Bug Reports - Burp Suite User Forum

Believe there is a bug in the Exploiting NoSQL operator injection to bypass authentication web academy

Have confirmed can use NoSQL injection to login as wiener (injecting on username, password, or both)... but when attempt to login as administrator (or any other account), get a 500 error (unexpected # of results found). ...

issue with 'add to sitemap' function

earlier on this year i was having issues with adding requests to sitemap under via the Repeater... Support told me then to please 'add to sitemap' using via the Logger. that worked well but now i am having another issue. the...

BurpSuite Professional v2023.1.2 unable to connect to https://www.google.com

Just freshly installed Burp Suite Professional version 2023.1.2 Launched built-in web browser from Proxy -> Open browser. Tried to connect to https://www.google.com and received No response received from remote server....

Lab: Internal cache poisoning (Unintended Solution)

Hello ^^, the lab: https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-internal, has a unintended solution! #) Steps Explanation We can overwrite the Host...

Injection of line break (\r\n) into :path pseudo header gets stripped

While doing the lab "Web cache poisoning via HTTP/2 request tunnelling" I've noticed that the \r\n bytes are getting stripped when issuing a request in Repeater. Confirmed this issue in the Logger: Intended :path value: /...

Match and replace rules doesn't work

Hello, I tried everything, "Match and replace rules" in the proxy settings doesn't work. Match (regex): ^User-Agent:.*$ Match (regex): User-Agent:.* Match (literal): User-Agent: Replace: User-Agent: HackerOne...

Lab: Cache key injection (Unintended Solution)

Hello, while I was doing Lab "Lab: Cache key injection" https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-cache-key-injection, I ended up finishing it very...

WebSocket messages can no longer be sent to Repeater

Hi, I and some of my colleagues are experiencing a bug where WebSocket messages can't be sent to Repeater. I tested both Burpsuite v2023.6.2 and v2023.7.-21628 installed on a Linux system and used the following steps to...

Host-level BChecks only run once per host

Hi, I tried experimenting with the new BChecks feature in Burp 2023.6. It's a nice new feature. I found that host-level BChecks only run once per host, which according to the documentation might be intentional. From...

Lab SSRF with whitelist-based input filters

Hi, The document says the following You can embed credentials in a URL before the hostname, using the @ character. For example: https://expected-host:fakepassword@evil-host While the lab solution says Change...

Turbo Intruder - X-Protobuf

Turbo intruder does not seem to support "Content-Type: application/x-protobuf". Try this on recaptcha v3.

i can not access labs

when i open labs it load a page says 'Bad Request' kind regards, Muhammad

UI Broken / Tabs gone after opening a saved temporary project

Hi team! Yesterday I was using a temporary project in memory. At the end of the day I still saved it using: Project -> Save copy. After opening the saved project today, it opens without any of the tool tabs (target,...

Burp possibly doesn't close HTTP2 gRPC connection gracefully

First of all, thank you for your great efforts to make HTTP2 available in Burp. I'm using Go gRPC example application named RouteGuide(https://github.com/grpc/grpc-go/tree/master/examples/route_guide) to check Burp can...

Tabs and tab groups disappeared after Burp restart

I worked on Repeater for a few days and added tabs and tab groups for the endpoints I was testing. Eventually, I created one tab that messed up a few tab groups. Then, after organizing the new Repeater tabs in groups, I...

DOM Invader Prototype Pollution Lab

Hello I'm following along the prototype pollution lab. In the section "Finding client-side prototype pollution gadgets using DOM Invader" I follow the solution steps to solve the lab but when I click on the "Scan for...

ClickJacking labs remain as not solved

Hi PortSwigger Team, Even after completing more times "Basic clickjacking with CSRF token protection" and "Clickjacking with form input data prefilled from a URL parameter" labs, they are showing as not solved. I just...

Exploiting cross-site scripting to steal cookies

hello, i don't have burp pro so i craft a script but he don't not working, i think the challenge have a problem take my script : ``` <script> window.onload = function() { var data = “csrf=” +...

Montoya Persistence setBoolean IndexOutOfBounds

Hi, I'm getting the following error when attempting to save a boolean value to Persistence: java.lang.IndexOutOfBoundsException: Index: 0, Size: 0 at burp.Zbg.ZjV(Unknown Source) at burp.Zknd.Zu(Unknown...

Glitch in the Burp Professional Edition 2023.7.2

I got the problem with Burpsuite Professional v2023.7.2 on windows desktop, sometimes when I use burp, the display will error like a follow my mouse wherever go. I don't know it's a glitch or anything. I have tried to clean...