
Exploiting cross-site scripting to steal cookies

Olivier Gaudel Oct 15, 2019 03:38PM UTC

I inject JavaScript code to steal cookies, but the online lab doesn't simulate another user who views blog comments after they are posted... Any idea why? Known bug?

I don't use Burp Collaborator but a service hosted on Heroku.

Thanks for any help


Ben Wright Oct 16, 2019 11:08AM UTC Support Center agent

Hi Olivier,

Thank you for your message.

The labs are designed to be solved using the tools within Burp Suite. I have just tested the lab and was able to successfully complete it using the Burp Collaborator.

I would suggest using the Burp Collaborator and seeing if you have any further issues completing the lab.


Olivier Gaudel Oct 16, 2019 03:11PM UTC

Hi Ben,

Thanks for your answer.

Is Burp Collaborator included in the Burp Community version?

Regards

Olivier

Ben Wright Oct 17, 2019 07:49AM UTC Support Center agent

Hi Olivier,

Unfortunately, Burp Collaborator is only available in the Professional edition.

Having looked at the lab again, it does state:

“Instead of using Burp Collaborator, you could adapt the attack to make the victim post their cookie within a blog comment by exploiting the XSS to perform CSRF, although this would mean that the cookie value is exposed publicly, and also discloses evidence that the attack was performed.”

So perhaps you could investigate and use this method instead of Burp Collaborator if you are looking to solve the lab.

Please let us know if you need any further assistance.

