Burp Suite User Forum

Academy lab bug - Web shell upload via extension blacklist bypass

This is a file upload vulnerability lab, but it seems it's broken since I only get "missing parameter" error even when trying to upload a legit comment and...

Last updated: Jul 15, 2024 09:49AM UTC | 2 Agent replies | 2 Community replies | Bug Reports

Lab: CORS vulnerability with basic origin reflection - exploit server is broken

view exploit working, log shows what it should for wiener, but not when delivered see gif: https://ibb.co/b63N1gM Please note that I used the same script as in the solution and still not working! My script was: only...

Last updated: Jul 15, 2024 08:25AM UTC | 1 Agent replies | 2 Community replies | Bug Reports

Error regarding "Finding and exploiting an unused API endpoint" lab

Hello, I wanted to bring to Portswigger's attention that there is an error with the "Finding and exploiting an unused API endpoint" lab. When using the OPTIONS method to discover what methods are allowed by the API, the...

Last updated: Jul 15, 2024 07:24AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

OAuth authentication labs

Hello, I have an issue with the exploit server in all labs in OAuth authentication: when I deliver the exploit to the victim, they don't open the /exploit path. I don't get any log about whether the victim requested this path. I even tried to leave the...

Last updated: Jul 13, 2024 02:03AM UTC | 1 Agent replies | 2 Community replies | Bug Reports

Lab: SameSite Strict bypass via sibling domain - why the get request to .js is not shown in history? Bug?

Browser network tab shows it, but Burp does not, not even with the "show all" setting at the HTTP history tab. Pls see image: https://ibb.co/7jVxDKn Bug in lab?

Last updated: Jul 12, 2024 01:10PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Burp Suite's "Import project file" feature fails for projects with Repeater tab groups

Bug overview: There exists a bug in Burp Suite's "Import project file" feature. This feature fails when importing Repeater data that contains tab groups. Environment details: This bug was reproduced on Debian 13.2.0...

Last updated: Jul 12, 2024 12:23PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Unable to install any bapp extensions.

After updating Burpsuite to 5.5, I'm not able to install any BApp extensions. I don't have a proxy in my environment, and am able to get to portswigger.net. Help / Check for Updates gives me a network error. In Wire...

Last updated: Jul 12, 2024 12:14PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Copy/Paste not working

I work in web security in Korea and have been a long-time user of Burp products. Primarily, I use them on MacOS. I report bugs not only because they inconvenience me but also because my colleagues are experiencing the same...

Last updated: Jul 12, 2024 08:47AM UTC | 8 Agent replies | 8 Community replies | Bug Reports

Proxy (Chromium) not working on some sites

I am currently using the latest version of Burp Suite Community and I cannot get access to any sites without needing to relaunch the browser. On initial launch, the proxy works for the Chromium browser, but after a while it...

Last updated: Jul 11, 2024 06:32AM UTC | 3 Agent replies | 4 Community replies | Bug Reports

Targeted web cache poisoning using an unknown header - strange behaviour with repeater

To solve the lab, we have to add the header x-cache. If I intercept the request to the home and add the header with a random value and I send the request, I don't receive any response. If from the repeater inspector, I...

Last updated: Jul 10, 2024 01:24PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Internal Browser Failing to start

Hi, Recently, as of last Wednesday July 4, 2024 my internal browser is failing to start. I have run the browser diagnostics and everything came back green/OK. I also ran the diagnostics tool and did not see any obvious...

Last updated: Jul 09, 2024 04:34PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Freeze on Screen Lock (macOS)

Burp Suite Pro seems to lock up every time my screen lock activates. This is Ventura 13.4 running on M2 silicon with v2024.3.1.3 When resuming, the only button that works is close and then the confirm dialog shows which...

Last updated: Jul 09, 2024 11:09AM UTC | 3 Agent replies | 4 Community replies | Bug Reports

Academy Lab Feedback: Exploiting NoSQL operator injection to bypass authentication

Hi, I was working on this lab, and found the description misleading. It suggested that I needed to login as the user called "administrator" to solve the lab, whereas the actual user required was not called...

Last updated: Jul 09, 2024 07:46AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

No Host header in https://portswigger.net/web-security/host-header/exploiting/lab-host-header-authentication-bypass

It's not possible to pass this lab, because there is no Host header.

Last updated: Jul 08, 2024 02:17PM UTC | 3 Agent replies | 3 Community replies | Bug Reports

highlighted / focused request loses focus in proxy history when new requests arrive

In a recent update to Burp, the current selected request in the HTTP history loses focus when new requests arrive. This can be a bit frustrating as we can no longer select a request and use the arrow keys to jump to the...

Last updated: Jul 08, 2024 12:16PM UTC | 3 Agent replies | 3 Community replies | Bug Reports

Burp Academy: Lab: Authentication bypass via encryption oracle, Missing Error Messages

I'm trying to complete the lab: "Authentication bypass via encryption oracle" without success. I followed the regular solution, as well as the community based video, but it seems that I don't receive any error messages when I...

Last updated: Jul 08, 2024 08:31AM UTC | 4 Agent replies | 4 Community replies | Bug Reports

burp browser not working

checking headless browser not working in burp's browser health Aborting checks due to errors. net.portswigger.browser.Znw: No dev tools websocket output from local chromium process 27668

Last updated: Jul 08, 2024 07:51AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab: CORS vulnerability with basic origin reflection not working

In this lab, I'm stuck on step 5 of the solution: In the browser, go to the exploit server and enter the following HTML, replacing YOUR-LAB-ID with your unique lab URL: <script> var req = new XMLHttpRequest(); ...

Last updated: Jul 05, 2024 10:55AM UTC | 16 Agent replies | 22 Community replies | Bug Reports

Challenge is solved when it should not be

Hi support, I was on the challenge "Exploiting HTTP request smuggling to capture other users' requests" and it got solved before I was able to make the simulated user's request being displayed in the comment. As a...

Last updated: Jul 04, 2024 03:33PM UTC | 2 Agent replies | 1 Community replies | Bug Reports

No solution seems to work on this lab

Lab: DOM XSS in jQuery selector sink using a hashchange event I have tried <iframe src="https://0a51000e03217e2682062f3600220028.web-security-academy.net#" onload="this.src+='<img src=x onerror=print()>'"> <iframe...

Last updated: Jul 03, 2024 04:37PM UTC | 1 Agent replies | 0 Community replies | Bug Reports
