Burp Suite User Forum
Issue: Cross-site scripting (DOM-based). Severity: High. Confidence: Firm. Burp Suite scan found a potential DOM-based XSS. It's on my company's WordPress site using the fluentform plugins. When I inspect element and...
Burp Pro 2021.4.2. When I select in the top menu Intruder -> Scan defined insertion points -> Add to task, Burp scans NOT ONLY the insertion points selected by the § symbol, but also scans other usual points: headers, POST...
I had a Burp Pro installed on a server which was working fine a month back. Today, it again prompted for activation but it failed. What should I do?
Hi, can I reset my lab and learning material progress in the academy? Thank you very much.
I tried to install Burp Pro on my new machine and it failed to activate the key. Help me with activating it.
Hi, I was doing the blind SQL lab using the cookies, but when I intercept the link in my Burp Suite Community Edition, I can't locate the Tracking Id. What would be the problem because all it's like my Burp isn't getting the...
When I have an entry in the Host: header other than the lab host, I receive a 403 error (every time). The published solution says to put collaborator hosts in there; and then to use 192.168.0.x... But both those scenarios...
Hello, I am using Postman and want to integrate it with Burp Suite. I have turned off SSL certificate in general settings in Postman. I am getting the response when custom proxy is turned off, however I am getting an error when...
Why do we need '} and {x:' in this payload - &'},x=x=>{throw/**/onerror=alert,1337},toString=x,window+'',{x:' ?
Occasionally, I used one license for several Burp versions (on one computer). Now I am receiving a "No more activations allowed for this license." I need your help. My order number is FB86651C4E. Thanks
POST / HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type:...
Hello. I've been struggling to resolve a few CSRF challenges, for example "CSRF token is simply duplicated in a cookie". I think I understand the vulnerability and how to exploit it, I followed carefully all steps on...
Hi, I'm trying to proxy an API call with configured certificate and keyfile through Burp Suite. My original (working) curl command: curl -v --key my-key.pem --cert my-cert.crt -H 'Host: my.api.host'...
Hello there, I am currently working on this lab: 2FA bypass using a brute-force attack. I think I have the solution but the problem is I can't get it running. The main problem is that I can't figure out how to pass a...
Hi, I am new to Burp and I am testing the cluster bomb attack. When using the intercept to send an authentication request with username and password to an IAM solution, I get a response with code 200. I send this request...
I have some questions about the 4 modes of scan configuration: Lightweight, Fast, Balanced, Deep: - How are those 4 modes different (except for the time issue)? Example: Deep used XSS, but the other 3 modes do not,.... - How...
Hi, I am not getting the required response, which contains the phrase - "You have made too many incorrect login attempts." Out of a possible 505 requests, not one has a different length and all of them have 200...
Hello, I decided to update Java on Windows through the default Java update program. After doing so, my Burp instance started asking for the license (I can't enter my license again because there are no more activations...
I've been at this one for over a day. I've followed the steps outlined in the solution and followed the steps in the community video but I keep getting the same error. I get to the admin panel and find the CSRF token....
Hi All http messages overlap or are unnecessarily spaced, which makes reading quite complicated. When selecting the text, it moves (spacing before and after the cursor), which makes it difficult to select. I'm currently...