The Burp Suite User Forum will be discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Centre. To discuss with other Burp users, head to our Discord page.


Can't pass the "CSRF with broken Referer validation" lab even if my solution works

Lab-URL: https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses/lab-referer-validation-broken I found a solution that works when I tested with `wiener:peter` but it doesn't get accepted when I deliver...

Last updated: Oct 08, 2024 01:03AM UTC | 3 Agent replies | 5 Community replies | Bug Reports

Burp possibly doesn't close HTTP2 gRPC connection gracefully

First of all, thank you for your great efforts to make HTTP2 available in Burp. I'm using Go gRPC example application named RouteGuide (https://github.com/grpc/grpc-go/tree/master/examples/route_guide) to check Burp can...

Last updated: Oct 07, 2024 01:15PM UTC | 13 Agent replies | 21 Community replies | Bug Reports

I can't intercept nor can I check HTTP history

I tried changing some of proxy settings uninstalling and reinstalling, changing port and address but nothing worked and I don't know why.

Last updated: Oct 07, 2024 12:25PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

I got Secure Connection Failed every time I close and reopen Burp Suite

Hello, I need help solving this problem. Every time I close and reopen Burp, I have to delete the old certificate and regenerate a new one. If I don’t do this, I keep getting a "Secure Connection Failed" error. How can I...

Last updated: Oct 07, 2024 09:35AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Intruder result table's filter by 'highlight' and 'comment' is not working.

I have noticed, if I highlight and/or comment some items from attack result table and try to filter them by these annotations, it doesn't work. I have faced this in version: "burpsuite_community_linux_v2023_2_3.sh". I have...

Last updated: Oct 07, 2024 01:52AM UTC | 1 Agent replies | 2 Community replies | Bug Reports

Lab Exploiting path delimiters for web cache deception - Victim not visiting the exploit page

Hello, the victim in the lab in the object does not seem to visit the exploit page when clicking on "Deliver exploit to victim button". I've experienced the same problem with multiple laboratory instances but it seems to...

Last updated: Oct 05, 2024 03:43PM UTC | 1 Agent replies | 5 Community replies | Bug Reports

Lab: Bypassing rate limits via race conditions - Broken time limit

This lab seems to be broken. Normally it should have a time limit of 15 minutes. Yesterday I started the lab, but it started the lab with 00:00 time. This morning I tried again, same 00:00 time. I also don't see the option...

Last updated: Oct 04, 2024 12:03PM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Burp Browser fails Cloudflare Turnstile verification

Hi, I would like to know if there is any way that I can get Burp Browser to pass Cloudflare Turnstile verification. The website I am testing (www.example.com) uses an OAuth2.0 login from a different site...

Last updated: Oct 04, 2024 08:36AM UTC | 3 Agent replies | 5 Community replies | Bug Reports

Faulty lab: "CORS vulnerability with trusted insecure protocols"

Lab on the "CORS vulnerability with trusted insecure protocols" seems to now work. Payloads tested: <script> ...

Last updated: Oct 04, 2024 08:06AM UTC | 1 Agent replies | 2 Community replies | Bug Reports

HTTP match and replace rules buttons not working

Hi Burpsuite team, I just installed the new Burpsuite version, 2024.9, and noticed that in the "HTTP match and replace rules" section, the Add and Edit buttons do not work. I restarted Burpsuite but the problem...

Last updated: Oct 04, 2024 07:27AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Importing OpenAPI v3.0 spec for scan - "Couldn't read the API definition. Review the definition and correct any syntax errors."

I used a private repo (hence not sharing) OpenAPI .yaml spec to augment a collection, then used redocly-cli to create a v3.1 SON collection and then used @apiture/openapi-down-convert (npm) to downgrade the v3.1 OpenAPI spec...

Last updated: Oct 03, 2024 12:35PM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Burps In Browser Request

Hi all, I’ve encountered an issue recently that I believe reflects a change in behaviour when testing CORS request blocks. In the past, when I needed to test CORS, I would make modifications and use Burp's "In-Browser...

Last updated: Oct 02, 2024 10:56AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab not solve - Reflected XSS protected by very strict CSP, with dangling markup attack

Tried https://skullhat.github.io/posts/reflected-xss-protected-by-very-strict-csp-with-dangling-markup-attack/ and customized script <script> ...

Last updated: Oct 02, 2024 10:49AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

solved the lab and not appearing as solved

I tried everything and it is not working. I even tried Chrome and Firefox; both are not working. LAB: CSRF where token validation depends on request method. My code: <html> <!-- CSRF PoC - generated by Burp Suite...

Last updated: Oct 02, 2024 10:20AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Bug in Lab - Reflected XSS with some SVG markup allowed

Hi, first I want to thank you for these awesome labs! They really rock! Unfortunately I think something is wrong with this challenge: Reflected XSS with some SVG markup allowed. I am able to trigger an alert box, but it...

Last updated: Oct 02, 2024 08:23AM UTC | 10 Agent replies | 14 Community replies | Bug Reports

Activation Failed: No more activations allowed for this license

Hello support, I regularly install new instances of Burp Suite every few months for operations. However, I recently ran into a problem trying to activate a new instance. Any help would be appreciated.

Last updated: Oct 02, 2024 07:04AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Proxy HTTP History - viewing panes not updating

When using the Proxy HTTP History, the request and response viewing panes stop updating after a period of use. The selected request is highlighted in the top pane, but this does not change the contents of the view panes...

Last updated: Oct 01, 2024 01:23PM UTC | 2 Agent replies | 1 Community replies | Bug Reports

CSRF Labs Exploit Delivery Issue

For multiple labs, the exploit is being delivered to the victim, however, the exploit server logs don't show the victim user actually clicking on the exploit. Sometimes, this resolves automatically, however, in multiple...

Last updated: Oct 01, 2024 11:37AM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Project repair generates project file with bad data

I have a project file which was corrupted owing to a power cut. Burp went through the repair process, but when opening the repaired file the Proxy tab is missing and the event log shows a message: Error...

Last updated: Oct 01, 2024 10:54AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Adding or Editing custom column hints break UI

Adding or Editing custom column hints breaks UI if a tooltip is displayed while typing. To reproduce: go to Proxy History, click the meatball menu, click Add Custom Column. Type the following (it is important to type...

Last updated: Oct 01, 2024 10:08AM UTC | 1 Agent replies | 0 Community replies | Bug Reports
