The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


Academy lab bug - Web shell upload via extension blacklist bypass

This is a file upload vulnerability lab, but it seems it's broken since I only get "missing parameter" error even when trying to upload a legit comment and...

Last updated: Jul 15, 2024 09:49AM UTC | 2 Agent replies | 2 Community replies | Bug Reports

Lab: CORS vulnerability with basic origin reflection - exploit server is broken

view exploit working, log shows what it should for wiener, but not when delivered see gif: https://ibb.co/b63N1gM Please note that I used the same script as in the solution and still not working! My script was: only...

Last updated: Jul 15, 2024 08:25AM UTC | 1 Agent replies | 2 Community replies | Bug Reports

Error regarding "Finding and exploiting an unused API endpoint" lab

Hello, I wanted to bring to PortSwigger's attention that there is an error with the "Finding and exploiting an unused API endpoint" lab. When using the OPTIONS method to discover what methods are allowed by the API, the...

Last updated: Jul 15, 2024 07:24AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Lab: SameSite Strict bypass via sibling domain - why the get request to .js is not shown in history? Bug?

Browser network tab shows it, but burp not, even not with "show all" setting at the http history tab. Pls see image: https://ibb.co/7jVxDKn Bug in lab?

Last updated: Jul 12, 2024 01:10PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Burp Suite's "Import project file" feature fails for projects with Repeater tab groups

Bug overview: There exists a bug in Burp Suite's "Import project file" feature. This feature fails when importing Repeater data that contains tab groups. Environment details: This bug was reproduced on Debian 13.2.0...

Last updated: Jul 12, 2024 12:23PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Unable to install any bapp extensions.

After updating Burpsuite to 5.5, I'm not able to install any BApp extensions. I don't have a proxy in my environment, and am able to get to portswigger.net. Help / Check for Updates gives me a network error. In Wire...

Last updated: Jul 12, 2024 12:14PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Proxy (Chromium) not working on some sites

I am currently using the latest version of Burp Suite Community and I cannot get access to any sites without needing to relaunch the browser. On initial launch, the proxy works for the Chromium browser, but after a while it...

Last updated: Jul 11, 2024 06:32AM UTC | 3 Agent replies | 4 Community replies | Bug Reports

Targeted web cache poisoning using an unknown header - strange behaviour with repeater

To solve the lab, we have to add the header x-cache. If I intercept the request to the home and add the header with a random value and I send the request, I don't receive any response. If from the repeater inspector, I...

Last updated: Jul 10, 2024 01:24PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Internal Browser Failing to start

Hi, Recently, as of last Wednesday July 4, 2024 my internal browser is failing to start. I have run the browser diagnostics and everything came back green/OK. I also ran the diagnostics tool and did not see any obvious...

Last updated: Jul 09, 2024 04:34PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Academy Lab Feedback: Exploiting NoSQL operator injection to bypass authentication

Hi, I was working on this lab, and found the description misleading. It suggested that I needed to log in as the user called "administrator" to solve the lab, whereas the actual user required was not called...

Last updated: Jul 09, 2024 07:46AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

No Host header in https://portswigger.net/web-security/host-header/exploiting/lab-host-header-authentication-bypass

It's not possible to pass this lab, because there is no Host header.

Last updated: Jul 08, 2024 02:17PM UTC | 3 Agent replies | 3 Community replies | Bug Reports

highlighted / focused request loses focus in proxy history when new requests arrive

In a recent update to Burp, the currently selected request in the HTTP history loses focus when new requests arrive. This can be a bit frustrating as we can no longer select a request and use the arrow keys to jump to the...

Last updated: Jul 08, 2024 12:16PM UTC | 3 Agent replies | 3 Community replies | Bug Reports

burp browser not working

checking headless browser not working in burp's browser health Aborting checks due to errors. net.portswigger.browser.Znw: No dev tools websocket output from local chromium process 27668

Last updated: Jul 08, 2024 07:51AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Challenge is solved when it should not be

Hi support, I was on the challenge "Exploiting HTTP request smuggling to capture other users' requests" and it got solved before I was able to make the simulated user's request being displayed in the comment. As a...

Last updated: Jul 04, 2024 03:33PM UTC | 2 Agent replies | 1 Community replies | Bug Reports

No solution seems to work on this lab

Lab: DOM XSS in jQuery selector sink using a hashchange event I have tried <iframe src="https://0a51000e03217e2682062f3600220028.web-security-academy.net#" onload="this.src+='<img src=x onerror=print()>'"> <iframe...

Last updated: Jul 03, 2024 04:37PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Issue with Lab: Exploiting an API endpoint using documentation

Is everything OK with this lab? Running into some problems with it: 1. The Update email is not working properly. It throws the error: undefined: Malformed URL: query only supported with GET (undefined) 2. The /api route,...

Last updated: Jul 03, 2024 08:03AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Issue importing client TLS certificate

Hello, I am having an issue importing a .p12 in the "Client TLS certificates". Error is "Failed to load certificate: Tag number over 30 is not supported" Passphrase is composed of 44 alphanumerical characters. I am...

Last updated: Jul 02, 2024 10:45AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Not working Burp Browser

I can't start burp browser after last updates. I receive only Burp Browser Error with no text. The same situation appears on Ubuntu 24.04 and fresh Kali Linux virtual machine

Last updated: Jul 02, 2024 10:40AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Cache Poisoning - Unkeyed Header and Unkeyed Cookie Labs Not Working?

I solved both labs since I can trigger the correspondent alerts after requesting the main homepage address from my browser, but the Not Solved label never changes to Solved. Are there any issues related to the user who is...

Last updated: Jul 02, 2024 10:33AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Lab not being marked as solved.

Hi there, the Stored DOM XSS lab is not being marked as solved. I have followed all of the solutions provided and had the XSS execute but the lab will not mark as being resolved.

Last updated: Jul 02, 2024 09:40AM UTC | 1 Agent replies | 0 Community replies | Bug Reports
