Burp Suite User Forum
Found 50 posts in 26 threads
the tests I did on abc.com on xyz.com, is it possible in Burp Suite to just edit the URL from abc to xyz
easily intercept the internet browsing (both HTTP and HTTPS), but I am unable to intercept the application (xyz … ) traffic and can browse the application (xyz) easily when intercept is on. … I am getting an error saying FAIL TO CONNECT TO application (xyz)
P.S.: the application(xyz) is already
Here:
xyz' AND '1'='1
…xyz' AND '1'='2
I don't understand what those quotes ' ' are, in the
eg:
http://www.domain.com/abc/page1/Could+not+create+url+for+page+path:+/xyz
http://www.domain.com … url+for+page+path:+/pqr
http://www.domain.com/abc/123/dir1/page1/Could+not+create+url+for+page+path:+xyz … /subdir1
http://www.domain.com/abc/564/dir3/page1/Could+not+create+url+for+page+path:+dir2/page1/xyz
SQL statement we are injecting below (blind SQLi with conditional responses using the TrackingId)
...xyz
For example, on this, ...xyz' AND '1'='1, I noted that there was no extra SQL being processed … in that query; hence if I tried ...xyz' AND '1'='1-- it will be 'executed', but then logically it will be … incorrect; hence the structure of the query I am testing can be ...xyz' AND '1'='1' ending with a '
the blind SQL injection labs. I got lost when I saw this query in the solution:
'''
TrackingId=xyz … I saw it again in the next lab, which runs on PostgreSQL:
'''
TrackingId=xyz'||pg_sleep(10)--
'''
web-security/sql-injection/blind), you can see that the material teaches the following command:
xyz … To solve the lab, the following command is used:
xyz' AND (SELECT SUBSTRING(password,1,1) FROM users … web-security/sql-injection/blind/lab-conditional-errors), where the learning material shows this code:
xyz … > 'm') THEN 1/0 ELSE 'a' END FROM Users)='a
and the solution provided uses this kind of code:
xyz
when trying to find the password, you can either use the suggestion from the solution:
TrackingId=xyz … create a slightly different SQL query based on the suggestion from the learning materials
TrackingId=xyz
So it is not true that these queries return true (the first one) or false (the second one):
xyz' UNION … SELECT 'a' WHERE 1=1--
xyz' UNION SELECT 'a' WHERE 1=2--
Both of them make the final query return
Are you replacing the TrackingID cookie value item with "xyz' UNION SELECT 'a' WHERE 1=1--" or appending
The following are given as examples about how to test for truth:
TrackingId=xyz' AND (SELECT 'a' FROM … users LIMIT 1)='a
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator')='a … TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='
GET https://test.com/xyz
PUT https://test.com/xyz
Only one of them (the one that is intercepted
Example HTTP Request:
http://[victim]/XYZ
Example HTTP Response:
HTTP 301
Location: https:/ … /[victim]XYZ
As the / is missing from the document request, we control the domain name string.
I'm in the first lab of Blind SQL Injection and the payload for the test is:
TrackingId=xyz' AND '1'='1
Why
"TrackingId=xyz AND '1'='1" should return me 'Welcome back!' … , but "TrackingId=xyz AND '1'='2" should not return me anything).
perform an automated scan with Burp Professional and when I run it, I get the message:
"We're sorry but XYZ
Hi Martii,
Just to clarify, where are you seeing the message "We're sorry but XYZ doesn't work properly
Hi All,
Need urgent help. We have a financial application (xyz) and we are running Burp Suite for that
up logging a payload hit for xyz.oastify.com (and abc) in the UI, even though there is no request to xyz
user-agent that identifies the test I was running and the tool I was using ... like: 'ffuf parameter xyz
TrackingId=xyz'||(SELECT '' FROM dual)||'
I am confused by the concatenation symbol "||"; why do we need to
X-SSL-VERIFIED: 1\r\n
X-SSL-CLIENT-CN: administrator\r\n
X-FRONTEND-KEY: 4915524682751556\r\n
\r\n
Value
xyz
illegal reflective access operation has occurred
WARNING: Illegal reflective access by burp.fp4 (file:/xyz
In the macro editor the host column was XYZ, and in the Raw request I had changed the host to ABC ( … Going back to the cookie jar, I had session cookies from host ABC and XYZ.
product={name}&version={currentversion}&license={xyz}"
[2] https://github.com/pajswigger/update-burp
burpsuite_community_linux_v2023_11_1_3.sh.11504.dir/jre/bin/java: Exec format error
uname -a:
Linux XYZ
orange-logo.jpg"
Content-Type: image/jpeg
ÿØÿà�JFIF��H�H��ÿâICC_PROFILE���lcms��mntrRGB XYZ
Instead I pick the payloads I want to scan > right click > “scan defined insertion points” > “add to task xyz
Suggest how to overcome this.
Jenkins Console:
Started by user XYZ
Building remotely on UFT_EntAutomation_N1