
Lab: CORS vulnerability with internal network pivot attack - step 1 not working

Andrew Nov 26, 2019 04:01AM UTC

Hi there,

While attempting to follow the instructions for step 1, it does not appear that, after "store" the exploit and then "deliver exploit to victim", the victim is actually visiting the exploit link. There is nothing in the access log to indicate that the exploit server has been visited by the victim.

I would have expected to see something like 192.168.x.x .... GET /exploit in the access logs, which would naturally trigger whatever JavaScript is in the exploit.

I even went as far as just delivering the "Hello World!" to the victim, and nothing appears in the logs. Unless your code only triggers the victim on certain conditions? However, I would have thought the solution would work.


Ben Wright Nov 26, 2019 09:04AM UTC Support Center agent


I have just taken a look at this lab and was able to complete Step 1, with the corresponding GET request being shown in the access logs, so it is working correctly. What code are you entering into the exploit server for this step?

Andrew Nov 26, 2019 09:20AM UTC

Problem solved.

Found the reason why the initial script wasn't working. Corrected that and proceeded to solve remaining steps.

HINT: Go back through other labs to find a solution.

Ben Wright Nov 26, 2019 10:17AM UTC Support Center agent

Hi Andrew,

Glad to hear that you were able to successfully solve this lab.
