The Burp Suite User Forum will be discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Centre. To discuss with other Burp users, head to our Discord page.

Lab: Stealing OAuth access tokens via an open redirect

In this lab, there seems to be a problem with the victim accessing the link. No matter what payload is being sent, the logs don't show the victim's IP address, showing they never accessed it, so the lab can't be finished.

Last updated: Aug 28, 2024 09:31AM UTC | 0 Agent replies | 1 Community replies | Bug Reports

504 Gateway Timeout

Hello, I am using Burp Suite Professional and when completing the labs it randomly gives me a 504 Gateway Timeout. I have to close the lab completely and load it again, which consumes time because it does it quite a lot. Is...

Last updated: Aug 28, 2024 07:49AM UTC | 5 Agent replies | 7 Community replies | Bug Reports

HTTP Match And Replace Rules Bug

Hello, I am using Burp Suite Professional version 2024.7.4-31588. In this version, I am adding a custom header using the "Match and Replace" section under the proxy settings. For example, if the header I add is "TEST,"...

Last updated: Aug 28, 2024 06:43AM UTC | 1 Agent replies | 1 Community replies | Bug Reports

ClickJacking labs remain as not solved

Hi PortSwigger Team, Even after completing more times "Basic clickjacking with CSRF token protection" and "Clickjacking with form input data prefilled from a URL parameter" labs, they are showing as not solved. I just...

Last updated: Aug 27, 2024 01:48PM UTC | 17 Agent replies | 24 Community replies | Bug Reports

"Basic clickjacking with CSRF token protection" lab error

When I try to embed the iframe of the page with the delete account button my session is not included in the iframe. Instead of showing the myaccount page it shows the login page.

Last updated: Aug 27, 2024 07:26AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Unable to start embedded browser on Burpsuite JAR executable

I am running Burpsuite community edition latest version (v2024.6.6) on Ubuntu 22.04 and when I try to open the browser from proxy tab it doesn't open without showing any errors in terminal and in GUI it simply says "Burp...

Last updated: Aug 26, 2024 03:49PM UTC | 1 Agent replies | 2 Community replies | Bug Reports

Repeater - WebSocket Message - Copy to file/Paste from file isn't working

Hello, The Copy to file/Paste from file options in the Burp Suite Repeater tab is not functioning as expected when sending a WebSocket request.

Last updated: Aug 26, 2024 10:44AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Labs not loading/ taking forever to load

I am currently trying to access the 2fa-bypass-using-a-brute-force-attack lab and it takes forever to load the webpage. 99% of the time the connection times out. I have tried chrome, firefox, edge, and a different computer....

Last updated: Aug 26, 2024 06:38AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

BSCP exam

Hello! Please advise in following: I had an exam on your platform, May 29th, 2023, and failed it. Considering that the first lab was resolved in 30 minutes, but the next one took me more than 3,5 hours without any...

Last updated: Aug 26, 2024 06:37AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Issue with burp suite browser

Noticing an issue with the chromium browser opened by burp suite, essentially run into multiple sites with the same error, an unknown error has occurred. Request is still getting logged, with no response GET /...

Last updated: Aug 23, 2024 10:08AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Reflected XSS labs

The following labs don't trigger a "lab solved" when using the intended solutions: "Reflected XSS with AngularJS sandbox escape and CSP"; "Reflected XSS protected by very strict CSP, with dangling markup attack"

Last updated: Aug 22, 2024 10:41AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab: Stored DOM XSS

The goal is to trigger a stored XSS via alert(). My alert() works, but the lab is not solved (I got the lab via Mystic Lab). I also tried it with the solution payload in case the lab can really only be solved with an...

Last updated: Aug 22, 2024 10:10AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Repeater - never get as response

I am just starting and going thru the tutorial I was able to intercept and modify a request and get responses. But when I select from HTTP history as the tutorial says, and send to repeater, when I click send on repeater...

Last updated: Aug 22, 2024 06:24AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

CORS Origin null Lab not working in Firefox and Chromium anymore

Hi there, Context: https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack Issue: Exploit does not trigger, when viewing the exploit on Firefox or Chromium. Still works on Google Chrome (unless you...

Last updated: Aug 21, 2024 08:50PM UTC | 2 Agent replies | 5 Community replies | Bug Reports

can't set intruder resource pool

Java 21, when I use the intruder, set the resource pool, it tells me "Resource pool - Invalid concurrent requests - min 1 max 999", no matter what number the Maximum concurrent requests is set. Is this a bug, or something wrong...

Last updated: Aug 20, 2024 12:44PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

CORS vulnerability with trusted null origin sends site to victim but victim does not visit site

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script> var req = new XMLHttpRequest(); req.onload = reqListener; ...

Last updated: Aug 20, 2024 07:18AM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Lab: Web shell upload via path traversal | Correct answer is wrong?

Request: GET /files/cmd.php?cmd=cat+/home/carlos/secret HTTP/2 Host: 0a9600c004a6188d80a8bdb500860051.web-security-academy.net Cookie: session=MS2htmTGD9xkK2AK907aZFLSnR7mdeBV User-Agent: Mozilla/5.0 (Macintosh; Intel...

Last updated: Aug 19, 2024 12:53PM UTC | 1 Agent replies | 2 Community replies | Bug Reports

Exploiting path mapping for web cache deception

I've got a "X-Cache: miss" every time I send my request within the 30 s...

Last updated: Aug 19, 2024 10:40AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

504 Gateway Time-out The server didn't respond in time.

Hello, This issue keeps repeating on every lab I'm trying. I keep retrying until the lab loads, which could sometimes work after the 5-10 tries, and sometimes I can try over 50 times, when the page suddenly loads and works...

Last updated: Aug 16, 2024 12:38PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Possible bug in an exam app

I have done the exam and for one of the apps burpsuite did not find anything. From what I saw in the app it seemed that at least the first stage was through web cache. Could someone confirm if the app was wrong?...

Last updated: Aug 16, 2024 09:10AM UTC | 1 Agent replies | 0 Community replies | Bug Reports
