The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


"Basic clickjacking with CSRF token protection" lab error

When I try to embed the iframe of the page with the delete account button, my session is not included in the iframe. Instead of showing the myaccount page it shows the login page.

Last updated: Aug 27, 2024 07:26AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Unable to start embedded browser on Burpsuite JAR executable

I am running Burp Suite Community Edition latest version (v2024.6.6) on Ubuntu 22.04 and when I try to open the browser from the proxy tab it doesn't open without showing any errors in terminal and in GUI it simply says "Burp...

Last updated: Aug 26, 2024 03:49PM UTC | 1 Agent replies | 2 Community replies | Bug Reports

Repeater - WebSocket Message - Copy to file/Paste from file isn't working

Hello, The Copy to file/Paste from file options in the Burp Suite Repeater tab is not functioning as expected when sending a WebSocket request.

Last updated: Aug 26, 2024 10:44AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Labs not loading/ taking forever to load

I am currently trying to access the 2fa-bypass-using-a-brute-force-attack lab and it takes forever to load the webpage. 99% of the time the connection times out. I have tried Chrome, Firefox, Edge, and a different computer....

Last updated: Aug 26, 2024 06:38AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

BSCP exam

Hello! Please advise on the following: I had an exam on your platform, May 29th, 2023, and failed it. Considering that the first lab was resolved in 30 minutes, but the next one took me more than 3,5 hours without any...

Last updated: Aug 26, 2024 06:37AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Issue with burp suite browser

Noticing an issue with the Chromium browser opened by Burp Suite, essentially run into multiple sites with the same error, an unknown error has occurred. Request is still getting logged, with no response GET /...

Last updated: Aug 23, 2024 10:08AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Reflected XSS labs

The following labs don't trigger a "lab solved" when using the intended solutions: "Reflected XSS with AngularJS sandbox escape and CSP"; "Reflected XSS protected by very strict CSP, with dangling markup attack"

Last updated: Aug 22, 2024 10:41AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab: Stored DOM XSS

The goal is to trigger a stored XSS via alert(). My alert() works, but the lab is not solved (I got the lab via Mystic Lab). I also tried it with the solution payload in case the lab can really only be solved with an...

Last updated: Aug 22, 2024 10:10AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Repeater - never get as response

I am just starting and going through the tutorial. I was able to intercept and modify a request and get responses. But when I select from HTTP history as the tutorial says, and send to Repeater, when I click send on Repeater...

Last updated: Aug 22, 2024 06:24AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

CORS Origin null Lab not working in Firefox and Chromium anymore

Hi there, Context: https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack Issue: Exploit does not trigger, when viewing the exploit on Firefox or Chromium. Still works on Google Chrome (unless you...

Last updated: Aug 21, 2024 08:50PM UTC | 2 Agent replies | 5 Community replies | Bug Reports

can't set intruder resource pool

Java 21, when I use the Intruder, set the resource pool, it tells me "Resource pool - Invalid concurrent requests - min 1 max 999", no matter what number the Maximum concurrent requests is set. Is this a bug, or something wrong...

Last updated: Aug 20, 2024 12:44PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

CORS vulnerability with trusted null origin sends site to victim but victim does not visit site

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script> var req = new XMLHttpRequest(); req.onload = reqListener; ...

Last updated: Aug 20, 2024 07:18AM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Lab: Web shell upload via path traversal | Correct answer is wrong?

Request: GET /files/cmd.php?cmd=cat+/home/carlos/secret HTTP/2 Host: 0a9600c004a6188d80a8bdb500860051.web-security-academy.net Cookie: session=MS2htmTGD9xkK2AK907aZFLSnR7mdeBV User-Agent: Mozilla/5.0 (Macintosh; Intel...

Last updated: Aug 19, 2024 12:53PM UTC | 1 Agent replies | 2 Community replies | Bug Reports

Exploiting path mapping for web cache deception

I've got an "X-Cache: miss" every time I send my request within the 30 s...

Last updated: Aug 19, 2024 10:40AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

504 Gateway Time-out The server didn't respond in time.

Hello, This issue keeps repeating on every lab I'm trying. I keep retrying until the lab loads, which could sometimes work after the 5-10 tries, and sometimes I can try over 50 times, when the page suddenly loads and works...

Last updated: Aug 16, 2024 12:38PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Possible bug in an exam app

I have done the exam and for one of the apps Burp Suite did not find anything. From what I saw in the app it seemed that at least the first stage was through web cache. Could someone confirm if the app was wrong?...

Last updated: Aug 16, 2024 09:10AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

[MontoyaAPI][EditorOptions] Not Working

It appears there may be a bug in the Montoya API. I am using version net.portswigger.burp.extensions:montoya-api:2024.7, and I've encountered an issue where the WRAP_LINES and SHOW_NON_PRINTABLE_CHARACTERS options are not...

Last updated: Aug 15, 2024 10:36AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

IT DOESN'T WORK - Lab: Username enumeration via account lock

I have tried replicating the attack multiple times in multiple modes, looking at both solutions and other walkthroughs found on the net, but it does not work. I take the POST, send it to the intruder, in position I put...

Last updated: Aug 14, 2024 01:17PM UTC | 4 Agent replies | 4 Community replies | Bug Reports

Issues Encountered During Stage 1 of My BSCP Exam App 1

Dear PortSwigger Team, I hope this message finds you well. I managed to solve the App 2 without any difficulties and within the first hour but I encountered some technical issues during Stage 1 App 1 of my exam. To my...

Last updated: Aug 14, 2024 08:31AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Burp Suite not adding custom header

Hi. I'm trying to add a custom header to all requests. There is an option in the 'Session Handling Rule Editor' that does that, or at least it seems that way. The option is 'Set a specific header value' and it has a...

Last updated: Aug 14, 2024 07:21AM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Page 9 of 156
