Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Possible unintended behaviour in "SameSite Lax bypass via cookie refresh" lab

Prajyot | Last updated: Jan 16, 2023 06:30AM UTC

Lab: SameSite Lax bypass via cookie refresh: https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-cookie-refresh Hi, While solving this lab, I happened to notice that there is no state parameter in the OAuth Initialization request. So I attempted Forced Profile Linking (https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking), which seems to break the lab. Wiener cannot login to his own account anymore, and the solution exploit doesn't work either. I do not know if this is intended behaviour, or if something was implemented incorrectly, which is why I'm reporting it to you. Kindly do let me know about the same.

Prajyot | Last updated: Jan 16, 2023 06:31AM UTC

Also, I apologize if this was the incorrect category to report this in.

Hannah, PortSwigger Agent | Last updated: Jan 16, 2023 01:27PM UTC

Hi. Could you drop us an email at support@portswigger.net with some more information? If you could include screenshots of the exploit or a screen recording of this, that would be helpful.

Prajyot | Last updated: Jan 16, 2023 04:03PM UTC