How do I? - Page 6 - Burp Suite User Forum

Some BUG in Intruder "Scan defined Insertion points"

Burp Pro 2021.4.2 When I select in top menu Intruder -> Scan defined insertion points -> Add to task, Burp do scanning NOT ONLY insertion points selected by § symbol, but do scan in other usual points: headers, POST...

Activation failed for my Burp Pro which was working a month back

I had a Burp Pro installed on a server which was working fine a month back. Today, it again prompted for activation but it failed. What should I do?

Academy progress reset

Hi, can I reset my lab and learning material progress in the academy? Thank you very much.

Lab: Reflected XSS protected by very strict CSP, with dangling markup attack

I can't complete the lab. After I "Deliver the exploit" to victim, I get nothing in the Collaborator. No response at all. I follow everything it says in the solution, I tried several videos with people doing it, but nothing...

I re-installed Burp Pro and Activation Failed

I tried to install burp pro on my new machine and it failed to activate the key. Help me on activating it.

Lab1: Blind SQL injection with conditional errors

Hi, I was doing the blind sql lab using the cookies but when i intercept the link on my burp suite community edition, i can't locate the Tracking Id. What would be the problem because all its like my burp isn't getting the...

Lab: Routing-based SSRF - Published solution generates 403

When I have an entry in the Host: header other than the lab host, I receive a 403 error (every time) The published solution says to put collaborator hosts in there; and then to use 192.168.0.x... But both those scenarios...

400 bad request no ssl sent in postman response

Hello, I am using postman and want to integrate it with burpsuite. I have turned off ssl certificate in general settings in postman. I am getting the response when custom proxy is turned off, however I am getting error when...

Lab: Reflected XSS in a JavaScript URL with some characters blocked

why do we need '} and {x:' in this payload - &'},x=x=>{throw/**/onerror=alert,1337},toString=x,window+'',{x:' ?

No more activations allowed for this license. - after update

Occasionally, I used one license for several Burp versions (on one computer). Now I am receiving a "No more activations allowed for this license." I need your help My order number is FB86651C4E Thanks

HTTP request

POST / HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type:...

Academy: CSRF token is simply duplicated in a cookie

Hello. I've been struggling to resolve a few CSRF challenges, as for example "CSRF token is simply duplicated in a cookie" I think I understand the vulnerability and how to exploit it, I followed carefully all steps on...

Proxy curl request through Burpsuite

Hi, I'm trying to proxy an API call with configured certificate and keyfile though Burpsuite. My original (working) curl command: curl v --key my-key.pem --cert my-cert.crt -H 'Host: my.api.host'...

Web pages don't load through proxy, is this normal?

My problem is something I expected to be rather common, but apparently not. I have set up Burp Suite with Firefox and have used all the correct settings, and it is connecting to the proxy on 127.0.0.1:8080. The Burp Suite...

Lab: Broken brute-force protection, multiple credentials per request CSRF Token issue

When trying to do this lab whenever I send any credentials I get the following error. "Invalid CSRF token (session does not contain a CSRF token)" Even when I just send one credential as a test to see the format. Is...

Burp Intruder Payloads into Makro

Hello There, I am currently working on this lab: 2FA bypass using a brute-force attack. I think i have the solution but the problem is i can't get it running. The main problem is that i can't figure out how to pass a...

Cluster bomb attack

Hi, I am new to Burp and I am testing the cluster bomb attack. When using the intercept to send an authentication request with username and password to an IAM solution, I get a response with code 200. I send this request...

I can't open any portswigger lab using burp suite browser

Whenever I try accessing any lab using burp suite built-in broswer it loads for a while and, then, says: "Can't access the website". What might be the problem? What should I do?

scan configuration

I have some question about 4 modes of scan configuration: Lightweight, Fast, Balanced, Deep: - How are those 4 modes different (except for the time issue)? Example: Deep used XSS, but the other 3 modes do not,.... - How...

Lab: Username enumeration via account lock

Hi, I am not getting the required response, which contains the phrase - "You have made too many incorrect login attempts." Out of a possible 505 requests, not one has a different length and all of them have 200...