The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


Stealing OAuth access tokens via an open redirect

<script> if (!document.location.hash) { window.location =...

Last updated: Jul 02, 2024 09:09AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Burp Suite UI Crash?

Hi, Sometimes I found that the Burp UI crashes like this: https://postimg.cc/bZ5nHNWV https://postimg.cc/47SjXcSb My PC uses Windows 11, CPU AMD Ryzen 9 5950X, 64GB RAM, RTX 3090 Graphic Card with 4k resolution...

Last updated: Jul 01, 2024 04:36PM UTC | 4 Agent replies | 3 Community replies | Bug Reports

OAuth account hijacking via redirect_uri works with chrome but not using burp's chromium

When I store the exploit and view it using Burp's chromium I see the following error in my iframe. However, that's not the case when I use my chrome browser. Due to this I'm not getting the auth code from admin to solve this...

Last updated: Jul 01, 2024 02:46PM UTC | 5 Agent replies | 5 Community replies | Bug Reports

Labs are not getting solved

Hey Team, I am observing a bug in my PortSwigger account. I am solving the labs in the Academy, but when I refresh the page it shows me not solved. I have tried to solve the same lab many times and I did solve it, the page also...

Last updated: Jul 01, 2024 08:24AM UTC | 3 Agent replies | 1 Community replies | Bug Reports

Adding Hotkeys makes the Burp Unopenable

I had added a hotkey for "add to scope" which was "ctrl+DOWN". After adding this, Burp worked well, but when the next day I tried to open Burp it didn't run; rather, it showed an error which was "Failed to create/access...

Last updated: Jul 01, 2024 07:45AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Academy XSS Lab Doesn't Accept My Solution

Hi, the lab with the title "DOM XSS in document.write sink using source location.search" doesn't accept "https://LAB-ID.web-security-academy.net/?search=%22onerror=%22alert(1)" as a solution even though the alert shows up.

Last updated: Jul 01, 2024 07:37AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab solved but shows unsolved

Hi, I have solved CSRF vulnerability with no defenses but it does not show solved after solving the lab, I've tried repeating several times but it still doesn't work, Thanks

Last updated: Jun 28, 2024 07:19AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Horizontal Scrolling in Proxy History on Linux (+ Tiling Window Manager)

Good morning, I would like to report an issue that me and other people in our office are facing. We use BurpSuite Professional in Kali VMs, and most of us use tiling window managers. When scrolling horizontally with...

Last updated: Jun 27, 2024 01:22PM UTC | 2 Agent replies | 2 Community replies | Bug Reports

Burp sending high volume of Emails

Hi team, I am reaching out because I had an incident with my customer. He received 1200 emails in half an hour while using Burp. I would appreciate it if you could share a solution for this problem/bug. Thank...

Last updated: Jun 26, 2024 04:40PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Exploit server does not behave the same depending on the browser

Hi, I've observed that the exploit server does not behave the same depending on which browser it is opened on. I've been writing and storing the exact same html content in the exploit server from Firefox and from Burp's...

Last updated: Jun 26, 2024 04:30PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Performance Issues on web academy and portswigger.com login

I am not running any automated scans against the target and have limited extensions loaded. I am regularly waiting 20 seconds for a single request, often having to cancel and resend. Logging into portswigger.com I even...

Last updated: Jun 25, 2024 03:52PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Basic Clickjacking Lab

When I try to perform the View Exploit function on this lab I receive "Resource not found - Academy Exploit Server", stopping me from completing the lab.

Last updated: Jun 25, 2024 09:18AM UTC | 2 Agent replies | 2 Community replies | Bug Reports

solving Labs

Hi, since yesterday some labs can't be solved even if I copy and paste the proposed solution. The labs are https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink,...

Last updated: Jun 25, 2024 07:33AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Issue with Burp Suite Pro Renewal - License Key Not Received

I recently renewed my Burp Suite Pro subscription and noticed a charge of $450 on my account. However, I have not received any email update or license key associated with this renewal. I have checked my spam/junk folders and...

Last updated: Jun 24, 2024 09:10AM UTC | 0 Agent replies | 1 Community replies | Bug Reports

Crawling won't start on MacOS Sonoma

I'm using Burp Pro 2024.5.3 and when I start crawling via Scan -> Crawl, a Chromium popup appears on my dock, but it won't open, and the crawl only retrieves robots.txt.

Last updated: Jun 24, 2024 08:43AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Rate limiting Intruder issue / inconvenience during the auth lab

Hi Team, During the lab I ran into an issue with the rate limiting of the community edition with the Lab: Username enumeration via account lock. Here you need to lock the account to figure out the username and see...

Last updated: Jun 21, 2024 10:40AM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Solution for "Lab: SSRF with blacklist-based input filter"

Hello, the intended solution of this lab doesn't seem to work. After some testing I couldn't find a way to "enter" the admin area. "Encoding" the IP address works fine, but enter "admin" doesn't work at all. I tried...

Last updated: Jun 21, 2024 05:18AM UTC | 0 Agent replies | 3 Community replies | Bug Reports

JTree not rendering correctly with BurpSuite's Look And Feel

I am working on improving one of our extensions and I noticed that a JTree does not render correctly with the default look and feel of BurpSuite. Icons are missing and the indentation of individual notes are also not...

Last updated: Jun 20, 2024 02:14PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

403 Forbidden in solution in Academy Web cache poisoning via ambiguous requests

Hello, according to the solution, when I use 2 HOST headers such as GET /?cb=123 HTTP/1.1 Host: 0aa300a60483e49080313f3f008e0077.h1-web-security-academy.net Host: example.com I receive HTTP/1.1 403...

Last updated: Jun 20, 2024 08:03AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Academy clickjacking lesson doesn't give you credit

I have tried to complete the lab: "Lab: Basic clickjacking with CSRF token protection", and thought I had a correct answer but when I sent my exploit, the lab was still not solved. After much trying I checked the community...

Last updated: Jun 20, 2024 07:20AM UTC | 1 Agent replies | 0 Community replies | Bug Reports
