Burp Suite User Forum


multistep clickjacking

shubham | Last updated: Feb 01, 2022 07:06PM UTC

<style>
iframe {
  position:relative;
  width: 500px;
  height: 700px;
  opacity: 0.0001;
  z-index: 2;
}
.firstClick, .secondClick {
  position:absolute;
  top:410px;
  left:60px;
  z-index: 1;
}
.secondClick {
  left:60px;
  top:510px;
}
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://ac3d1fd71f177443c078af8700590090.web-security-academy.net/my-account"></iframe>

I'm stuck at this lab, tried 10 times, please help.

Ben, PortSwigger Agent | Last updated: Feb 02, 2022 08:45AM UTC

Hi Shubham, The exploit that you are entering within the Exploit Server is not meeting the requirements to solve the lab - have you used the 'View exploit' functionality in order to double check that the 'Click me first' element lines up with the 'Delete' button and the 'Click me next' element lines up with the 'Yes' button (used to subsequently confirm that you wish to delete the user account after the 'Delete' button has been pressed)? From the values that you have used, it looks like the 'Click me first' element is lined up with the 'Update email' button and the 'Click me next' element is lined up with the 'Delete' button (which is incorrect). The written solution provides a good guide on how to do this if you are stuck.

Adrian | Last updated: May 22, 2023 12:22PM UTC

Hey, the issue I face with this lab is that it appears to show the login page instead of the /my-account page. Even though I watched a few videos online and did the same, the issue is that /login appears instead of /my-account. This line: <iframe src="YOUR-LAB-ID.web-security-academy.net/my-account"></iframe> redirects in "view exploit" to /login, but not to my account, which is strange.

Ben, PortSwigger Agent | Last updated: May 22, 2023 01:06PM UTC

Hi, Have you logged in prior to creating your exploit?

Adrian | Last updated: May 23, 2023 10:46AM UTC

Hello Ben, Yes, I've been following the steps one by one multiple times and still encounter this issue. My colleague and I are working on it and he is getting the same issue on his side. Could you please look into it?

Ben, PortSwigger Agent | Last updated: May 24, 2023 10:07AM UTC

Hi Adrian, As noted in the lab, are you trying this using a Chrome browser to mimic the victim user? Using the embedded browser, logging in to the lab and then configuring my attack (making sure to view the exploit to confirm the two click elements line up with the requisite buttons) allows me to successfully deliver the attack and solve the lab.

Mikkel | Last updated: Jul 15, 2024 10:19AM UTC

I am stuck on this one as well. Tried multiple times, but whenever I try to view my own exploit I get redirected to login rather than to my signed-in session. My understanding of it is that the iframe doesn't receive the session cookie I have, nor does the victim's iframe get it either. When I intercepted the requests and manually added the session token to the iframe's requests and logged in, my buttons lined up properly to where they should be for solving the lab, but alas that won't work for the exploit.

Ben, PortSwigger Agent | Last updated: Jul 15, 2024 12:45PM UTC

Hi Mikkel, Which browser are you using when you come to try this lab - the embedded browser or a standard version of Chrome?
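The two things this thread keeps circling are whether a page can be framed at all and whether the session cookie even reaches a cross-site iframe (the "/login instead of /my-account" symptom). The following JavaScript is an added example, not code from the thread or from PortSwigger: it takes a page's response headers (assumed here as a plain object with one string value per header, including a single Set-Cookie) and reports whether X-Frame-Options or CSP frame-ancestors block framing and whether the cookie's SameSite attribute would let it be sent to a foreign frame.

```javascript
// Added example (not from the thread or PortSwigger): given a page's HTTP
// response headers, report whether a cross-site page can frame it and whether
// the session cookie would be attached to such a frame. Sample headers below
// are constructed.
function assessFramingDefences(headers) {
  const get = (name) =>
    Object.entries(headers).find(([k]) => k.toLowerCase() === name.toLowerCase());
  const xfo = (get('x-frame-options') || [])[1] || '';
  const csp = (get('content-security-policy') || [])[1] || '';
  const setCookie = (get('set-cookie') || [])[1] || '';

  // X-Frame-Options: DENY and SAMEORIGIN both stop a foreign page from framing us.
  const xfoBlocks = /^(deny|sameorigin)$/i.test(xfo.trim());

  // CSP frame-ancestors: only 'none' or 'self' (and nothing else) is a reliable block.
  const fa = csp.split(';').map(d => d.trim()).find(d => /^frame-ancestors\b/i.test(d));
  const faSources = fa ? fa.split(/\s+/).slice(1).map(s => s.toLowerCase()) : null;
  const cspBlocks = Array.isArray(faSources) && faSources.length > 0 &&
    faSources.every(s => s === "'none'" || s === "'self'");

  // Session cookie: with SameSite=Lax or Strict the browser does not attach it to
  // a cross-site iframe, so the framed page renders logged out.
  const attrs = setCookie.split(';').slice(1).map(a => a.trim().toLowerCase());
  const ss = attrs.find(a => a.startsWith('samesite='));
  const sameSite = ss ? ss.split('=')[1] : 'unspecified';
  // Unspecified is treated as "may be sent": Chromium defaults to Lax, other
  // browsers may still send it, so the conservative verdict is exposure.
  const cookieSentCrossSite = !(sameSite === 'lax' || sameSite === 'strict');

  return {
    framingBlocked: xfoBlocks || cspBlocks,
    sameSite,
    cookieSentCrossSite,
    // Clickjacking needs both: the page framable and the victim's session present.
    clickjackable: !(xfoBlocks || cspBlocks) && cookieSentCrossSite,
  };
}

// Constructed sample: no framing protection, cookie usable cross-site.
const WEAK = { 'Set-Cookie': 'session=abc123; Path=/; Secure; SameSite=None' };
// Constructed sample: the hardened equivalent.
const HARDENED = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'Set-Cookie': 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
};
```

A `frame-ancestors *` directive, or a list containing any third-party origin, is reported as not blocking, which matches what a real browser would do for an attacker-controlled page.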
