Burp Suite User Forum
Found 30 posts in 26 threads
the tests I did on abc.com on xyz.com, Is it possible in Burpsuite to just edit the url from abc to xyz
easily intercept the internet browsing( http & https both) but I am unable to intercept the application(xyz … ) traffic & can browse the application(xyz) easily when intercept is on. … I am getting an error saying FAIL TO CONNECT TO application(xyz)
P.S.: the application(xyz) is already
Here:
xyz' AND '1'='1
…xyz' AND '1'='2
I don't understand what those quotes ' ' are, in the
eg:
http://www.domain.com/abc/page1/Could+not+create+url+for+page+path:+/xyz
http://www.domain.com … url+for+page+path:+/pqr
http://www.domain.com/abc/123/dir1/page1/Could+not+create+url+for+page+path:+xyz … /subdir1
http://www.domain.com/abc/564/dir3/page1/Could+not+create+url+for+page+path:+dir2/page1/xyz
SQL statement we injecting below (Blind SQLi with conditional responses using the TrackingID)
...xyz
For example on this, ...xyz' AND '1'='1 I noted that there were no extra SQL that were being processed … in that query hence if tried ...xyz' AND '1'='1-- it will be 'executed' but then logically it will be … incorrect hence the structure of the query I am testing can be ...xyz' AND '1'='1' ending with a '
the blind sql injection labs . i got lost when i saw this query on the solution :
'''
TrackingId=xyz … i saw it again on the next lab which runs on postgresql :
'''
TrackingId=xyz'||pg_sleep(10)--
'''
web-security/sql-injection/blind), you can see that the material teaches the following command:
xyz … To solve the lab, it's used the following command:
xyz' AND (SELECT SUBSTRING(password,1,1) FROM users … web-security/sql-injection/blind/lab-conditional-errors), where the learning material shows this code:
xyz … > 'm') THEN 1/0 ELSE 'a' END FROM Users)='a
and the solution provided use this kind of code:
xyz
when trying to find the password, you can either use the suggestion from the solution:
TrackingId=xyz … create a slightly different SQL query based on the suggestion from the learning materials
TrackingId=xyz
So it is not true that these queries return true (the first one) or false (the second one):
xyz' UNION … SELECT 'a' WHERE 1=1--
xyz' UNION SELECT 'a' WHERE 1=2--
Both of them make the final query to return
Are you replacing the TrackingID cookie value item with "xyz' UNION SELECT 'a' WHERE 1=1--" or appending
The following are given as examples about how to test for truth:
TrackingId=xyz' AND (SELECT 'a' FROM … users LIMIT 1)='a
TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator')='a … TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='
GET https://test.com/xyz
PUT https://test.com/xyz
Only one of them( the one that is intercepted
Example HTTP Request:
http://[victim]/XYZ
Example HTTP Response:
HTTP 301
Location: https:/ … /[victim]XYZ
As the / is missing from the document request, we control the domain name string.
I'm in first lab of Blindd SQL Injection and payload for test is:
TrackingId=xyz' AND '1'='1
Why
"TrackingId=xyz AND '1'='1" should return me 'Welcome back!' … , but "TrackingId=xyz AND '1'='2" should not return me nothing).
perform an automated scan with Burp Professional and when I run it, I get the message:
"We're sorry but XYZ
Hi Martii,
Just to clarify, where are you seeing the message "We're sorry but XYZ doesn't work properly
Hi All,
Need urgent help, We have a financial Application(xyz) and we are running burp suite for that
up logging a payload hit for xyz.oastify.com (and abc) in the UI, even though there is no request to xyz
user-agent that identifies the test I was running and the tool I was using .... like: 'ffuf parameter xyz
TrackingId=xyz'||(SELECT '' FROM dual)||'
I am confuse with concatenation symbol "||" ,why need to
X-SSL-VERIFIED: 1\r\n
X-SSL-CLIENT-CN: administrator\r\n
X-FRONTEND-KEY: 4915524682751556\r\n
\r\n
Value
xyz
illegal reflective access operation has occurred
WARNING: Illegal reflective access by burp.fp4 (file:/xyz
In the macro editor the host column was XYZ and the host in the Raw request I had changed it to ABC ( … Going back to the Cookie JAR I had session cookie from host ABC and XYZ.
product={name}&version={currentversion}&license={xyz}"
[2] https://github.com/pajswigger/update-burp
burpsuite_community_linux_v2023_11_1_3.sh.11504.dir/jre/bin/java: Exec format error
uname -a:
Linux XYZ
orange-logo.jpg"
Content-Type: image/jpeg
ÿØÿà�JFIF��H�H��ÿâICC_PROFILE���lcms��mntrRGB XYZ
Instead I pick the payloads I want to scan > right click > “scan defined insertion points” > “add to task xyz
Suggest how to overcome this
Jenkins Console:
Started by user XYZ
Building remotely on UFT_EntAutomation_N1