Bug Reports - Page 3 - Burp Suite User Forum

"Blacklisted" responses in the WebSocket handshake manipulation lab

Hi, for some reason I started receiving an Unauthorized response during the lab "Manipulating the WebSocket handshake to exploit vulnerabilities" This only occurs at the /chat endpoint Request url (GET from...

Macro editor - Configure item Parameter Handling

Hi, I want to create a session handling rule with an appropriate Macro. When configuring the item I want to use a value in my request that "Derives from prior response". But the problem I have is that I only can "Use...

Cluster Bomb Attack Type

The second payload position for the cluster bomb attack type, keeps using the same password through out the attack. Instead of each email and password pair, or each username and password pair.

Copy/Paste only working in part of Burp suite with non-qwerty layoyt

I'm encountering an issue with Burp where the copy-paste functionality does not work within the Repeater tab. However, the copy-paste works fine in the search bar of the application. I am using Colemak keyboard layout. It...

Prototype Pollution Labs Not Solving

Hi, I have been able to get the alert to popup in the "Client-side prototype pollution via flawed sanitization" lab, but it does not mark as solved. I also checked the correct solution and tried that as well, but no...

Basic clickjacking with CSRF token protection can't be solved

https://portswigger.net/web-security/clickjacking/lab-basic-csrf-protected I have tried with firefox and chrome.I am doing exactly what the solution says and I have also watched the community solutions.But none of them work...

broken browser

https://youtu.be/EKFt25C6sdQ <--video

Error message

I get this error when loading Burp with a stored project. Update blocked An update is available, but we are unable to install it because your Burp Suite installation directory /Applications/Burp Suite Professional.app,...

Burp Suite - Intruder

Hi, I'm recently trying to solve the Business Logic Lab (https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-low-level). After many tries, I couldn't solve the lab and when I try to follow and...

Old Bambda configuration seems to persist even when I go back to default settings

Hi team. When doing the "Exploiting path mapping for web cache deception" lab I created and applied (also saved) the following Bambda, ========== if (requestResponse.contains("X-Cache: hit",true)) { ...

Error: Remote host terminated the handshake

Hi! I'm struggling to proxy traffic via Burp and keep getting "Remote host terminated the handshake" on a particular domain I'm testing. It works on other websites. Things I've tried: - Multiple browsers (firefox,...

Crawling a web site results to bloated project file

When crawling a web site, using crawling and audit's default settings. my project file size grows almost to 20GB. And when the project file gets that big, the backups will also file (not enough space on my disk). When i...

Victim not responding in Lab : CSRF where token is duplicated in cookie

Dear support, In the lab mentioned in the title, whenever I click on "deliver exploit to victim" in the exploit server, the victim does not make a get request to the /exploit file of the exploit server. More precisely,...

Community version will not open the built-in browser

I have a VM with Linux distro on it and I installed Burp community and the first thing I did was select the open browser button from the proxy tab, it did not open. I then configured settings like my safari browser settings...

OAuth authentication labs

Hello, I have an issue with exploit server in all labs in Oauth authentication when deliver exploit to victim they don't open the /exploit path i don't get any log about if victim request this path i even tried to leave the...

Content-Length is update even "Update Content-Length" option is unchecked

In the repeater, Content-Length header is update even the "Update Content-Length" option is unchecked, I found this when I follow the lab "HTTP request smuggling". When check with the Logger show that Content-Length is...

Burp Suite Extension no longer supported by Chromium and is disabled

I upgraded my Burp Suite this morning, and upon reopening the Burp browser, I got a message stating Burp Suite was turned off. When viewing the extension in My Extensions, it has a red exclamation mark and says, "This...

Faulty Lab: "CORS vulnerability with trusted insecure protocols"

Hi, maybe there is bug inside the laboratory "CORS vulnerability with trusted insecure protocols". The following exploit script works with Burp's Chrome: <script> document.location =...

Incorrect Payload order in Sniper and Pitchfork Modes

I'm encountering a problem with Burp Suite's Intruder tool where payloads are being placed in the wrong fields during an attack. In both Sniper and Pitchfork attack modes, I've marked two different positions in my request:...

Can't pass the "CSRF with broken Referer validation" lab even if my solution works

Lab-URL: https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses/lab-referer-validation-broken I found a solution that works when I tested with `wiener:peter` but it doesn't get accepted when I deliver...