Burp Suite User Forum


Passing NTLM credentials not working

Hi, I am using the trial version BURP Pro 2021.9.1 and trying to test the vulnerability scanning. I am using the proxy and built-in BURP browser to open up my web application. My web application uses Windows...

Last updated: Feb 16, 2022 03:31PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Lab Reflected XSS protected by CSP, with dangling markup attack

Hello there, could you verify that the solution of this lab is still working? https://portswigger.net/web-security/cross-site-scripting/content-security-policy/lab-csp-with-dangling-markup-attack I tried both of these...

Last updated: Feb 15, 2022 05:59PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab: Web cache poisoning via an unkeyed query string

The Origin header does not act as a cache buster. I submitted my malformed query string with the Origin header and it solved the lab, i.e. the Origin header is not a keyed header.

Last updated: Feb 15, 2022 09:28AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Burp Collaborator Error

Initiating health check Server address resolution Success Server HTTP connection Warning Server HTTPS connection (trust enforced) Warning Server HTTPS connection (trust not enforced) Error Server SMTP connection on...

Last updated: Feb 15, 2022 09:02AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Unable to get 302 Response

Currently attempting the "Lab: Response queue poisoning via H2.TE request smuggling" lab. Unable to advance as I am not able to get a 302 response containing the admin's new post-login session cookie even after sending out...

Last updated: Feb 14, 2022 09:40AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

CA certificate not found

I am trying to install the Burp CA but every time I go to http://burpsuite/ I get a "server not found" error. I tried running burpsuite through the terminal and even configured my proxy settings to match burpsuite's proxies,...

Last updated: Feb 14, 2022 09:12AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

this error occurs when I enter a proxy - Open Browser

net.portswigger.devtools.client.a4: Unable to start browser: DevTools listening on ws://127.0.0.1:3520/devtools/browser/....

Last updated: Feb 11, 2022 08:58AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab seems doesn't work

https://portswigger.net/web-security/host-header/exploiting/lab-host-header-routing-based-ssrf Keep getting (Server Error: Gateway Timeout (3) connecting to 192.168.0.0) in Intruder. Even if I follow step by step YouTube...

Last updated: Feb 10, 2022 11:02AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

"Lab: Modifying serialized data types", is having an unintended solution

I tried to access the admin panel by changing only the username to 'administrator' and its character string value to 13. It throws an error with 3 'access_token'. One of those 'access_token' is the administrator's...

Last updated: Feb 10, 2022 08:55AM UTC | 0 Agent replies | 0 Community replies | Bug Reports

HTTPS websites problem

Hi, I run Burp Suite Professional on Win10, version 2021.12.1. Installed as the documentation says, but I have a problem with HTTPS. HTTP works fine, CA installed. If I try a website with HTTPS it is not shown in embedded...

Last updated: Feb 09, 2022 01:45PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

report does not include the correct request and response

Hi, we ran an audit scan and detected a stored XSS issue. For that path "/" there were many requests, one of them was able to perform stored XSS. The report and also the issues screen show only the basic request GET...

Last updated: Feb 08, 2022 04:14PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Solved labs in the Academy are not shown as solved.

Hello, I solved the levels listed below but it is not noted outside the lab (e.g. "Track my progress"). However, when I access the labs I receive the message "Congratulations, you solved the lab!". Lab: Reflected XSS...

Last updated: Feb 07, 2022 11:12AM UTC | 3 Agent replies | 2 Community replies | Bug Reports

LAB Authentication bypass via OAuth implicit flow

I am trying to access lab "Authentication bypass via OAuth implicit flow" but when I go to https://acc41f931f795360c0081ada005a0002.web-security-academy.net/ and click on my account to log in it's giving me an error after We are...

Last updated: Feb 07, 2022 11:06AM UTC | 3 Agent replies | 4 Community replies | Bug Reports

I got this issue after scanning my website. How do I resolve this issue, can you explain it to me please?

There are 3 instances of this issue: / /casa /casa Issue background External service interaction arises when it is possible to induce an application to interact with an arbitrary external service, such as a web or mail...

Last updated: Feb 07, 2022 09:34AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Bug in Lab - Reflected XSS with some SVG markup allowed

Hi, first I want to thank you for these awesome labs! They really rock! Unfortunately I think something is wrong with this challenge: Reflected XSS with some SVG markup allowed. I am able to trigger an alert box, but it...

Last updated: Feb 07, 2022 08:15AM UTC | 7 Agent replies | 10 Community replies | Bug Reports

Application response 500 when burp collaborator is active

Hi, I'm having trouble testing a web application. If I use Burp Collaborator (default or private) the application responds with a 500 error. As soon as I set "Don't use Burp Collaborator" in "Project Options -> Misc" the proxy...

Last updated: Feb 07, 2022 07:58AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Bundled JRE (16.0.2) is not fully compatible with macOS Monterey

Bundled JRE (16.0.2) has a minor font bug that may affect Burp Suite's interface. macOS Monterey does not have the font "Times". Here's the command to reproduce the problem (using Burp Suite Community 2012.12.1 for...

Last updated: Feb 04, 2022 09:36AM UTC | 3 Agent replies | 1 Community replies | Bug Reports

Information exposure in the "interaction" endpoint of the oauth servers

"OAuth authentication" labs. Making a request to the OAuth server like this: "https://oauth-endpoint/interaction/$$$" where '$$$' can be anything. That yields: SessionNotFound: invalid_request at *** (***) at...

Last updated: Feb 04, 2022 09:18AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab: "Web cache poisoning with multiple headers" doesn't work

Hi! In Repeater I keep getting "Timeout in transmission from.." error when adding X-Forwarded- headers, even if I follow step by step instructions I am still getting the same result (no response from the server). Would you mind...

Last updated: Feb 03, 2022 06:50PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Possible bug in "Broken brute-force protection, multiple credentials per request" lab

Hello PortSwigger team, It seems like there's a bug in the lab located at https://portswigger.net/web-security/authentication/password-based/lab-broken-brute-force-protection-multiple-credentials-per-request The lab has...

Last updated: Feb 03, 2022 03:45PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

