Burp Suite User Forum
I solved this challenge successfully, the XSS triggers every time I click view exploit, however when I send it to the victim it doesn't do anything, and it's still not marked as a solved challenge, this is my exploit: <iframe...
Dear support, The labs Exploiting cross-site scripting to steal cookies and Exploiting cross-site scripting to capture passwords are not working properly right now. Not only does it take a lot of time to launch the...
Please tell me the solution. When I browse and intercept and the request is forwarded, the error shown is unknown host.
Whenever I run Burp Suite Professional and either choose an existing project or create a new I get the following error Update blocked An update is available, but we are unable to install it because your Burp Suite...
I am working on the following lab: https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri I have followed the solution instructions. PoC: <iframe...
In this lab, I'm stuck on step 5 of the solution: In the browser, go to the exploit server and enter the following HTML, replacing YOUR-LAB-ID with your unique lab URL: <script> var req = new XMLHttpRequest(); ...
I detached the Proxy tab and quit Burp and it saved that way. I want to change it back ... now if I re-attach the tab or use view -> restore default tab layout and try to quit, nothing happens. If I force quit, the tab...
Lab: Reflected XSS into a JavaScript string with angle brackets HTML encoded not solving, and Lab: Basic clickjacking with CSRF token protection, even though I tried the lab solutions.
Hi! I'd just like a confirmation whether this lab is still solvable. I'm using the suggested solution script with my own server IDs: <script> if(window.name) { new...
We tried to solve https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri using the proposed solution. In particular, to steal the authorization code, such solution specifies to have the...
I've successfully solved the lab Method-based access control can be circumvented but it shows that I didn't solve it when I am redirected to the homepage
Hi, Is it possible the CSRF labs are broken? I have attempted the following: - https://portswigger.net/web-security/csrf/lab-no-defenses -...
Has the mail collaborator been switched to use the oastify.com domain? Version: Professional v2202.3.9 build 13363 bodik
Hello, I'm having trouble locating the 'Proxy' tab, which is hindering my ability to intercept requests. Attached are relevant screenshots for...
I recently upgraded my system to Ubuntu 24.04 LTS (previously it was 22.04). After that, when I tried to open the Burp browser, the buttons do not respond. The automatic scans work without problems, apparently the problem is...
I am attempting to do the brute-force lab 1 and I know I have to paste the URL of the login page to Chromium but whenever I try and forward it the browser just goes white and nothing shows up. I believe this is a bug with...
Are the decoder Hash buttons working? text would put of MD5 hash of 'Foobar' shows as '?Õs?ª»¾e¾5Ëæ?àm' instead of '89D5739BAABBBE65BE35CBE61C88E06D'. I'm on Burp v1.6.31
After I paste the CSRF exploit into the Body part, I am clicking on the "Store" button firstly. When I click on the "View exploit" button, it changes the user email address. So the exploit works truly. But if I click the...
Does IDOR come under server-side vulnerability or client-side vulnerability?
Hey there :) We spend a lot of time tinkering in the repeater tab. I saw that, after enabling a passive check, it will not necessarily trigger upon receiving the response from a repeater issued request. Example bcheck...