Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Portswigger labs:Exploiting cross-site scripting to capture passwords- given payloads creates blank form fields

Anuj | Last updated: Aug 28, 2020 10:23AM UTC

I am solving the "Exploiting cross-site scripting to capture passwords" lab, I was able to solve it the first time around and the payload given in the solution worked. However, when I am trying it now, the payload just creates 2 blank form fields and I am unable to obtain the credentials. Any solutions?

Uthman, PortSwigger Agent | Last updated: Aug 28, 2020 10:54AM UTC

Can you wait 15 minutes for the lab to reset and try again? Does the issue persist? The tests for the lab appear to be passing and I just solved it without an issue.

Name | Last updated: Jun 29, 2022 12:27PM UTC

How can i solve this challenge without Burp Collaborator

Ben, PortSwigger Agent | Last updated: Jun 30, 2022 06:42AM UTC

Hi, As the solution suggests, you would need to modify the approach proposed in the solution to the following lab: https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-perform-csrf The idea being that you make the victim post their credentials within a blog comment by adapting the above solution.

pira_te | Last updated: Oct 06, 2022 12:52PM UTC

I there, I adapted the https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-perform-csrf and successfully added a blog-entry-comment which would then post the given credentials. Now someone or something has to enter his/her/its credentials... when is this happening? Or am I missing something here? thanks in advance T.

Ben, PortSwigger Agent | Last updated: Oct 06, 2022 04:23PM UTC

Hi Ted, Just to confirm - the lab that you have referenced involves performing a CSRF attack to change the email address of a 'victim' user that views a blog post rather than obtaining a password. Are you looking at the correct lab (the lab originally mentioned in this forum thread is entitled 'Exploiting cross-site scripting to capture passwords' here - https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-capturing-passwords)?

c4rb0n | Last updated: Jun 02, 2023 09:02AM UTC

Hello, I'm trying to solve this lab without user interaction - I consider that it's really overstretched case when logged-in user will see some shady login form in the middle of comment section and will put their credentials there. Other users or admin could easily notice this vector and kill all the fun. So, I'm putting a script in a comment that makes a request to "/my-account" endpoint to get the name of user. I expected to see at least "Your username is:" (I saw how this page looks like in a video). I know that I can't take password with this approach, but I wanted to try "secret" value from cookie. So, is my complain viable or I want too much from a simple-purpose lab? Thank you!

Ben, PortSwigger Agent | Last updated: Jun 02, 2023 09:34AM UTC

Hi, Each lab is really designed to demonstrate a particular approach/vulnerability for users to follow and understand. Beyond that, there may be scope to do other things in a given lab but we cannot really support users who are looking to do this.

Matteo | Last updated: Dec 08, 2023 12:50AM UTC

Hi, I've the same problem... My payload sends to my collaborator empty/blank form credentials... When I try the official solution, it doesn't work because I don't receive any request on collaborator... It seems that the onchange event isn't triggered on password... I don't understand why... Anyone can help me or test if the challenge is still working? Thanks

Ben, PortSwigger Agent | Last updated: Dec 08, 2023 09:21AM UTC

Hi Matteo, Just to clarify, are you trying to solve the 'Exploiting cross-site scripting to capture passwords' lab (as per the original forum post creator) or are you trying to solve a different lab?

Matteo | Last updated: Dec 08, 2023 11:49AM UTC

I've solved finally it... I've restarted 4 times the lab and the last one, using always the same exploit, it finally works... I don't know why... Thanks however

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.