Bug Reports

Turbo Intruder: always updating Content-Length header

Hello, I have been trying to launch a HTTP Desync attack using Turbo Intruder. Here is my script: def queueRequests(target, wordlists): engine = RequestEngine(endpoint=target.endpoint, ...

Burp suite consuming all memory and locking on scanners.

Hello, I acquired the burp pro and since then I leave it doing scanners in domains. However it is always consuming all the memory of the Burp and in the end it crashes without finishing the scanner.

Burpsuite starts up then disapears

On kali linux, when I open burp suite from the command line it opens and as soon as I click start burp suite disappears but is still running

Lab: "Web cache poisoning with an unkeyed header" cannot be completed.

I cannot get this lab [0] to work properly, even with the official solution. The instructions work perfectly fine for me, and the injected JS is executed in my browser. However, the "victim" never visits the site, so the lab...

Burp Suite 2 and RSyntaxTextArea library

Hi, one of my plugin, Brida, uses RSyntaxTextArea library for syntax highlighting. Burp Suite 2 seems to use the same library but unfortunately due to a bug (see https://github.com/bobbylight/RSyntaxTextArea/issues/269 )...

Burp scanner using websocket doesn't work with proxy

By using BURP suit on my application , Burp blocks Web socket requests during proxy I configured local proxy on my browser and on Burp application Then tried login my application and starting capture –Web socket request...

Burp Suite Chrome Cert Error: Error net::ERR_CERT_REVOKED

Hi, I'm running: Linux Mint 19.1 Chrome Version 73.0.3683.86 Burp Suite Pro v2.0.18 Beta And I'm getting a bunch of net::ERR_CERT_REVOKED when I use the Burp Suite proxy in Chrome. Cert is working perfectly in...

Backup file false positives

I am getting many, many instances of the "Backup file" issue type. The issue is that the scanner makes a request that is a variant of a legitimate request, for example instead of GET /users/sign_in.json, it will call GET...

run-detectors: unable to find an interpreter for /usr/bin/burpsuite

When I try to start burpsuite community edition this error appears. I tried reinstall java multiple times (multiple versions) but it still doesn't work. Before today everything worked fine... Help would be appreciated

install macOS Catalina

Getting he following error when opening the installer on macOS Catalina “Burp Suite Professional Installer.app” can’t be opened because Apple cannot check it for malicious software. This software needs to be updated....

About out-of-band resource load(HTTP)

Burp Scanner scans may detect "out-of-band resource load (HTTP)". In some cases, a modified Host header or GET request URI parameter may be detected to the Burp collaborator host name, but this is a natural behavior, not an...

Burp Enterprise vs Burp pro

Hello, We've noticed differences in testing results between Burp Enterprise and Burp Professional. May you share any documentation or reasons for the differences? Does Burp pro use a newer engine than Burp Enterprise?...

Lab: Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria

The solution for this lab has an incorrect reference to a .com site instead of the .net site. 11. In Burp Repeater, add the following header, remembering to enter your own exploit server ID: X-Forwarded-Host:...

Decoding doesn't work in read-only fields

In Burp v2020.1 you cannot convert (e.g. base64-decode) smth in the Proxy history (which is read only). When you selected the desired text and type Ctrl+Shift+B, the selection becomes slightly shorter (as if it was...

"Intruder / Scan defined insertion points" doesn't work?

Latest version of Burp Pro - after adding/changing insertion points to a request in Intruder and selecting "Intruder / Scan defined insertion points" doesn't seem to work - it doesn't open the scan launcher nor can I add it...

Render broken in latest version - 2.0.22

Hello, in the latest version 2.0.22 the 'render' function is broken. Not only it opens in an external window now, which is unacceptable, but it displays only a blank page, always. It was working FINE in the previous...

Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft [Broken]

I'm pretty experienced with SQL injection. I've been doing this lab and I even copied and pasted the answer from the solution section into the proper category and it still is returning a database error. The lab is broken...

Error importing custom CA

I have a custom CA that I've created using an existing rootCA in order to have all my devices already trusting burp. The commands used for that were: openssl genrsa -out burp.key 4096 openssl req -x509 -new -nodes...

The exploit server for Lab: "Web cache poisoning with multiple headers" is a stuck

The exploit server for Lab: "Web cache poisoning with multiple headers" is a static website I think (https://acaf1f291e8c19678018001b014100dd.web-security-academy.net/). My lab is stuck because even after refreshing the...

Academy

Hi I tried out, the following piece on the third XSS lab: <lala onfocus="alert(document.cookie)" tabindex="1" id="x" autofocus>test</lala> or URL encoded,...