Burp Suite User Forum

Some of the CORS labs don't work anymore on Firefox and Chrome

Adam | Last updated: Apr 23, 2024 11:47AM UTC

Some of the CORS labs don't work anymore since a new update on Firefox and Chrome, due to new security put into place on third-party cookies called the 'Partitioned' attribute. While it is still possible to solve the lab by delivering the exploit to the victim, it's not possible to test the exploit locally before sending it to the victim. This was not an issue a few months ago. More importantly, in the real world (outside of the PortSwigger labs) the CORS exploits won't work anymore even if it contains Access-Control-Allow-Credentials and reflects the Access-Control-Allow-Origin in the response. The error message in Chrome and Firefox says: 'Cookie will soon be rejected because it is foreign and does not have the “Partitioned” attribute.' The CORS exploit only works when I manually go into the browser and change the cookie settings of "Exceptions cookies and site data" and allow the specific website to use third-party cookies. When I tried in the Edge browser, the exploit still worked. But the message in Edge makes it seem like that is also just a matter of time until they implement this. Are you planning on updating the labs to reflect this change?
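The browser behaviour described in the post above, as a simplified decision model. This is an added example, not part of the thread and not PortSwigger's or any browser's code; the function names, the sample cookie and the origins are constructed, and it assumes the session cookie was set while the site was the top-level page and that a missing SameSite is treated as Lax.

```javascript
// Added example: a simplified decision model, not browser source code.
// Assumption: a Set-Cookie without SameSite is treated as Lax.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], sameSite: "lax", secure: false, partitioned: false };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "samesite") cookie.sameSite = value;
    if (key === "secure") cookie.secure = true;
    if (key === "partitioned") cookie.partitioned = true;
  }
  return cookie;
}

// Would a credentialed cross-site fetch from `pageOrigin` carry the cookie,
// and could the page's script read the response?
function crossSiteReadOutcome({ setCookie, pageOrigin, acao, acac, thirdPartyCookiesBlocked }) {
  const c = parseSetCookie(setCookie);
  let cookieSent = true;
  let reason = "cookie attached";
  if (c.sameSite !== "none" || !c.secure) {
    cookieSent = false;
    reason = "SameSite policy keeps the cookie off cross-site requests";
  } else if (c.partitioned) {
    // Assumption: the cookie was set while the site was the top-level page, so its
    // partition key is that site, not the site of the page making the request.
    cookieSent = false;
    reason = "cookie lives in a different partition";
  } else if (thirdPartyCookiesBlocked) {
    cookieSent = false;
    reason = "unpartitioned third-party cookie blocked";
  }
  // Credentialed CORS reads need an exact origin match (not "*") and ACAC: true.
  const corsReadable = acao === pageOrigin && acac === "true";
  return { cookieSent, corsReadable, authenticatedRead: cookieSent && corsReadable, reason };
}

// Constructed sample: an API that reflects the Origin header and allows credentials.
const sample = {
  setCookie: "session=abc123; Secure; HttpOnly; SameSite=None",
  pageOrigin: "https://other-site.example",
  acao: "https://other-site.example",
  acac: "true",
};
console.log(crossSiteReadOutcome({ ...sample, thirdPartyCookiesBlocked: false }));
console.log(crossSiteReadOutcome({ ...sample, thirdPartyCookiesBlocked: true }));
```

In the blocked case `corsReadable` stays true: the permissive CORS policy on the server is unchanged and only the cookie is withheld, so the outcome depends on the browser's third-party cookie setting.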

Ben, PortSwigger Agent | Last updated: Apr 24, 2024 06:51AM UTC

Hi Adam, Let me double check this with the team and get back to you. We will respond in due course.

Ben, PortSwigger Agent | Last updated: Apr 25, 2024 09:52AM UTC

Hi Adam, Out of interest, which version of Chrome are you using when you see errors solving these particular labs?
