Burp Suite User Forum

Multistep clickjacking lab not solving

Piyush | Last updated: Apr 28, 2021 07:58PM UTC

Dear Team, wonderful course, but I am stuck here at this lab and not able to go ahead. I have aligned all the buttons in Chrome and it's not working fine, kindly provide suggestions. My code:

---------------------------------------------------
<style>
    iframe {
        position:relative;
        width: 500px;
        height: 700px;
        opacity: 0.1;
        z-index: 2;
    }
    .firstClick, .secondClick {
        position:absolute;
        top: 495px;
        left: 50px;
        z-index: 1;
    }
    .secondClick {
        top: 290px;
        left: 205px;
    }
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://acd21f641ffbb46380f54f5b00b600a1.web-security-academy.net/my-account?id=wiener"></iframe>
-------------------------------------------------

Have tried 10 times.

Piyush | Last updated: Apr 29, 2021 06:55AM UTC

Hi, can somebody update please?

Regards,
Piyush

Ben, PortSwigger Agent | Last updated: Apr 29, 2021 07:19AM UTC

Hi,

You do not need to use the id parameter in your iframe src URL in order to solve the lab successfully, so, instead, you would just use something like the following:

<iframe src="https://acd21f641ffbb46380f54f5b00b600a1.web-security-academy.net/my-account"></iframe>

Piyush | Last updated: Apr 29, 2021 07:28AM UTC

Thanks Ben, appreciate it, got solved :)

kashish | Last updated: Jan 31, 2022 12:31PM UTC

I am facing the same issue and I tried editing the URL the way it was recommended above, still no success.

Ben, PortSwigger Agent | Last updated: Jan 31, 2022 06:51PM UTC

Hi Kashish,

I have just replied to the new forum post that you have created about this but, to reiterate what was said there, you are not correctly lining up your 'click me' elements to take into account that the deletion process is a two-stage process. You need to trick the user into clicking the initial 'Delete' button followed by the subsequent 'Yes' button (that only appears after the 'Delete' button has been clicked) in order to successfully trick the victim user and solve the lab.

François | Last updated: Oct 26, 2022 04:16PM UTC

Hi guys,

I also have the issue, whereas everything is correctly aligned. I did the test with Firefox and Chrome. Finally I forced the values present in the first post and that solved the challenge, although the buttons were not aligned anymore.

---------------------------------------
.firstClick, .secondClick {
    position:absolute;
    top: 495px;
    left: 50px;
    z-index: 1;
}
.secondClick {
    top: 290px;
    left: 205px;
}

Ben, PortSwigger Agent | Last updated: Oct 27, 2022 09:36AM UTC

Hi Francois, From your post, I am not sure if you are still having issues with this but the values suggested in the solution are really to be used as an initial guide - you are likely to need to alter these, whilst utilising the 'View exploit' functionality, in order to make sure the components do line up correctly. For this particular lab, the exploit is slightly more complicated in that it is being delivered on a couple of different pages so you have to ensure the first click lines up with the button on the first page to delete the user account, whilst the second click needs to line up with the confirmation button on the second page. We get a few people who attempt to line up the click elements with both buttons on the first page, which is not correct.
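
The lab discussed in this thread works only because both the account page and the confirmation page can be loaded in a cross-origin iframe. As an added example (not part of the forum thread or the lab material), the JavaScript below classifies the framing protection on each step of such a flow from its response headers; the function names, the lowercase-keyed header objects and the sample flow are constructed assumptions.

```javascript
// Added example: classify whether a response can be framed cross-origin,
// using its X-Frame-Options and CSP frame-ancestors headers.

// Return the frame-ancestors source list from a CSP header value, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
    if (name === 'frame-ancestors') return sources;
  }
  return null;
}

// headers: object keyed by lowercase header name (assumed input shape).
function framingPolicy(headers) {
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // When frame-ancestors is present it is enforced instead of X-Frame-Options.
    if (sources.length === 0 || sources.join() === "'none'") return 'blocked';
    if (sources.every((s) => s === "'self'")) return 'same-origin';
    // A wildcard or scheme-only source (e.g. https:) admits arbitrary origins.
    if (sources.some((s) => s === '*' || s.endsWith(':'))) return 'frameable';
    return 'allowlist';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return 'blocked';
  if (xfo === 'sameorigin') return 'same-origin';
  // Missing or unrecognised values (including the obsolete ALLOW-FROM) give no protection.
  return 'frameable';
}

// Names of the steps in a flow whose responses any site could frame.
function frameableSteps(flow) {
  return flow.filter((p) => framingPolicy(p.headers) === 'frameable').map((p) => p.step);
}

// Constructed sample: the two pages of a delete-account flow like the lab's.
const sampleFlow = [
  { step: 'account page (Delete button)', headers: { 'x-frame-options': 'SAMEORIGIN' } },
  { step: 'confirmation page (Yes button)', headers: {} },
];

console.log(frameableSteps(sampleFlow));
```

Every page in a multi-step sensitive action needs its own framing restriction, which is why the check runs per step rather than once per site.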
