Bug Reports - Page 4 - Burp Suite User Forum

Burp 2023.1.2 ignoring intruder payload positions set (or choosing its own?)

Here is the intruder position i have set for port academy lab: GET /filter?category=Gifts HTTP/1.1 Host: 0a7b002803336d41c08ad10900000088.web-security-academy.net Cookie:...

Dominvader removes CSP even if the plugin is turned off

Hi Portswigger Team, I have a weird behavior in Burp Suite Pro v2023.1.2 Build 18945. When I am using the integrated chromium the dominvader plugin removes the CSP even though dominvader itself and prototype pollution is...

Can't solve web cache poisoning with an unkeyed header

It appears that there is no simulated user to view the poisoned JS file and get an alert() no matter how often the cache is poisoned. This means it doesn't seem possible to solve this. Is the simulated user visiting the...

Strange "correct" solution in PHP Deserialization vuln exercise

Hi, I'm refering to a challenge at https://portswigger.net/web-security/deserialization/exploiting/lab-deserialization-arbitrary-object-injection-in-php. It's strange because the payload I thought should work didn't? (or...

IT DOESN'T WORK - Lab: Username enumeration via account lock

I have tried replicating the attack multiple times in multiple modes, looking at both solutions and other walktroughs found on the net, but it does not work. I take the POST, send it to the intruder, in position I put...

Lab: OAuth account hijacking via redirect_uri

The username and password detailed in the lab description wiener:peter don't seem to work for this lab. I tried many times using the password specified but I still get "Invalid username/email or password." Is this a...

The "CORS vulnerability with basic origin reflection" lab seems broken

Hello! Is the "CORS vulnerability with basic origin reflection" lab currently working? I have tried many variations of the solution and none of them successfully complete the lab

BurpSuite Professional v2023.1.2 unable to connect to https://www.google.com

Just freshly installed Burp Suite Professional version 2023.1.2 Launched built-in web browser from Proxy -> Open browser. Tried to connect to https://www.google.com and received No response received from remote server....

External links in description fields of API definition

I am trying to scan an API with Burp Suite Enterprise and I'm getting an error: "Skipping API definition. The data in the definition file is malformed and cannot be read by Burp Scanner. Cause Burp Scanner needs to be...

DOM XSS Flagged - Burp Enterprise

Hi, I have had a few instances of DOM XSS flagged but I'm thinking its a FP: function gBU() { var protocol = window.location.protocol; var port = window.location.port; var host =...

Consistent Burp hangs when 'requesting items again' during the intruder scan.

Burp Pro v2023.1.2 (and previous versions) installed on Mac (not a standalone JAR) keeps hanging and has to be forcefully closed, if the user chooses to 'request items again' for the intruder scan which is still running.

Labs not loading

I click the "Access the lab" button on https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data and the resulting page (https://0a83005204743cb7c065138600cf008d.web-security-academy.net/) does not load the...

Not able to complete - https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages

Hello, I get the below error. "XML parser exited with error: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 108; Premature end of file." Here are my payloads. Exploit server: <!ENTITY % file SYSTEM...

No more activations allowed for this license

I get this for when I try to move my Burp installation to a new computer at work. Can you please add some more for me. This message is really weird, as you're licensing terms seems to be "yeah, it's a per user license, and...

ArrayIndexOutOfBoundsException

Burp starts to randomly fail, Proxy Interception will always display an old request that was long processed and that won't go away, even if I turn interception off, send a couple of requests and turn it on again. Burp is...

Burp is capitalizing the Headers, which breaks some implementations

I realized that when proxying though burp the headers are forwarded capitalized. Ex.: The OPTIONS request returns "Access-Control-Allow-Headers: x-accesstoken" The request in the browser contains the token in...

Ctrl + A-Z doesn't work in Proxy and Repeater

Hi! I've got an issue when hotkeys like copy/paste don't work in some tabs (like Proxy, Repeater and Settings) but work in other tabs (like Decoder). There are similar topics on the forum, but the only root cause I saw...

Can't read Burp File

Hi, Since yesterday, I have been unable to view all the request/response data in the Proxy > HTTP History section of BurpSuite Pro. Whenever I try to filter the data, I receive the following exception (as logged in the...

Collaborator Everywhere and Log4Shell Everywhere Nonfunctional in 2023.1.2 Professional

Hi, Since upgrading to Burp Suite 2023.1.2, myself and colleagues have experienced issues with the function of the Burp extensions Collaborator Everywhere and Log4Shell Everywhere. When installed and loaded, both...

Burp Suite Enterprise Edition does not see/use all present RAM on the server, does not provide AUTH scan.

At the moment we are evaluating the BSEE solution and faced an issue with using recorded login sequences. The application sends an error "The scan is configured to use recorded login sequences. This requires browser-powered...