Burp Suite User Forum


Web Security Academy, Lab: Exploiting cross-site scripting to steal cookies

Jari | Last updated: Nov 22, 2019 02:10PM UTC

Hi, this lab (Exploiting cross-site scripting to steal cookies) might be broken. I can only get my own session cookie sent to me, even with the proposed solution. It seems that the admin is not reading the comments.

Ben, PortSwigger Agent | Last updated: Nov 22, 2019 02:10PM UTC

Hi, I have just tried this lab and was able to solve it using the solution provided. Are you using the payload supplied in the solution? Have you waited for a few seconds before polling the Collaborator to see if a victim has viewed the blog?

Burp User | Last updated: Nov 22, 2019 03:01PM UTC

Hi, I edited my question, but it seems that didn't come through. I'm actually not using Collaborator; instead I have it send the data to my own listener on the internet. Other than that I used the solution provided. When I read the blog myself, I do receive my own cookie, but that is the only traffic I get from this lab, and as such I was thinking maybe the bot wasn't reading the blog. Maybe without Collaborator I just need to complete it via CSRF then...

Michelle, PortSwigger Agent | Last updated: Nov 22, 2019 03:05PM UTC

Hi, if you're not using Burp Collaborator then you can adapt the attack as described in the note on the lab, exploiting the XSS to perform CSRF. Good luck and let us know how you get on.
