The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Victim not responding in Lab : CSRF where token is duplicated in cookie

Parant | Last updated: Oct 10, 2024 08:53AM UTC

Dear support,

In the lab mentioned in the title, whenever I click on "deliver exploit to victim" in the exploit server, the victim does not make a GET request to the /exploit file of the exploit server. More precisely, the victim was able to perform this GET request to /exploit only once. I have screenshots of the access log in case you need them. Considering how often your labs that have a victim are malfunctioning, I'm beginning to wonder whether the exam is reliable or not.

Parant | Last updated: Oct 10, 2024 09:45AM UTC

I waited for the lab to reset, and I did not modify anything in the exploit server's code (so it's delivering the Hello World message). I tried to deliver the exploit to the victim several times (I waited a minute between each trial), and looking at the access log I can see the victim has only sent the GET request to /exploit the first time. I'm pretty sure the lab is bugged after this test.

Ben, PortSwigger Agent | Last updated: Oct 10, 2024 04:51PM UTC

Hi Parant, I have just run through this lab and been able to solve it using the solution provided - what does your exploit look like?

Parant | Last updated: Oct 11, 2024 06:55AM UTC

Hi Ben, I did try with the solution provided, but that's not what I'm discussing here. The issue is that the user did not even get triggered when I click on "deliver exploit to victim". I tried again today; the lab does not even launch, and I get a 504 Gateway Time-Out.

Ben, PortSwigger Agent | Last updated: Oct 11, 2024 07:52AM UTC