The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


Some of the CORS labs don't work anymore on Firefox and Chrome

Adam | Last updated: Apr 23, 2024 11:47AM UTC

Some of the CORS labs don't work anymore since a new update on Firefox and Chrome, due to new security put into place on third-party cookies called the 'Partitioned' attribute. While it is still possible to solve the lab by delivering the exploit to the victim, it's not possible to test the exploit locally before sending it to the victim. This was not an issue a few months ago. More importantly, in the real world (outside of the PortSwigger labs) the CORS exploits won't work anymore even if it contains access control allow credentials and reflects the access control allow origin in the response. The error message in Chrome and Firefox says: 'Cookie will soon be rejected because it is foreign and does not have the "Partitioned" attribute.' The CORS exploit only works when I manually go into the browser and change the cookie settings of "Exceptions cookies and site data" and allow the specific website to use third-party cookies. When I tried in the Edge browser the exploit still worked. But the message in Edge makes it seem like that also is just a matter of time until they implement this. Are you planning on updating the labs to reflect this change?
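An added illustration, not part of the original post and not PortSwigger lab code: a small checker that separates the two conditions the post describes, the server-side CORS headers and whether the browser would attach the session cookie to a cross-site request. It is a simplified model that assumes cookies without a SameSite attribute are treated as Lax and that the cookie was set during a first-party visit; all function names and sample values are constructed.

```javascript
// Added example: a simplified model, not browser or lab source code.
// Split a Set-Cookie value into lower-cased attribute names and values.
function parseAttrs(setCookie) {
  const attrs = {};
  for (const part of setCookie.split(';').slice(1)) {
    const [key, ...rest] = part.trim().split('=');
    if (key) attrs[key.toLowerCase()] = rest.length ? rest.join('=') : true;
  }
  return attrs;
}

// True when a credentialed cross-origin read from `origin` would be permitted.
function corsAllowsCredentialedRead(origin, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  return h['access-control-allow-origin'] === origin &&
    h['access-control-allow-credentials'] === 'true';
}

// Would the cookie ride along on a cross-site fetch with credentials included?
// Assumes the cookie was set while the user was on the site itself.
function cookieSentCrossSite(setCookie, thirdPartyBlocked) {
  const attrs = parseAttrs(setCookie);
  let sameSite = String(attrs.samesite || '').toLowerCase();
  if (!['strict', 'lax', 'none'].includes(sameSite)) sameSite = 'lax'; // assumed default
  if (sameSite !== 'none') return { sent: false, reason: 'SameSite=' + sameSite };
  if (!attrs.secure) return { sent: false, reason: 'SameSite=None requires Secure' };
  if (attrs.partitioned) return { sent: false, reason: 'keyed to a different top-level site' };
  if (thirdPartyBlocked) return { sent: false, reason: 'unpartitioned third-party cookie blocked' };
  return { sent: true, reason: 'third-party cookies allowed' };
}

// Combine both checks into one finding for a response under review.
function assess(origin, headers, setCookie, thirdPartyBlocked) {
  const cors = corsAllowsCredentialedRead(origin, headers);
  const cookie = cookieSentCrossSite(setCookie, thirdPartyBlocked);
  return { corsMisconfigured: cors, authenticatedRead: cors && cookie.sent, reason: cookie.reason };
}

// Constructed sample response: reflected origin plus credentials allowed.
const sampleOrigin = 'https://other.example';
const sampleHeaders = {
  'Access-Control-Allow-Origin': sampleOrigin,
  'Access-Control-Allow-Credentials': 'true',
};
const sampleCookie = 'session=constructed-value; Secure; HttpOnly; SameSite=None';
console.log(assess(sampleOrigin, sampleHeaders, sampleCookie, false));
console.log(assess(sampleOrigin, sampleHeaders, sampleCookie, true));
```

In both runs `corsMisconfigured` stays true, so the header combination remains a server-side finding regardless of the browser's cookie policy; only `authenticatedRead` changes with the third-party cookie setting.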

Ben, PortSwigger Agent | Last updated: Apr 24, 2024 06:51AM UTC

Hi Adam, Let me double check this with the team and get back to you. We will respond in due course.

Ben, PortSwigger Agent | Last updated: Apr 25, 2024 09:52AM UTC