity; z-index: 0.0001; }
    div { position:absolute; top:$ 320px; left:$ 60px; z-index: 1; }
</style>
<div>Click me</div>
<iframe src="https://ac061faa1f6cc0c280ac415e00f80099.web-security-academy.net/account"></iframe>

Hannah, PortSwigger Agent | Last updated: Jan 07, 2020 03:11PM UTC

To start with, you will need to remove all the dollar signs that are present in your code. Your first z-index will need to be changed back to 2. You will need to change $opacity to an actual value. The suggested initial value is 0.1. Additionally, the victim will be using Chrome, so if you aren't already, you should be testing using that browser. Please let me know if these steps do not resolve your issue.

Burp User | Last updated: Jan 07, 2020 03:33PM UTC

Tyvm Hannah, Idk how the HTML code was so butchered lol. Appreciate the help!

Hannah, PortSwigger Agent | Last updated: Jan 07, 2020 04:03PM UTC

No problem. Enjoy the rest of the labs!

Matthieu | Last updated: Apr 14, 2020 07:20PM UTC

I am using the following values, and when I look at the preview in Chrome the text is covering the delete button, but it does not validate the challenge for some reason.

<style>
    iframe { position:relative; width:700px; height: 500px; opacity: 0.0001; z-index: 2; }
    div { position:absolute; top:355px; left:60px; z-index: 1; }
</style>
<div>Test me</div>
<iframe src="https://accf1f211eb1ae9380fa2e0300f20051.web-security-academy.net/account"></iframe>

Hannah, PortSwigger Agent | Last updated: Apr 15, 2020 07:16AM UTC

Hi Matthieu, have you tried changing "Test me" to "Click me"?

Ahmet | Last updated: Apr 16, 2020 04:04AM UTC

Hi, I accidentally deleted the user Carlos and cannot log in now. Can you help?

Hannah, PortSwigger Agent | Last updated: Apr 16, 2020 07:03AM UTC

Hi Ahmet, if you wait about 15 minutes, the lab will expire and reset.
