Burp Suite User Forum

Burp 2023.1.2 ignoring intruder payload positions set (or choosing its own?)

Here is the intruder position I have set for port academy lab: GET /filter?category=Gifts HTTP/1.1 Host: 0a7b002803336d41c08ad10900000088.web-security-academy.net Cookie:...

Last updated: Feb 27, 2023 09:55AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Dominvader removes CSP even if the plugin is turned off

Hi Portswigger Team, I have a weird behavior in Burp Suite Pro v2023.1.2 Build 18945. When I am using the integrated chromium the dominvader plugin removes the CSP even though dominvader itself and prototype pollution is...

Last updated: Feb 27, 2023 09:47AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Can't solve web cache poisoning with an unkeyed header

It appears that there is no simulated user to view the poisoned JS file and get an alert() no matter how often the cache is poisoned. This means it doesn't seem possible to solve this. Is the simulated user visiting the...

Last updated: Feb 27, 2023 09:36AM UTC | 3 Agent replies | 4 Community replies | Bug Reports

Strange "correct" solution in PHP Deserialization vuln exercise

Hi, I'm referring to a challenge at https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-arbitrary-object-injection-in-php. It's strange because the payload I thought should work didn't? (or...

Last updated: Feb 24, 2023 03:16PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

IT DOESN'T WORK - Lab: Username enumeration via account lock

I have tried replicating the attack multiple times in multiple modes, looking at both solutions and other walkthroughs found on the net, but it does not work. I take the POST, send it to the intruder, in position I put...

Last updated: Feb 24, 2023 01:27PM UTC | 2 Agent replies | 2 Community replies | Bug Reports

Lab: OAuth account hijacking via redirect_uri

The username and password detailed in the lab description wiener:peter don't seem to work for this lab. I tried many times using the password specified but I still get "Invalid username/email or password." Is this a...

Last updated: Feb 24, 2023 01:19PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

The "CORS vulnerability with basic origin reflection" lab seems broken

Hello! Is the "CORS vulnerability with basic origin reflection" lab currently working? I have tried many variations of the solution and none of them successfully complete the lab.

Last updated: Feb 23, 2023 09:05AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

BurpSuite Professional v2023.1.2 unable to connect to https://www.google.com

Just freshly installed Burp Suite Professional version 2023.1.2. Launched built-in web browser from Proxy -> Open browser. Tried to connect to https://www.google.com and received No response received from remote server....

Last updated: Feb 23, 2023 08:41AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

External links in description fields of API definition

I am trying to scan an API with Burp Suite Enterprise and I'm getting an error: "Skipping API definition. The data in the definition file is malformed and cannot be read by Burp Scanner. Cause Burp Scanner needs to be...

Last updated: Feb 22, 2023 02:07PM UTC | 2 Agent replies | 2 Community replies | Bug Reports

DOM XSS Flagged - Burp Enterprise

Hi, I have had a few instances of DOM XSS flagged but I'm thinking it's an FP: function gBU() { var protocol = window.location.protocol; var port = window.location.port; var host =...

Last updated: Feb 22, 2023 02:02PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Consistent Burp hangs when 'requesting items again' during the intruder scan.

Burp Pro v2023.1.2 (and previous versions) installed on Mac (not a standalone JAR) keeps hanging and has to be forcefully closed, if the user chooses to 'request items again' for the intruder scan which is still running.

Last updated: Feb 22, 2023 10:12AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Labs not loading

I click the "Access the lab" button on https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data and the resulting page (https://0a83005204743cb7c065138600cf008d.web-security-academy.net/) does not load the...

Last updated: Feb 21, 2023 01:44PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Not able to complete - https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages

Hello, I get the below error. "XML parser exited with error: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 108; Premature end of file." Here are my payloads. Exploit server: <!ENTITY % file SYSTEM...

Last updated: Feb 20, 2023 09:45AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

No more activations allowed for this license

I get this when I try to move my Burp installation to a new computer at work. Can you please add some more for me. This message is really weird, as your licensing terms seem to be "yeah, it's a per user license, and...

Last updated: Feb 20, 2023 08:55AM UTC | 2 Agent replies | 3 Community replies | Bug Reports

ArrayIndexOutOfBoundsException

Burp starts to randomly fail, Proxy Interception will always display an old request that was long processed and that won't go away, even if I turn interception off, send a couple of requests and turn it on again. Burp is...

Last updated: Feb 20, 2023 07:06AM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Burp is capitalizing the Headers, which breaks some implementations

I realized that when proxying through Burp the headers are forwarded capitalized. Ex.: The OPTIONS request returns "Access-Control-Allow-Headers: x-accesstoken" The request in the browser contains the token in...

Last updated: Feb 17, 2023 02:24PM UTC | 3 Agent replies | 1 Community replies | Bug Reports

Ctrl + A-Z doesn't work in Proxy and Repeater

Hi! I've got an issue when hotkeys like copy/paste don't work in some tabs (like Proxy, Repeater and Settings) but work in other tabs (like Decoder). There are similar topics on the forum, but the only root cause I saw...

Last updated: Feb 16, 2023 11:42AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Can't read Burp File

Hi, Since yesterday, I have been unable to view all the request/response data in the Proxy > HTTP History section of BurpSuite Pro. Whenever I try to filter the data, I receive the following exception (as logged in the...

Last updated: Feb 16, 2023 11:25AM UTC | 2 Agent replies | 3 Community replies | Bug Reports

Collaborator Everywhere and Log4Shell Everywhere Nonfunctional in 2023.1.2 Professional

Hi, Since upgrading to Burp Suite 2023.1.2, myself and colleagues have experienced issues with the function of the Burp extensions Collaborator Everywhere and Log4Shell Everywhere. When installed and loaded, both...

Last updated: Feb 15, 2023 09:07PM UTC | 0 Agent replies | 1 Community replies | Bug Reports

Burp Suite Enterprise Edition does not see/use all present RAM on the server, does not provide AUTH scan.

At the moment we are evaluating the BSEE solution and faced an issue with using recorded login sequences. The application sends an error "The scan is configured to use recorded login sequences. This requires browser-powered...

Last updated: Feb 15, 2023 04:55PM UTC | 1 Agent replies | 2 Community replies | Bug Reports
