Burp Suite User Forum

Login to post

Lab: CORS vulnerability with internal network pivot attack - step 1 not working

| Last updated: Nov 26, 2019 04:01AM UTC

Hi there, While attempting to follow the instructions for step 1 it does not appear that after "store" the exploit and then "deliver exploit to victim" that the victim is actually visiting the exploit link. There is nothing in the access log to indicate that the exploit server has been visited by the victim. I would have expected to see something like 192.168.x.x .... GET /exploit in the access logs which would naturally trigger whatever javascript is in the exploit. I even went as far as just delivering the "Hello World!" to the victim, and nothing appears in the logs. Unless your code only triggers the victim on certain conditions? However, I would have thought the solution would work. Cheers!

Ben, PortSwigger Agent | Last updated: Nov 26, 2019 08:34AM UTC

Hi, I have just taken a look at this lab and was able to complete Step 1, with the corresponding GET request being shown in the access logs, so it is working correctly. What code are you entering into the exploit server for this step?

Burp User | Last updated: Nov 26, 2019 09:20AM UTC

Problem solved. Found the reason why the initial script wasn't working. Corrected that and proceeded to solve remaining steps. HINT: Go back through other labs to find a solution.

Ben, PortSwigger Agent | Last updated: Nov 26, 2019 10:04AM UTC

Hi Andrew, Glad to hear that you were able to successfully solve this lab.

You need to Log in to post a reply. Or register here, for free.