Burp Suite User Forum


BSCP exam bug

Vasiliy | Last updated: Oct 30, 2023 09:44PM UTC

Hello! I finished a BSCP exam a few minutes ago and I failed it. I solved the first app in one hour and spent the rest of the time on the second app, but couldn't get through even the first step. I think it might be some issue on the app's side. I had an app with a "/resources/js/tracking.js" file, which I suppose was meant to be vulnerable to cache poisoning/host header poisoning (as it always was in the labs), but in fact there is no web cache in use in this app, and in an attempt to exploit the host header I got an "Invalid hostname" error. There was no other functionality in the app at this stage, except standard search and password reset, but those weren't vulnerable to anything. I found a post with a similar problem: https://forum.portswigger.net/thread/bscp-exam-ddc18d29e03d6cc8474bbfd711. As you don't provide a public answer to this, I hope you will help me understand too whether it was a bug or the app was working correctly. Looking forward to your reply and assistance. Best regards, Vasiliy

Ben, PortSwigger Agent | Last updated: Oct 31, 2023 01:37PM UTC

Hi Vasiliy, We have just checked your specific exam instance and are happy that there were no issues and that both apps were indeed solvable.

David | Last updated: Mar 24, 2024 12:49PM UTC

Hi, I also just finished the test and the same thing happened to me, the TRACKING.JS file appears but no cache site exists on the web. It also returned the INVALID HOSTNAME error when using certain headers. I don't know if it is my error or PortSwigger's error.

Ben, PortSwigger Agent | Last updated: Mar 25, 2024 09:03AM UTC

Hi David, Can you email us at support@portswigger.net and include details of which of your applications you were having issues with?

VITALII | Last updated: Apr 24, 2024 08:10AM UTC

Hello! I have the same issue. I just finished taking the BSCP, and in the second appendix, I received trackings.js. However, in this lab, neither web cache poisoning nor HTTP request smuggling nor a Host header attack is working. I don't know if this is my problem or an error in the lab. Could you please check?

Ben, PortSwigger Agent | Last updated: Apr 24, 2024 10:24AM UTC

Hi Vitalii, For questions about your specific exam, are you able to email us at support@portswigger.net, and we can respond from there?
