The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


"Your level" not counting?

Dear support, I've been enjoying my journey through your labs, and learning an absolute ton! Weirdly though, even though I'm solving labs and marking learning materials as completed, they get marked as solved/completed,...

Last updated: Jun 06, 2024 07:51AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Burp changes response headers case

I noticed that during http2 requests BURP changes the response headers to "First Capital" so any response header like some-somethingelse-anything : any value will be replaced as Some-Somethingelse-Anything : any...

Last updated: Jun 05, 2024 09:15AM UTC | 6 Agent replies | 6 Community replies | Bug Reports

CSRF LAB BROKEN - CSRF where token is duplicated in cookie

Hey Team, When I try to deliver the exploit or test in my browser, this lab gives me its invalid csrf although I have checked many times. Given is my payload. <html> <body> <h1>Hello World!</h1> ...

Last updated: Jun 05, 2024 08:46AM UTC | 3 Agent replies | 2 Community replies | Bug Reports

Issue with windows remain open (frozen), on macbook air m2 running sonoma 14.5

I have an issue, every time I get a confirm window, the Windows ie edit proxy listener doesn't close, it just stays there, it happens to me on the proxy listener, and also on the intruder module, when closing the scan, I was...

Last updated: Jun 05, 2024 08:20AM UTC | 3 Agent replies | 3 Community replies | Bug Reports

1st Academy Click Jacking lesson

When doing the initial click jack lab the exploit server view isn't the same as what's described. When using the https://0a3e0068041332ff820d5100003a00a8.web-security-academy.net/my-account. the exploit view is showing...

Last updated: Jun 05, 2024 06:35AM UTC | 3 Agent replies | 1 Community replies | Bug Reports

Low labs performance

I'm getting slow responses (up to 20 seconds delay) when working at least with CSRF labs (haven't tried other labs yet), examples are: Dec 07 11:20:18 MSK...

Last updated: Jun 04, 2024 07:46AM UTC | 10 Agent replies | 21 Community replies | Bug Reports

Client error in a Lab

The first lab for the CSRF vulnerability is not working properly. When I click "View Exploit" I receive a client error. I wonder if there is any way to fix this. Thank you in advance.

Last updated: Jun 03, 2024 01:23PM UTC | 2 Agent replies | 2 Community replies | Bug Reports

Slow lab response times

The lab 'Lab: Reflected XSS with event handlers and href attributes blocked' (https://portswigger.net/web-security/cross-site-scripting/contexts/lab-event-handlers-and-href-attributes-blocked) seems to be responding very...

Last updated: Jun 03, 2024 08:04AM UTC | 7 Agent replies | 10 Community replies | Bug Reports

correct secret not accepted by lab

Hey there, in the lab: Lab: Web shell upload via Content-Type restriction bypass I solved it via uploading a webshell and cat of the secret file. The corresponding secret was not accepted as a solution. I did get...

Last updated: Jun 03, 2024 07:48AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab: DOM XSS in jQuery anchor href attribute sink using location.search source

The solution javascript:alert(document.cookie) does not work because the cookie is set as HTTPOnly

Last updated: Jun 02, 2024 06:49PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Web shell upload via extension blacklist bypass;

I've followed the directions to the letter and then tried the video tutorial, both times this is the final response from GET /files/avatars/exploit.l33t or the video's GET /files/avatars/shell.shell: " HTTP/2 500 Internal...

Last updated: May 31, 2024 12:22PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Unable to manipulate requests in Proxy Intercept, Repeater and Intruder.

I am using standalone jar Burp-Suite professional with version of 2024.5 in Proxy intercept, Repeater and Intruder all of them mentioned are adding white spaces and not selecting whole request I want to do it and overwriting...

Last updated: May 31, 2024 07:12AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

LAB: No SQL Exploiting NoSQL operator injection to extract unknown fields

I have a question about lab this, I have to rescan find attributes only array is 0 = id 1 = username 2 = password 3 = email I haven't find the token because I tried Sequent 0 - 10 not find a token Please help tell...

Last updated: May 30, 2024 10:05AM UTC | 2 Agent replies | 0 Community replies | Bug Reports

Unable to check for updates due to network error, in return resulting to license activation reached its limit

After installing burp and loading the license and tried to do update suddenly the burpsuite pro has an error saying "unable to check for updates due to network error. Please check your network configuration and try again". I...

Last updated: May 30, 2024 09:22AM UTC | 4 Agent replies | 5 Community replies | Bug Reports

Content security policy: malformed syntax due to values in sandbox directive

Burp version 2024.4.4 Found an issue in the Live audit, when browsing on a site which had CSP header with a sandbox directive and values (which are optional but valid cf....

Last updated: May 30, 2024 09:07AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab: CORS vulnerability with basic origin reflection (exploit working only if delivered)

The exploit works only when delivered to the victim. By clicking on "View exploit" the browser (even the Burp's browser) block third-party cookie and CORS requests. This problem affects also the solution exploit.

Last updated: May 30, 2024 07:26AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Intruder copied new tab behavior does not set resource pool

Hi, I have selected the option: Intruder -> New tab behavior -> Copy configuration from last tab When I now send a request to intruder, the "Payloads" and options from "Settings" are correctly set in the new intruder...

Last updated: May 29, 2024 12:32PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Error importing certificate in chrome -The Private Key for this Client Certificate is missing or invalid

I am having problems with chrome importing the burpsuite certificate I am getting this error: Certificate Import Error The Private Key for this Client Certificate is missing or invalid This only happens to me after a...

Last updated: May 28, 2024 02:17PM UTC | 1 Agent replies | 3 Community replies | Bug Reports

Not supporting ÅÄÖ characters in Extensions

Hello! I am not sure if this is a burp issue or an extension creator issue. However, I will still make an attempt in a hopeful fix to my issue! * Specs: Burpsuite v2021.10.3 Windows 10 Pro OS Build 19044.1348 Jython...

Last updated: May 28, 2024 12:56PM UTC | 3 Agent replies | 1 Community replies | Bug Reports

No more activations allowed

I have run into a bit of trouble with my pc lately, and as such had to reinstall vm's and burp as well. But now, when activating my license, I get the "No more activations allowed for this license" Is there any way I can...

Last updated: May 28, 2024 07:32AM UTC | 1 Agent replies | 0 Community replies | Bug Reports
