Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Found 250 posts in 157 threads

Burp certification - unable to validate 7/7 specific labs, stuck at 6/7

- 23/23 lab of each subject - 5/5 mystery labs - 1/1 practice exam However, I'm stuck with 6/7 I've done 3 times each of these specific labs, I'm still stuck at 6/7.

Last updated: Sep 22, 2022 08:56AM UTC | 2 Agent replies | 0 Community replies | How do I?

Exploiting PHP deserialization with a pre-built gadget chain - getting error

Symfony Version: 4.3.6 PHP Fatal error: Uncaught Exception: Signature does not match session in /var/www /index.php:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7 Thanks

Last updated: Jun 05, 2021 09:01AM UTC | 1 Agent replies | 2 Community replies | How do I?

Windows 7

What is the latest version of Burp Suite Pro Comaptible with Windows 7 SP1?

Hi, The latest version of Burp Professional (2020.12) should be compatible with Windows 7 SP1 as long

Last updated: Jun 01, 2023 07:55PM UTC | 1 Agent replies | 1 Community replies | Feature Requests

Lab: Modifying serialized data types - Debug dumps tokens

p9a5ei0x99qi74vejsq36czp0tn1z3d6, xlbjcoe8ecul6sfmtdrt5cm8qqr6o7hx]) Invalid access token for user carlos in /var/www /index.php:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7

Last updated: Aug 20, 2021 02:26PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

PHP deserialization: Signature does not match

receiving this error: PHP Fatal error: Uncaught Exception: Signature does not match session in /var/www /index.php:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7 My secret key: f99oqo0667s8noe1clqktoa99mnzvuq2

Last updated: Sep 05, 2023 06:14AM UTC | 1 Agent replies | 1 Community replies | How do I?

Lab: Exploiting HTTP request smuggling to capture other users' requests-- not solving

HTTP/1.1 Host: ac4f1f451ed62abd80777fe600120062.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 277 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded Cookie: session=iHYDUuNmTs9b7ShaCEmRBOelvPziCAjp csrf=uWmPlPe18wP9v3eDxqZ9LX5xhe6nez67&postId=7&

Last updated: May 04, 2021 08:08AM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab: Modifying serialized data types

PHP Fatal error: Uncaught Exception: Invalid access token for user administrator in Command line code:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7" What is it that i'm doing wrong?

Fatal error: Uncaught Exception: Invalid access token for user administrator in Command line code:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7" The /admin/delete?

PHP Fatal error: Uncaught Exception: Invalid access token for user administrator in Command line code:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7 Can anyone help me?

PHP Fatal error: Uncaught Exception: Invalid access token for user administrator in Command line code:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7 Can anyone help me?

74%39 Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 ??

this error: Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 Then, what I did is:

Modifying serialized objects" PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 echo "O:4:"User":2

Last updated: Jul 19, 2023 11:43AM UTC | 8 Agent replies | 15 Community replies | How do I?

Request Smuggling - Lab does not work

0a5900b7040dfb4fc1db8f1c005d0093.web-security-academy.net Connection: keep-alive Content-Type: application/x-www-form-urlencoded

HTTP/2 Host: 0a77006f03accff4c0f8bd7500440032.web-security-academy.net Content-Type: application/x-www-form-urlencoded HTTP/2 Host: 0a77006f03accff4c0f8bd7500440032.web-security-academy.net Content-Type: application/x-www-form-urlencoded 999 Cookie: session=16gRRn6OyG4I9nMQgFEQ1IzbXd7CNPE8 csrf=3fpHaW38HOFKvaNEitgqJWqjvADUgNAM&postId=7&

HTTP/1.1 Host: 0ac800a704bbd7328148caab006b0005.web-security-academy.net Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked Transfer-encoding: cow 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Apr 24, 2023 06:51AM UTC | 4 Agent replies | 4 Community replies | How do I?

OpenJDK 7 Multiple Vulnerabilities

The version of OpenJDK installed on the remote host is prior to 7 <= 7u351 / 8 <= 8u342 / 11.0.0 <= 11.0.16

Last updated: Dec 16, 2022 01:27PM UTC | 2 Agent replies | 1 Community replies | Bug Reports

1.7.17

Windows 7, full exe install

Last updated: Feb 03, 2017 04:45PM UTC | 2 Agent replies | 3 Community replies | Bug Reports

varfile for unattended installs

That should read RHEL 7

Last updated: Mar 18, 2020 09:21AM UTC | 3 Agent replies | 3 Community replies | How do I?

Cant intercept request in Android 7

So I've installed cert in system root device. i can see PortSwigger in System Trusted credentials. I've set proxy in burp suite with port 8080 and bind to address all interfaces. I've set proxy in my emulator with ip address...

Last updated: Jan 18, 2022 02:20PM UTC | 2 Agent replies | 1 Community replies | How do I?

Burp crashes, asking for license key on relaunch

x64 Windows 7.

Last updated: Jun 12, 2023 06:55AM UTC | 5 Agent replies | 15 Community replies | Bug Reports

Burp UI not working in CentOS 7

The AWS instance has CentOS 7 operating system.

Last updated: May 04, 2020 07:45AM UTC | 6 Agent replies | 4 Community replies | How do I?

HTTP Request Smuggling

responses" is given as "POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded server was given as "GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded should be like this: "GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Content-Length: 146 x=POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

Last updated: Feb 14, 2022 01:54PM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab Login Not Working

HTTP/1.1 Host: ac201f5c1e42e752809e2e6200c0001f.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 272 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded HTTP/1.1 Host: ac201f5c1e42e752809e2e6200c0001f.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 272 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Jul 10, 2020 08:07AM UTC | 3 Agent replies | 5 Community replies | How do I?

HTTP request smuggling, obfuscating the TE header

POST / HTTP/1.1 Host: my host.web-security-academy.net Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked Transfer-encoding: cow 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Mar 05, 2021 03:32PM UTC | 1 Agent replies | 2 Community replies | How do I?

HTTP request smuggling, basic TE.CL vulnerability

i sent: POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: May 20, 2020 01:02PM UTC | 1 Agent replies | 1 Community replies | How do I?

Lab: CSRF where token is tied to non-session cookie

Cookie: session=**************; csrfKey=************************* Content-Type: application/x-www-form-urlencoded session=*******************; csrfKey=<<"obtained CSRF cookie HERE">> Content-Type: application/x-www-form-urlencoded ****; csrfKey=*************************** Referer: https://LAB_ID.web-security-academy.net/ 7.

Last updated: Aug 01, 2024 07:16AM UTC | 6 Agent replies | 8 Community replies | Bug Reports

Lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

HTTP/1.1 Host: ac451f7f1e1dd31780a427f50095008e.web-security-academy.net Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked 71 POST /admin HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded

Last updated: Jan 30, 2020 10:00AM UTC | 3 Agent replies | 2 Community replies | Bug Reports

Not possible to disable "Update Content-Length"

HTTP/1.1 Host: 0a9900df035bbae8c07d5a7d0077009b.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 4 Transfer-Encoding: chunked 5e POST /404 HTTP/1.1 Content-Type: application/x-www-form-urlencoded HTTP/1.1 Host: 0a9900df035bbae8c07d5a7d0077009b.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 105 Transfer-Encoding: chunked 5e POST /404 HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Dec 02, 2022 02:11PM UTC | 3 Agent replies | 3 Community replies | Bug Reports

HTTP Request Smuggling

portwigger: POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Feb 14, 2022 06:44PM UTC | 1 Agent replies | 2 Community replies | How do I?

ca certificate

The URL is http://burp/ - there's no www.

Last updated: Jun 10, 2020 07:32AM UTC | 7 Agent replies | 9 Community replies | Bug Reports

LAB: Exploiting HTTP request smuggling to reveal front-end request rewriting

HTTP/1.1 Host: ac201fbc1fd627ddc0effe2300f200de.web-security-academy.net Content-Type: application/x-www-form-urlencoded username=carlos HTTP/1.1 X-ayZFvQ-Ip: 127.0.0.1 Content-Type: application/x-www-form-urlencoded Content-Length

Last updated: Nov 29, 2021 08:07PM UTC | 1 Agent replies | 2 Community replies | How do I?

Incorrect path reported in target sitemap

are probably problematic too), for example '<link rel="stylesheet" href="あ/style.css" />': # mkdir www meta charset="utf-8"><link rel="stylesheet" href="あ/style.css" /></head><body>test</body></html>' > www /www:/usr/share/nginx/html:ro -p 5000:80 -d nginx 2) browse through Burp to the created webpage (http java.runtime.name OpenJDK Runtime Environment java.runtime.version 21.0.4+7- https://github.com/adoptium/adoptium-support/issues java.vendor.version Temurin-21.0.4+7

Last updated: Sep 05, 2024 10:24AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

vulnerable yes or no

POST /dz588q90/xhr/api/v2/collector/beacon HTTP/1.1 Host: www.---------.com Origin: http://example.com : */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 1410 Origin: https://www.--------.com Connection: close Referer: https://www.realself.com

Last updated: Jul 05, 2021 10:20AM UTC | 0 Agent replies | 0 Community replies | How do I?

Lab 1 Directory traversal(File path traversal, simple case)

3 directory or 4 directory under root directory eg image(218.png) can we present in directory /var/www /image/218.png or /var/www/image/abc/218.png, How we get to know this for applying Directory traversal

Last updated: May 06, 2022 09:39AM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab: HTTP request smuggling, basic TE.CL vulnerability

provided is: POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

0, which is the size of the next chunk in bytes): 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Dec 08, 2022 07:47AM UTC | 6 Agent replies | 6 Community replies | How do I?

Error In php Code

is-warning>PHP Fatal error: Uncaught Exception: Signature does not match session in Command line code:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7</p> <!

is-warning>PHP Fatal error: Uncaught Exception: Signature does not match session in Command line code:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7</p> <!

Last updated: Jul 16, 2020 08:34AM UTC | 3 Agent replies | 4 Community replies | How do I?

Bug in Lab

error Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4

Last updated: May 25, 2021 01:32PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

HTTP request

POST / HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: May 01, 2023 07:18AM UTC | 1 Agent replies | 0 Community replies | How do I?

interface catastrophically broken in recently updated Debian 7

BURP Version: 1.6.09 Debian version: 7.8 (Wheezy) JRE: both OpenJDK and Oracle JRE XOrg Server: both XVFB and QXL Invocation: java -jar ./burpsuite_pro_v1.6.09.jar Mode of failure: Burp Suite windows do not...

Last updated: Feb 02, 2015 08:55AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Lab: HTTP request smuggling, basic TE.CL vulnerability

Please see below: POST / HTTP/1.1 Host: <lab-ID>.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: 0a4200c60375b196c058f06300d100b9.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: 0a55001804a184ac82e056fd001300f2.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST /404 HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Aug 07, 2024 06:52AM UTC | 8 Agent replies | 13 Community replies | How do I?

Lab Not Working Properly

HTTP/1.1 Host: ac821ff91fa6a6ac80911ed1005d00ec.web-security-academy.net Content-Type: application/x-www-form-urlencoded 1.1 Host: aca71f681fe0a61c80c01e0d01930066.web-security-academy.net Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: acaf1f911ef7cfe6801f0c0400ef00b5.web-security-academy.net Content-Type: application/x-www-form-urlencoded Host: exploit-ace11f511e3acff980030cc4010500fe.web-security-academy.net Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: ac7a1f911ef7995e80d3ec5300020083.web-security-academy.net Content-Type: application/x-www-form-urlencoded Host: exploit-acab1f4f1e8899f38092ec9101ef005c.web-security-academy.net Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: acfb1ff41fc0eb70c03ba87e008c000d.web-security-academy.net Content-Type: application/x-www-form-urlencoded Host: exploit-ac6a1f321fcaeb3dc0f4a8cc013d002c.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Sep 22, 2024 11:33PM UTC | 5 Agent replies | 12 Community replies | How do I?

Exploiting HTTP request smuggling to perform web cache poisoning - Not getting results.

HTTP/1.1 Host: acfb1ff41fc0eb70c03ba87e008c000d.web-security-academy.net Content-Type: application/x-www-form-urlencoded Host: exploit-ac6a1f321fcaeb3dc0f4a8cc013d002c.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Oct 18, 2021 08:49AM UTC | 0 Agent replies | 1 Community replies | How do I?

Lab: Arbitrary object injection in PHP

burp request ..Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:5 Stack trace: #0 {main} thrown in /var/www/index.php on line 5

Last updated: Apr 12, 2021 09:19AM UTC | 1 Agent replies | 0 Community replies | How do I?

Missing parameter in HTTP Smuggling request lab

HTTP/1.1 Host: 0a3a008503e2d7a7c03e1b91006c0030.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 256 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: 0abd00da04a3b710c0c4a56b002200b3.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 256 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Jun 29, 2022 02:33PM UTC | 2 Agent replies | 1 Community replies | How do I?

Lab Not Responding

HTTP/1.1 Host: ac6d1fc91e74b3a4808926fc009c005a.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Feb 03, 2022 09:11AM UTC | 7 Agent replies | 8 Community replies | How do I?

Lab: Exploiting HTTP request smuggling to capture other users' requests

the lab POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 256 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Apr 19, 2021 10:55AM UTC | 1 Agent replies | 0 Community replies | How do I?

HTTP request smuggling, obfuscating the TE header

response when i sent this request POST / HTTP/1.1 Host: my lab id Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked Transfer-encoding: cow 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Nov 18, 2020 11:51AM UTC | 1 Agent replies | 0 Community replies | How do I?

Sort entries in the site map by domain components before hostname

com.host1.www com.host1.www1 com.net2.www even though the hostnames are actually displayed as expected

Last updated: Apr 24, 2024 08:00AM UTC | 4 Agent replies | 3 Community replies | Feature Requests

HTTP request smuggling, basic TE.CL vulnerability Lab Queries.

HTTP/1.1 Host: 0a7600cc04f7bab6802e1c2500f700ad.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36 Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked Connection: keep-alive 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Jun 12, 2023 12:58PM UTC | 1 Agent replies | 0 Community replies | How do I?

Exploiting HTTP request smuggling to capture other users' requests

acc91f4d1faf6485c0b70322000b009b.web-security-academy.net Cookie: session=bWpx0z3BW0qJhvBVGo9kof3BBkwpv3qU Content-Type: application/x-www-form-urlencoded Transfer-encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Length: 600 Content-Type: application/x-www-form-urlencoded

Last updated: Dec 19, 2022 04:36PM UTC | 7 Agent replies | 8 Community replies | How do I?

Different URLs in Target: Request, Raw and Site map URL

Here is what is shown in the Site map window right above (list of all URLs): https://www. id=WEB87431-20150616190 HTTP/1.1 Same with: https://www._something_ com/ - GET - /bp_chart.php?

Last updated: Jun 19, 2015 08:08AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Burp Proxy Conection Issue with Black Berry 7 Devices

Hi; We are using burp Pro Version of 1.6.27. In the Security Assesment we are not able to connect with BB7 Device like the Burp Proxy is not connected the BB7 device and it not intercepting. We are using BB7-9320...

Last updated: Oct 09, 2015 01:09PM UTC | 1 Agent replies | 0 Community replies | How do I?

Unable to intercept SSL traffic for Android 7 & above

The version of android we are using are 7, 8, 9.

Last updated: Mar 05, 2019 10:59AM UTC | 1 Agent replies | 0 Community replies | How do I?

invisible proxy

Technical_notes/Add_a_second_IP_address_to_an_existing_network_adapter_on_Windows and "Linux":https://www

Last updated: Jun 05, 2019 04:40PM UTC | 3 Agent replies | 2 Community replies | How do I?

LAB: Exploiting HTTP request smuggling to perform web cache poisoning

I'll past the request: POST / HTTP/1.1 Host: victimhost Content-Type: application/x-www-form-urlencoded postId=1 HTTP/1.1 Host: exploitserver Content-Type: application/x-www-form-urlencoded Content-Length

Last updated: Dec 23, 2021 12:43AM UTC | 4 Agent replies | 5 Community replies | How do I?

Lab Issues: Exploiting HTTP request smuggling to deliver reflected XSS

Exploit: ``` POST / HTTP/1.1 Host: my-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded postId=5 HTTP/1.1 User-Agent: a"/><script>alert(1)</script> Content-Type: application/x-www-form-urlencoded

Last updated: Jan 27, 2022 12:17PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

HTTP smuggling

vulnerabilities: POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

Last updated: Mar 03, 2022 04:04PM UTC | 2 Agent replies | 2 Community replies | How do I?

Academy Leaning Material minor mistake on "Finding HTTP request smuggling vulnerabilities" page.

reads as below: POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

Last updated: Oct 08, 2021 12:52AM UTC | 0 Agent replies | 0 Community replies | Bug Reports

Problem with "Lab: HTTP request smuggling, basic CL.TE vulnerability"

Target' details on the top right. 6.Right click on the request and select 'Smuggle attack (CL.TE)'. 7. By changing the 'prefix' variable in step 7, you can solve all the labs and virtually every real-world oc6ENALO7RzoOG4gf7nO3WuACjtMcBsv Sec-WebSocket-Key: BFiL8g7xBMXsqpxcyoIZxg== Content-Type: application/x-www-form-urlencoded oc6ENALO7RzoOG4gf7nO3WuACjtMcBsv Sec-WebSocket-Key: BFiL8g7xBMXsqpxcyoIZxg== Content-Type: application/x-www-form-urlencoded oc6ENALO7RzoOG4gf7nO3WuACjtMcBsv Sec-WebSocket-Key: BFiL8g7xBMXsqpxcyoIZxg== Content-Type: application/x-www-form-urlencoded

Last updated: Aug 20, 2021 12:00PM UTC | 2 Agent replies | 2 Community replies | Burp Extensions

Lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

HTTP/1.1 Host: aca11fb21f25e1e3803a19b400f90012.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 60 POST /admin HTTP/1.1 Content-Type: application/x-www-form-urlencoded POST /admin HTTP/1.1 -> 20 characters + 2 ending \r\n (22 characters) Content-Type: application/x-www-form-urlencoded

Content-length: 4 Transfer-Encoding: chunked 5f POST /admin HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Aug 17, 2022 02:49PM UTC | 2 Agent replies | 4 Community replies | Burp Extensions

Lab - Modifying serialized objects login fuction not working properly?

PHP Warning: require_once(User.php): failed to open stream: No such file or directory in /var/www :/usr/share/php') in /var/www/index.php on line 1 And I am unable to log in, therefore no request https://0ad70019033a57a1c05c334c004d0082.web-security-academy.net/login Content-Type: application/x-www-form-urlencoded is-warning>PHP Warning: require_once(User.php): failed to open stream: No such file or directory in /var/www :/usr/share/php&apos;) in /var/www/index.php on line 1</p> </div> </section

Last updated: Oct 24, 2022 03:46PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

use burp suite

https://www.?elp.com

Last updated: Sep 21, 2017 09:39PM UTC | 0 Agent replies | 0 Community replies | How do I?

Burp scanner ignores scan configuration exclusion lists

/my_profile;jsessionid=560423289919l0e2g6f88f71qjg4xp1z2uwc408389.5604232899 HTTP/1.1 Host: www..... Connection: close Content-Length: 3002 X-Single-Page-Navigation: true Origin: https://www.....

Last updated: Apr 08, 2020 12:24PM UTC | 3 Agent replies | 2 Community replies | Bug Reports

An incorrect example in the "Exploiting HTTP request smuggling" section on the Web Security Academy.

Transfer-Encoding: chunked 0 POST /login HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded supposed to be: 0 POST /login HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

Last updated: Jul 21, 2023 07:21AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Broken chunked-encoding

like Gecko) Chrome/88.0.4324.150 Safari/537.36 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded keep-alive 96 GET /404 HTTP/1.1 X: x=1&q=smugging&x= Host: example.com Content-Type: application/x-www-form-urlencoded

Last updated: Apr 22, 2021 09:58AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Solution not functional: "Lab: HTTP request smuggling, confirming a TE.CL vulnerability via differential responses"

HTTP/1.1 Host: 0a4c00f10450f67f802cd1480095009f.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 4 Transfer-Encoding: chunked 5e POST /404 HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Sep 17, 2024 11:20AM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Lab: HTTP request smuggling, basic TE.CL vulnerability

document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded postId=9 HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=11 0

postId=9 HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=11 0 postId=9 HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=11 0

Last updated: Sep 26, 2024 05:26PM UTC | 2 Agent replies | 1 Community replies | How do I?

Intercept SSL traffic for Android Nougat 7 and above version.

file in application folder and recomiple every time while doing security testing in Android Nougat 7

Last updated: Aug 21, 2019 03:13PM UTC | 2 Agent replies | 1 Community replies | How do I?

Burp Suite v2023.9.1 + rooted android 7 and 8 certificate unknown

Testes as well with a Android 7 Hafury Mix with user certificate installed the old way.

Last updated: Aug 15, 2023 10:36AM UTC | 1 Agent replies | 0 Community replies | How do I?

Exploiting PHP deserialization with a pre-built gadget chain payload

is-warning>PHP Fatal error: Uncaught Exception: Signature does not match session in Command line code:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7</p> <!

Last updated: Jul 16, 2020 07:54AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab: Exploiting HTTP request smuggling to capture other users' requests

HTTP/1.1 Host: ac4f1f861e1580afc0ad62b3000a0048.web-security-academy.net Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked Content-Length: 251 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: May 26, 2022 12:16PM UTC | 1 Agent replies | 0 Community replies | How do I?

Incorrect Issue Type/Advisory Finding & Remediation

As such, it is recommended to set the header as X-XSS-Protection: 0" Reference https://owasp.org/www-project-secure-headers

Last updated: Jul 28, 2021 08:43AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Modifying serialized objects

this - Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4.

Last updated: Apr 06, 2021 03:26PM UTC | 2 Agent replies | 0 Community replies | How do I?

Proxy connection closed

7f2f9e055a74df967116223c431c9ffc=qub7j1cc8bi084gvtd3p2b1q84 Connection: close Content-Type: application/x-www-form-urlencoded

Last updated: Feb 17, 2018 08:26AM UTC | 3 Agent replies | 5 Community replies | Bug Reports

BCheck SQLi bypass autentication

: 33 Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded

: 33 Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded : 33 Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded

Last updated: Feb 29, 2024 01:50PM UTC | 2 Agent replies | 7 Community replies | Burp Extensions

why there is an empty line after Content-Length header in http smuggle attacks?

for example : POST /search HTTP/1.1 Host: normal-website.com Content-Type: application/x-www-form-urlencoded

Last updated: Mar 21, 2022 06:13PM UTC | 0 Agent replies | 1 Community replies | How do I?

HTTP request Smuggling CL.TE LAB

HTTP/1.1 Host: 0a120052048d10f0c0b07c7700c300bb.web-security-academy.net Content-Type: application/x-www-form-urlencoded

solution : POST / HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Jan 18, 2023 10:45AM UTC | 2 Agent replies | 3 Community replies | How do I?

Lab: HTTP request smuggling, basic CL.TE vulnerability

HTTP/1.1 Host: 0a90006303d9bbc387c5700800820036.web-security-academy.net Content-Type: application/x-www-form-urlencoded

0a3500f90359495b811ec02e002700bc.web-security-academy.net\r\n Connection: keep-alive\r\n Content-Type: application/x-www-form-urlencoded

Last updated: May 31, 2023 06:53AM UTC | 3 Agent replies | 2 Community replies | Bug Reports

Advanced Target Scope - Load File

.*\.example\.com\/* test\.net\/path\/here\/* www\.test\.net\/* -----------

Last updated: Mar 30, 2022 09:52AM UTC | 6 Agent replies | 7 Community replies | How do I?

Burp Scaner with form credentials

The Content-Type is: application/x-www-form-urlencoded

Last updated: Feb 25, 2020 02:53PM UTC | 4 Agent replies | 6 Community replies | How do I?

Lab: CSRF where token is not tied to user session

https://acc21fb41ee34de080e60e9f005f0050.web-security-academy.net/email Content-Type: application/x-www-form-urlencoded https://acc21fb41ee34de080e60e9f005f0050.web-security-academy.net/email Content-Type: application/x-www-form-urlencoded https://acc21fb41ee34de080e60e9f005f0050.web-security-academy.net/email Content-Type: application/x-www-form-urlencoded

Last updated: Jun 08, 2020 09:04AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

how do we calculate value for tranfer encoding??

username=carlos HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length

username=carlos HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length

Last updated: Feb 02, 2022 11:53AM UTC | 2 Agent replies | 2 Community replies | How do I?

Upload File to Burp Collaborator

Hi, It looks like you are trying to achieve what is described in the articles below: - https://www

Last updated: May 14, 2020 12:27PM UTC | 1 Agent replies | 0 Community replies | How do I?

multiple request headers in burpsuite community edition v2023.7.2

Cookie: session=8aVCM2qExzt0Y2t1AJ4WhRIKozqAYedJ Connection: keep-alive Content-Type: application/x-www-form-urlencoded

Last updated: May 25, 2024 06:30AM UTC | 4 Agent replies | 5 Community replies | How do I?

Username enumeration via response timing

0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded 0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded

Last updated: Aug 15, 2024 07:15AM UTC | 6 Agent replies | 5 Community replies | How do I?

unable to intercept traffic on android 7+ if using browser or webview apps

configuring-burp-suite-with-android-nougat/ and now i'am able to intercept the request using burp on android 7+

Last updated: Feb 13, 2020 08:22AM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab: HTTP request smuggling, basic CL.TE vulnerability

Connection: keep-alive Content-Length: 10 Transer-Encoding: chunked Content-Type: application/x-www-form-urlencoded

Last updated: Jan 12, 2021 08:22AM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab: CL-TE request smuggling lab is not working with the official solution.

0ac000af04eed935c3233d650017001f.web-security-academy.net Connection: keep-alive Content-Type: application/x-www-form-urlencoded

Last updated: Mar 15, 2023 05:08AM UTC | 2 Agent replies | 3 Community replies | Bug Reports

Lab: CL-TE request smuggling lab is not working with the official solution

HTTP/2 Host: 0a6f004904bb0b7282f5067100c70057.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Apr 13, 2023 06:37AM UTC | 1 Agent replies | 0 Community replies | How do I?

DOM-based open redirection

burp-suite-explain-dom-based-open-redirection - https://portswigger.net/support/using-burp-to-test-for-open-redirections - https://owasp.org/www-pdf-archive

Last updated: Sep 10, 2021 09:12AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Remove Java JRE 1.9.0_4 on Burp Suite Enterprise Edition v2021.11

We re-installed Burp Suite enterprise version 2021-11 on RHEL 7.

Last updated: Dec 15, 2021 04:01PM UTC | 2 Agent replies | 1 Community replies | How do I?

Unable to solve: Lab: Exploiting HTTP request smuggling to perform web cache poisoning

/1.1 Host: abcdabcdabcdabcdabcdabcdabcdabcde.web-security-academy.net Content-Type: application/x-www-form-urlencoded 1.1 Host: exploit-exploitexploitexploitexploitexpl.exploit-server.net Content-Type: application/x-www-form-urlencoded

Last updated: Jul 31, 2024 12:15PM UTC | 1 Agent replies | 0 Community replies | How do I?

Scanner "X-Forwarded-For dependent response" check alters Content-Type?

Accept-Encoding: gzip, deflate X-CSRFToken: I7qjj8Iz3XwEEwu2gL4ZcePHMdNjOUD6 Content-Type: application/x-www-form-urlencoded Connection: close X-Forwarded-For: 127.0.0.1 Notice the change to "Content-Type: application/x-www-form-urlencoded

Last updated: Jun 01, 2016 08:25AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

HTTP1.1 replaced by HTTP/2 in response header?

Every time I send POST / HTTP/1.1 Host: ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Mar 27, 2023 07:35AM UTC | 6 Agent replies | 6 Community replies | Bug Reports

"Lab: HTTP request smuggling, basic TE.CL vulnerability" need help in understanding

HTTP/1.1 Host: ac2f1f0e1ea3d02180733e8600de008b.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Feb 17, 2020 04:33PM UTC | 2 Agent replies | 1 Community replies | How do I?

Server-side pause-based request smuggling ISSUE

web-security-academy.net Cookie: session=mAbLimPqmVB5vNGU7notqlDu7ZCsW8O4 Content-Type: application/x-www-form-urlencoded

0a9500d103b3bce3804ce9c5006a0004.web-security-academy.net Connection: keep-alive Content-Type: application/x-www-form-urlencoded

Last updated: Jul 05, 2024 08:21AM UTC | 4 Agent replies | 2 Community replies | How do I?

Impossible to use burp.

We've tested this using Windows 7 Ultimate and could not replicate your issue.

Hi Liam, I'm using Windows 7. BURP is working fine. may find it useful to know the following commands to bring the UI back to the main monitor in Windows 7:

Last updated: Jun 09, 2016 08:00AM UTC | 4 Agent replies | 5 Community replies | Bug Reports

Logic error in lntruder module

KHTML, like Gecko) Version/4.0 Chrome/75.0.3770.143 Mobile Safari/537.36 Content-Type: application/x-www-form-urlencoded KHTML, like Gecko) Version/4.0 Chrome/75.0.3770.143 Mobile Safari/537.36 Content-Type: application/x-www-form-urlencoded

Last updated: Jan 13, 2021 03:12PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Burp Pro Crashes Immediately Upon Start

Reloaded Win 7, still displays same behavior. Burp will not load/run on Win 7 or Win 10 on this hardware using several versions of JRE (1.6 up to latest Burp WILL run in a VM (Win 7 & 10) on this hardware. Any chance a dump file would be useful?

Last updated: Nov 18, 2021 03:01PM UTC | 6 Agent replies | 11 Community replies | Bug Reports

burp doesn't take history like this path #something.php?image=photo.jpg

Directory/path traversal vulnerabilities do not usually take this into account: - https://owasp.org/www-community

Last updated: May 25, 2020 08:07AM UTC | 1 Agent replies | 0 Community replies | How do I?

Create an SSL cert with Certbot for a private collaborator server

certbot certonly --webroot -w /var/www/bc.mydomain -d bc.mydomain I get: Invalid response from http

Last updated: Jun 07, 2021 08:45AM UTC | 1 Agent replies | 0 Community replies | How do I?

Need help with password cracking

br X-CSRFToken: up5GX5XUvL5cQnTrHa4Z5DrBnaHeJyWb X-Instagram-AJAX: 1 Content-Type: application/x-www-form-urlencoded br X-CSRFToken: up5GX5XUvL5cQnTrHa4Z5DrBnaHeJyWb X-Instagram-AJAX: 1 Content-Type: application/x-www-form-urlencoded

Last updated: Aug 24, 2016 08:37AM UTC | 1 Agent replies | 0 Community replies | How do I?

Design new extension - Problem with buildRequest and URL Encode

script>alert(1)</script> Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded http://127.0.0.1/a.php Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded

Last updated: Apr 05, 2018 02:11PM UTC | 6 Agent replies | 6 Community replies | Burp Extensions

Lab : Modifying serialized data types. Bug Decoder?

of the video I get this error : PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 I understand that

Last updated: Mar 15, 2021 01:48PM UTC | 2 Agent replies | 1 Community replies | Bug Reports

can't solve lab 'Exploiting time-sensitive vulnerabilities' - invalid token

0af100d8041a969e80e33fd60088007d.web-security-academy.net Dnt: 1 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded 0af100d8041a969e80e33fd60088007d.web-security-academy.net Dnt: 1 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded

Last updated: Oct 02, 2024 03:55PM UTC | 1 Agent replies | 1 Community replies | How do I?

Exploiting HTTP request smuggling to perform web cache deception NOT WORKING

HTTP/1.1 Host: ac921f9e1e43510980d00f8c0079000b.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Sep 13, 2021 08:11AM UTC | 2 Agent replies | 2 Community replies | How do I?

Burpsuite 2.0.0.5 Beta - SocketException on crawls and audits

redirected to the secure version so that's not exactly helpful), and oftentimes, subdomains other than www

Last updated: Sep 17, 2018 11:13AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Extension load error code

os win 7 java 8 update 231 java se development 13 jython 2.7.1

Last updated: Nov 27, 2019 12:06PM UTC | 2 Agent replies | 2 Community replies | Burp Extensions

Burp Does Not Redirect

<FORM NAME="AUTOSUBMIT" METHOD="POST" ENCTYPE="application/x-www-form-urlencoded" ACTION="https://...

Last updated: Jan 31, 2023 12:06PM UTC | 10 Agent replies | 5 Community replies | Bug Reports

TE.CL smuggling labs - official solutions do not work

Connection: keep-alive Transfer-Encoding: chunked 5b GLOOL / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: May 19, 2023 07:30AM UTC | 1 Agent replies | 3 Community replies | Bug Reports

'Drop all out-of-scope requests' not behaving as expected

Add an entry, protocol 'Any', Host or IP range '^www\.google\.com$', leave the rest blank 3.

Last updated: Feb 20, 2019 01:56PM UTC | 1 Agent replies | 1 Community replies | How do I?

Missing PHP Code Injection Detection

module=login&method=loginForm Content-Type: application/x-www-form-urlencoded Content-Length: 63 Cookie

module=login&method=loginForm Content-Type: application/x-www-form-urlencoded Content-Length: 63 Cookie

Last updated: Jun 24, 2020 01:30PM UTC | 1 Agent replies | 2 Community replies | Bug Reports

project file stops populating proxy history

My environment: Windows 7 guest in VirtualBox, the host is a debian.

Last updated: Mar 03, 2020 11:55AM UTC | 3 Agent replies | 3 Community replies | Bug Reports

2FA bypass using a brute-force attack

q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Last updated: Dec 02, 2021 08:49PM UTC | 3 Agent replies | 3 Community replies | How do I?

Send request in the same connection turbo intruder

req POST / HTTP/1.1 Host: example.com Connection: keep-alive Content-Type: application/x-www-form-urlencoded

Last updated: Sep 28, 2022 02:16PM UTC | 1 Agent replies | 0 Community replies | Burp Extensions

Lab: HTTP request smuggling, basic CL.TE vulnerability (Help for a noob)

1.1 Host: yourclientid.web-security-academy.net Connection: keep-alive Content-Type: application/x-www-form-urlencoded

Last updated: Aug 20, 2019 09:50PM UTC | 0 Agent replies | 1 Community replies | How do I?

Burp does not set SNI on the outgoing connection to an SSL enabled web server

Tested Version: 1.7.23 Free Tested Platform: Windows 7 SP1 What is holding up this fix??? While it is true that Java 7+ will automatically add SNI hostnames to the handshake, there are situations that the browser can correctly access a SNI-enabled site through the LittleProxy upstream proxy. 7.

Last updated: Mar 06, 2019 08:41AM UTC | 14 Agent replies | 16 Community replies | Bug Reports

Bug in Site map tab while showing only items in scope.

browse to the URL www.sapo.pt In the scope I have reg exp with: Protocol: HTTP Host or IP: ^www

Last updated: Mar 25, 2015 08:24AM UTC | 4 Agent replies | 5 Community replies | Bug Reports

Disable content type changes

further investigation it appears to be a result of Burp rewriting the content type from 'application/x-www-form-urlencoded

Last updated: Nov 23, 2018 08:42AM UTC | 2 Agent replies | 1 Community replies | How do I?

lab question

<form id="my_form" action="/post/comment" method="POST" enctype="application/x-www-form-urlencoded">

Last updated: Nov 12, 2019 01:05PM UTC | 5 Agent replies | 5 Community replies | How do I?

HTTPRQ Lab - Exploiting HTTP request smuggling to deliver reflected XSS

HTTP/1.1 Host: ac231f491feb99a4807c00a50038000f.web-security-academy.net Content-Type: application/x-www-form-urlencoded HTTP/1.1 Host: ac231f491feb99a4807c00a50038000f.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Sep 05, 2021 01:14AM UTC | 1 Agent replies | 3 Community replies | Bug Reports

Burpsuite error or using incorrectily

0 Upgrade-Insecure-Requests: 1 Origin: https://www.kkkkkkkk.com Content-Type: application/x-www-form-urlencoded

Last updated: Jun 17, 2021 03:42PM UTC | 3 Agent replies | 3 Community replies | How do I?

Username enumeration via response timing problems with X-Forwarded-For header

Upgrade-Insecure-Requests: 1 Origin: https://asdsdasdasd.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Nov 09, 2023 12:57PM UTC | 1 Agent replies | 1 Community replies | How do I?

Excel Macro & Burp

compatible; MSIE 6.0; Windows NT 5.0)" objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded

Last updated: May 29, 2024 07:39AM UTC | 1 Agent replies | 0 Community replies | How do I?

websockets 'Send to' repeater & intruder

Yikes, 7 years and this feature is still not possible to send WS messages to intruder :(

Last updated: Aug 21, 2023 01:57PM UTC | 14 Agent replies | 20 Community replies | Feature Requests

Cert expiration time

This happens on apps using Chrome as a web-frame on Android 7.

Last updated: Nov 20, 2017 10:37PM UTC | 3 Agent replies | 2 Community replies | Feature Requests

Valid XSS not reporting in issues ? Is it me?

max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://testphp.vulnweb.com Content-Type: application/x-www-form-urlencoded

Last updated: Aug 23, 2021 02:25PM UTC | 2 Agent replies | 3 Community replies | Bug Reports

SSL SNI not used with upstream proxy

Tested Version: 1.7.23 Free Tested Platform: Windows 7 SP1 The issue of Burp not sending SNI in SSL While it is true that Java 7+ will automatically add SNI hostnames to the handshake, there are situations that the browser can correctly access a SNI-enabled site through the LittleProxy upstream proxy. 7.

Last updated: May 26, 2017 12:53PM UTC | 2 Agent replies | 3 Community replies | Bug Reports

Lab: Exploiting HTTP request smuggling to perform web cache deception (Solution incorrect)

POST / HTTP/1.1 Host: xxx-your-lab-id-xxx.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Jun 25, 2021 07:17AM UTC | 4 Agent replies | 7 Community replies | How do I?

Dragger not showing after 200 requests

Just wanted to report also having this issue on the Numbus look/feel with the Windows 7 system, changing

Last updated: Oct 14, 2015 07:47AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Temporary file disk usage and dedicated temp file drives

Thank you very much for responding about this. 1) 32-bit Windows 7, Java 1.6, Burp Suite Free Edition

Last updated: Aug 03, 2017 03:31AM UTC | 3 Agent replies | 2 Community replies | Bug Reports

Genymotion android emulator TLS error

Hi, What version of Android are you running and, if the version is 7 or above, have you installed the

Last updated: Aug 01, 2022 09:27AM UTC | 4 Agent replies | 5 Community replies | How do I?

Allowing the symbol "&" to be part of a string, instead of being something else

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Type: application/x-www-form-urlencoded

Last updated: Feb 08, 2021 06:26PM UTC | 2 Agent replies | 9 Community replies | How do I?

SSO with microsoftonline.com

sXXX0T-HXXXxb-FXXXH_cfXXX6-KHXXXX81&cbcxt=&username=USER%40ENTERPRISE_OFFICE_DOMAIN.com&mkt=&lc= with a www-form-urlencoded ENTERPRISE_OFFICE_DOMAIN.com mkt lc This is followed by a POST to ttps://login.microsoftonline.com/login.srf with www-form-urlencoded

Last updated: Jun 11, 2019 02:26PM UTC | 1 Agent replies | 1 Community replies | How do I?

HTTP Request Smuggling POST Request with Body

a GET request: POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

Last updated: May 29, 2020 08:12AM UTC | 1 Agent replies | 0 Community replies | How do I?

XSS False positive

fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded

Last updated: Nov 09, 2016 09:32AM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Unable to build http request with header

103.0.5060.134 Safari/537.36, Connection: close, Cache-Control: max-age=0, Content-Type: application/x-www-form-urlencoded

Last updated: May 09, 2023 10:43AM UTC | 1 Agent replies | 0 Community replies | Burp Extensions

No Host header in https://portswigger.net/web-security/host-header/exploiting/lab-host-header-authentication-bypass

u=1 te: trailers content-type: application/x-www-form-urlencoded

Last updated: Jul 08, 2024 02:17PM UTC | 3 Agent replies | 3 Community replies | Bug Reports

Missed SQL Injection

=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Last updated: Nov 23, 2021 08:40AM UTC | 2 Agent replies | 2 Community replies | Bug Reports

trouble installing

Linux kali 4.19.118-Re4son-v81+ #1 SMP PREEMPT Thu May 7 02:54:03 UT 2020 aarch64 GNU/Linux The jar

Last updated: May 06, 2022 06:55AM UTC | 4 Agent replies | 3 Community replies | How do I?

Lab: 2FA bypass using a brute-force attack doesn't get me a 302

Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Last updated: Jul 05, 2022 07:53AM UTC | 1 Agent replies | 0 Community replies | How do I?

Adding X-Forwarded-For to bypass IP based brute force protection

https://acaf1f021f283a268092b4c2004c008d.web-security-academy.net/login Content-Type: application/x-www-form-urlencoded

q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Last updated: Mar 15, 2024 07:50AM UTC | 7 Agent replies | 7 Community replies | How do I?

Hey, I'm having an error when launching payload

id=wiener Content-Type: application/x-www-form-urlencoded Content-Length: 117 Connection: close Cookie

Last updated: Apr 23, 2020 02:12AM UTC | 1 Agent replies | 6 Community replies | How do I?

can load HTTPS. but not intercept ?

With Java 8 and Java 7 it doesn't work, With java 6 works. How can it work with java 8?

Last updated: Mar 25, 2019 06:56AM UTC | 6 Agent replies | 10 Community replies | How do I?

Authentication Multi factor lab - 2FA Broken Login

q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Last updated: Jul 19, 2022 05:32PM UTC | 1 Agent replies | 0 Community replies | Feature Requests

Burp Extension CSRF Token

cookie values are set here Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded

Last updated: Jan 13, 2017 08:47PM UTC | 0 Agent replies | 2 Community replies | How do I?

Audit Item Status shows " Error Request time out and Unknown Errors "

like Gecko) Chrome/84.0.4147.125 Safari/537.36 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded

Last updated: Sep 02, 2020 12:29PM UTC | 2 Agent replies | 1 Community replies | Bug Reports

BurpSuite Proxy Listener, Mac OS and Chrome not playing nice together

BurpSuite by attacking a local instance of WebGoat (intentionally-vulnerable web app at https://owasp.org/www-project-webgoat

Last updated: Sep 05, 2023 09:14AM UTC | 2 Agent replies | 1 Community replies | How do I?

Same site, two different authentication methods (Basic first, then NTLM)

connect to the site, you're redirected to the BIG-IP's proxied.site.com/my.policy page, which wants Basic WWW

Last updated: May 09, 2016 07:43AM UTC | 1 Agent replies | 0 Community replies | How do I?

Copy/Paste/Cut shortcuts (CTRL+C/V/X) are not working on Windows 10

We upgraded a base Windows 7 install to Windows 10, and then installed the latest Oracle JRE 8, and Burp

Last updated: Aug 10, 2021 09:14AM UTC | 6 Agent replies | 4 Community replies | Bug Reports

Username enumeration via response timing: not getting response using repeater with X-Forwarded-For

Origin: https://ace11f691fef2ad580c703dd004a00c5.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Aug 09, 2021 10:41AM UTC | 1 Agent replies | 0 Community replies | How do I?

Disable autocomplete inside Burp

I'm using the latest pro version and I see it across systems including Windows 7/10, Ubuntu 16.04, and

Last updated: Jun 20, 2018 03:33PM UTC | 3 Agent replies | 3 Community replies | How do I?

Crawl & audit very slow, never finishes (Burp pro 2020.9)

We are running into very similar issue in some of our environments (Windows 7 and Windows 10) where Burp

Last updated: Jun 13, 2022 12:46PM UTC | 4 Agent replies | 4 Community replies | Bug Reports

Intruder only works after repeater...sort of

Upgrade-Insecure-Requests: 1 Origin: https://um-auth-qa.auth.eu-west-1.amazoncognito.com Content-Type: application/x-www-form-urlencoded

Last updated: Dec 02, 2020 09:28AM UTC | 1 Agent replies | 2 Community replies | How do I?

burp is running with a black display

Hi Liam, I'm using Windows 7. BURP is working fine. may find it useful to know the following commands to bring the UI back to the main monitor in Windows 7:

Last updated: Jan 16, 2020 10:10AM UTC | 5 Agent replies | 4 Community replies | How do I?

Bundled JRE can generate DH pairs larger than 2048 bits

I am using the platform installer on Windows 7. Now at version 2.0.12.

Last updated: Nov 20, 2018 04:35PM UTC | 5 Agent replies | 5 Community replies | Bug Reports

Handling multipart requests with Montoya API

request that looks like this: POST /something HTTP/1.1 Host: whatever Content-type: application/x-www-form-urlencoded

Last updated: Sep 08, 2023 04:08PM UTC | 2 Agent replies | 1 Community replies | Burp Extensions

Password Reset Poisoning via Dangling Markeup

Origin: https://0a3100a703b733a780cdd52400fa00cc.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Aug 28, 2023 10:56AM UTC | 7 Agent replies | 7 Community replies | Bug Reports

Mystery lab challenges that require to submit solution seem to be broken

HTTP/1.1 Host: {BURP_LAB}.web-security-academy.net Content-Length: 39 Content-Type: application/x-www-form-urlencoded

Last updated: Mar 21, 2022 01:46PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Different results Automated Scan vs Manual Active Scan

q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Last updated: Jun 13, 2022 09:26AM UTC | 1 Agent replies | 0 Community replies | How do I?

Combine Web Cache Poisoning Vulnerabilities Lab Issue

I've followed the steps but at the 7:54 minute mark, I went to try to check if the response site would

Last updated: Aug 27, 2021 03:46PM UTC | 2 Agent replies | 2 Community replies | How do I?

Auditing not calling doActiveScan(...) method via Extensibility API

q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost:8000/ Content-Type: application/x-www-form-urlencoded

Last updated: Mar 15, 2019 03:28PM UTC | 4 Agent replies | 4 Community replies | Burp Extensions

Freezes in scanner

The above is what is happening when running on Windows 7 and Windows 8.1.

Last updated: Oct 08, 2019 05:41PM UTC | 4 Agent replies | 7 Community replies | Bug Reports

BurpSuite Error: failed to negotiate an SSL connection

For Android 7+ devices I found this link about the security feature that does not allow apps to trust