Burp Suite User Forum

No more activations allowed for this license

I get this when I try to move my Burp installation to a new computer at work. Can you please add some more for me? This message is really weird, as your licensing terms seem to be "yeah, it's a per user license, and...

Last updated: Jul 24, 2024 07:21AM UTC | 16 Agent replies | 17 Community replies | Bug Reports

Lab: Web cache poisoning via ambiguous requests

Hi, When I try adding a duplicate Host header in this lab, I get a 404 status code. The solution reads: "Notice that if you add a second Host header with an arbitrary value, this appears to be ignored when validating and...

Last updated: Jul 23, 2024 07:56AM UTC | 3 Agent replies | 3 Community replies | Bug Reports

CSRF ACCESS THE LAB not accessible

I am experiencing an issue in accessing the labs, specifically for the CSRF portion. Is it me only?

Last updated: Jul 23, 2024 06:59AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab Throwing 504 Error

Hello, Lab: SameSite Lax bypass via cookie refresh Is throwing a 504 Gateway time-out error, I had no issue working and using other labs in CSRF and this one will not load. The lab might need to be reset. Thank you

Last updated: Jul 23, 2024 06:55AM UTC | 3 Agent replies | 7 Community replies | Bug Reports

Payloads still encodes post unchecking 'URL-encode these characters'

The intruder is not encoding anything except . (dot) Original Payload: test@domain.com Once intruder attack begins, payload looks like this: test@domain%2ecom I have unchecked URL encoding under payloads tab already,...

Last updated: Jul 22, 2024 10:37AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Burp Suite Community Edition is not intercepting response for JS script.

Hello, I've unchecked all of the response and request interception rules, this should in theory intercept all responses and requests. For some reasons I'm able to intercept the request for a JS script but not the...

Last updated: Jul 22, 2024 10:05AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

504 Gateway Timeout

Hello, I am using Burp Suite Professional and when completing the labs it randomly gives me an 504 Gateway Timeout. I have to close the lab completely and load it again, which consumes time because it does it quite a lot. Is...

Last updated: Jul 22, 2024 08:55AM UTC | 3 Agent replies | 5 Community replies | Bug Reports

Are there issues with the Academy labs?

I have been using the Academy in the last 3 days and I have been experiencing random periods when labs do not work properly, sessions with the server time out, and so on. Are you aware of this issue? Perhaps are you...

Last updated: Jul 22, 2024 07:53AM UTC | 8 Agent replies | 10 Community replies | Bug Reports

Payload still encodes after unchecking "Url-encode these characters" checkbox

Found on Burp Suite Community Edition v.2020.12.1 1. I'm trying to start intruder attack with following payload: type: recursive grep initial payload: 2021-01-12 16:27:24.056815 (timestamp with characters which...

Last updated: Jul 22, 2024 07:12AM UTC | 3 Agent replies | 1 Community replies | Bug Reports

ClickJacking labs remain as not solved

Hi PortSwigger Team, Even after completing more times "Basic clickjacking with CSRF token protection" and "Clickjacking with form input data prefilled from a URL parameter" labs, they are showing as not solved. I just...

Last updated: Jul 19, 2024 10:20AM UTC | 14 Agent replies | 18 Community replies | Bug Reports

No academy lab is working

When I click the Access the lab button on any vulnerability lab it opens the page with 400 bad request.

Last updated: Jul 18, 2024 09:04AM UTC | 2 Agent replies | 3 Community replies | Bug Reports

Lab Not Working Anymore : CORS vulnerability with trusted insecure protocols

I am trying to solve the mentioned lab, with the payload provided by the academy, but the payload isn't working. When I view the payload, the request is indeed sent to stock subdomain, but it replies with...

Last updated: Jul 18, 2024 08:33AM UTC | 5 Agent replies | 8 Community replies | Bug Reports

Basic clickjacking with CSRF token protection

I'm having trouble with this lab. When I click on 'View exploit' I have the login page coming up, of course with no 'delete' button. I'm using Burp's browser Chromium and here's my script, of course I'm changing the lab Id...

Last updated: Jul 18, 2024 08:02AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Lab: DOM XSS in jQuery selector sink using a hashchange event

Hello! I managed to trigger the XSS payload on the exploit server but the lab is not marked as solved. I used this payload for the response body on the exploit server: <iframe...

Last updated: Jul 18, 2024 07:53AM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Burp Browser displays "ERR_CONNECTION_RESET" on new M3 Macbook Pro

Hi! Long time Burp Pro user (4 years). Having trouble with the Burp Browser on M3 MacBook Pro. VPN is off, AntiVirus is off, Proxy settings off. Does not work on multiple WiFi networks including hotspot. Any additional...

Last updated: Jul 17, 2024 11:22AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab: Exploiting cross-site scripting to capture passwords

Hello! I think the description of what the simulated victim does should be updated on this lab. I used XSS to replace the current page content with the login form (after fetching it dynamically), then hook on the submit...

Last updated: Jul 17, 2024 09:48AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Labs keep crashing

Hi, I am currently doing the API labs. Every time I try to do a lab in the academy, the servers keep crashing and I have to wait approx 10 minutes for them to come back online and start working again. Just for them to...

Last updated: Jul 17, 2024 07:29AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Receiving Kettle Message in Repeater for Request That Shouldn't Be Kettled

Hi, This would be easier to explain with screenshots but I do my best to explain below. I am working on the "Authentication bypass via encryption oracle" lab for business logic vulnerabilities. I have submitted a...

Last updated: Jul 16, 2024 12:25PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab multistep clickjack

I am stuck on this lab, and can't seem to complete it. I've gone through the proposed solution multiple times as well as looked up other online solutions. Whenever I try to view my own exploit I get redirected to the...

Last updated: Jul 15, 2024 07:15PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Lab: SameSite Strict bypass via sibling domain - solution is broken

Hi, this is my solution and works fine when clicking "view exploit" (I see my messages at the access log) but when I deliver to victim there is no incoming request. Can you pls fix the lab? I was going crazy about what...

Last updated: Jul 15, 2024 06:34PM UTC | 1 Agent replies | 1 Community replies | Bug Reports
