Search Forum – PortSwigger

Lab : Modifying serialized data types. Bug Decoder?

of the video I get this error : PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www … /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 I understand that … encoded url = %65%33%4d%36%4f%44%6f%69%64%58%4e%6c%63%6d%35%68%62%57%55%69%4f%33%4d%36%4d%54%4d%36%49%6d%46% … 6b%62%57%6c%75%61%58%4e%30%63%6d%46%30%62%33%49%69%4f%33%4d%36%4d%54%49%36%49%6d%46%6a%59%32%56%7a%63%

No Host header in https://portswigger.net/web-security/host-header/exploiting/lab-host-header-authentication-bypass

cookie: session=uh7z8Bd1CaBOY98M1UQs5vtO2syzKWRL cookie: _lab=46% … u=1 te: trailers content-type: application/x-www-form-urlencoded … Thanks for the reply and sorry for bothering.

Missed SQL Injection

identify it with as the following: sqlmap identified the following injection point(s) with a total of 46 … =0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded … JSESSIONID=29DB5859; username=username; password=password payeeId=abc The website is created for … testing web scanner applications, please feel free to use it for that purpose.

Lab: Modifying serialized data types - Debug dumps tokens

y6woegwraq17bq0drumffn0nfujbitmw, p9a5ei0x99qi74vejsq36czp0tn1z3d6, xlbjcoe8ecul6sfmtdrt5cm8qqr6o7hx]) Invalid access token for … user carlos in /var/www/index.php:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7

Lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

Lab doesn't seem to be working for me, even when I follow the solution. Getting timeout errors. … HTTP/1.1 Host: ac451f7f1e1dd31780a427f50095008e.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Transfer-Encoding: chunked 71 POST /admin HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded

HTTP Request Smuggling

Located at https://portswigger.net/web-security/request-smuggling/finding uri The request for "Confirming … responses" is given as "POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded … Transfer-Encoding: chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded … server was given as "GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded … should be like this: "GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

HTTP Request Smuggling

(It accepts limits between 10-15, I get an invalid request error for values less than 9 and 9.).The … portwigger: POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Lab 1 Directory traversal(File path traversal, simple case)

3 directory or 4 directory under root directory eg image(218.png) can we present in directory /var/www … /image/218.png or /var/www/image/abc/218.png, How we get to know this for applying Directory traversal

Lab: HTTP request smuggling, basic TE.CL vulnerability

The solution for the challenge provided is: POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net … Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c … GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=1 0

0, which is the size of the next chunk in bytes): 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

invisible proxy

Here are instruction for "Windows":https://help.oclc.org/Library_Management/EZproxy/Technical_notes/Add_a_second_IP_address_to_an_existing_network_adapter_on_Windows … and "Linux":https://www.2daygeek.com/how-to-add-additional-ip-secondary-ip-in-ubuntu-debian-system/

Solution not functional: "Lab: HTTP request smuggling, confirming a TE.CL vulnerability via differential responses"

Hi Ben, Thank you so much for checking. … I tried the same solution with a colleague and it worked for him as well so it must be something unique … This lead me to reset my Burp user settings and that solved the issue for me. … HTTP/1.1 Host: 0a4c00f10450f67f802cd1480095009f.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-Length: 4 Transfer-Encoding: chunked 5e POST /404 HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Lab: HTTP request smuggling, basic TE.CL vulnerability

Please see below: POST / HTTP/1.1 Host: <lab-ID>.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded … Content-Length: 15 x=1 0 For the host, try leaving out https://.

HTTP/1.1 Host: 0a4200c60375b196c058f06300d100b9.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: 0a55001804a184ac82e056fd001300f2.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-length: 4 Transfer-Encoding: chunked 5c GPOST /404 HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Lab Issues: Exploiting HTTP request smuggling to deliver reflected XSS

So the exact same thing should work for the virtual victim, but this is not the case. … Exploit: ``` POST / HTTP/1.1 Host: my-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded … postId=5 HTTP/1.1 User-Agent: a"/><script>alert(1)</script> Content-Type: application/x-www-form-urlencoded

HTTP smuggling

For example i want to send this request to Confirming TE.CL vulnerabilities: POST /search HTTP/1.1 … Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Content-Length: 4 Transfer-Encoding … : chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

Request Smuggling - Lab does not work

0a5900b7040dfb4fc1db8f1c005d0093.web-security-academy.net Connection: keep-alive Content-Type: application/x-www-form-urlencoded

HTTP/2 Host: 0a77006f03accff4c0f8bd7500440032.web-security-academy.net Content-Type: application/x-www-form-urlencoded … HTTP/2 Host: 0a77006f03accff4c0f8bd7500440032.web-security-academy.net Content-Type: application/x-www-form-urlencoded

For instance, in the lab "https://portswigger.net/web-security/request-smuggling/lab-obfuscating-te-header … HTTP/1.1 Host: 0ac800a704bbd7328148caab006b0005.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Transfer-Encoding: chunked Transfer-encoding: cow 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Lab: Modifying serialized data types

end up with a "Internal Server Error PHP Fatal error: Uncaught Exception: Invalid access token for … user administrator in Command line code:7 Stack trace: #0 {main} thrown in /var/www/index.php on line

Setting the right cookie gives the error "PHP Fatal error: Uncaught Exception: Invalid access token for … user administrator in Command line code:7 Stack trace: #0 {main} thrown in /var/www/index.php on … username=carlos trick dosen't work for me. Still getting the same error.

answer guide) Internal Server Error PHP Fatal error: Uncaught Exception: Invalid access token for … user administrator in Command line code:7 Stack trace: #0 {main} thrown in /var/www/index.php on line

74%39 Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www … /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 ??

this error: Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www … /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 Then, what I did is:

Modifying serialized objects" PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www … /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 echo "O:4:"User":2

Lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

Good morning, The following request in the provided solution did work for me but I don't understand … HTTP/1.1 Host: aca11fb21f25e1e3803a19b400f90012.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-length: 4 Transfer-Encoding: chunked 60 POST /admin HTTP/1.1 Content-Type: application/x-www-form-urlencoded … POST /admin HTTP/1.1 -> 20 characters + 2 ending \r\n (22 characters) Content-Type: application/x-www-form-urlencoded … Thanks in advance for your help. Regards, Luc

Content-length: 4 Transfer-Encoding: chunked 5f POST /admin HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Academy Leaning Material minor mistake on "Finding HTTP request smuggling vulnerabilities" page.

reads as below: POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded … Transfer-Encoding: chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded … Content-Length: 144 x= 0 I believe '7c' is a mistake for the chunk size as it should actually

Lab: HTTP request smuggling, basic TE.CL vulnerability

document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded … postId=9 HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=11 0 … It is necessary for HTTP1.1.

This part of request is waiting for a second request on backend GET /post? … postId=9 HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=11 0 … postId=9 HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 15 x=11 0 … We have response for this request GET /post?postId=9 HTTP/1.1 .... BUT!

Exploiting PHP deserialization with a pre-built gadget chain - getting error

Symfony Version: 4.3.6 PHP Fatal error: Uncaught Exception: Signature does not match session in /var/www … /index.php:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7 Thanks

Lab Login Not Working

HTTP/1.1 Host: ac201f5c1e42e752809e2e6200c0001f.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-Length: 272 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded … HTTP/1.1 Host: ac201f5c1e42e752809e2e6200c0001f.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-Length: 272 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

HTTP request smuggling, obfuscating the TE header

POST / HTTP/1.1 Host: my host.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Transfer-Encoding: chunked Transfer-encoding: cow 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

HTTP request smuggling, basic TE.CL vulnerability

i sent: POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Not possible to disable "Update Content-Length"

HTTP/1.1 Host: 0a9900df035bbae8c07d5a7d0077009b.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-Length: 4 Transfer-Encoding: chunked 5e POST /404 HTTP/1.1 Content-Type: application/x-www-form-urlencoded … HTTP/1.1 Host: 0a9900df035bbae8c07d5a7d0077009b.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-Length: 105 Transfer-Encoding: chunked 5e POST /404 HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Proxy connection closed

when the intercept on it loading for long time and no result POST /index.php/login? … 7f2f9e055a74df967116223c431c9ffc=qub7j1cc8bi084gvtd3p2b1q84 Connection: close Content-Type: application/x-www-form-urlencoded

why there is an empty line after Content-Length header in http smuggle attacks?

for example : POST /search HTTP/1.1 Host: normal-website.com Content-Type: application/x-www-form-urlencoded

Advanced Target Scope - Load File

example.com/* test.net/path/here/* www.test.net/* ----------- Would make the following scopes for … both http and https: ----------- example\.com .*\.example\.com\/* test\.net\/path\/here\/* www\

Scanner "X-Forwarded-For dependent response" check alters Content-Type?

I'm seeing behavior from the active scan check for "X-Forwarded-For dependent response" that changes … When the scanner sends the request with the added X-Forwarded-For header, it changes the content type … Accept-Encoding: gzip, deflate X-CSRFToken: I7qjj8Iz3XwEEwu2gL4ZcePHMdNjOUD6 Content-Type: application/x-www-form-urlencoded … Cookie: sessionid=<redacted>; csrftoken=I7qjj8Iz3XwEEwu2gL4ZcePHMdNjOUD6 Connection: close X-Forwarded-For … : 127.0.0.1 Notice the change to "Content-Type: application/x-www-form-urlencoded" As this app

Issues with Burp Suite Enterprise Edition deployed on GKE

Installation: /usr/local/burpsuite_enterprise Logs: /home/burpsuite/logs Log disk space: 46

C) Since log disk space has been 46 GB I need to delete that. How I can do that ? … E) Can you please let me know the below debug settings and how to use that for debugging ? … settings From time to time, the PortSwigger support team may ask you to enable detailed debugging for

Lab - Modifying serialized objects login fuction not working properly?

PHP Warning: require_once(User.php): failed to open stream: No such file or directory in /var/www … :/usr/share/php') in /var/www/index.php on line 1 And I am unable to log in, therefore no request … For more details, i pasted the request and response below: REQUEST POST /login HTTP/1.1 … is-warning>PHP Warning: require_once(User.php): failed to open stream: No such file or directory in /var/www … :/usr/share/php') in /var/www/index.php on line 1</p> </div> </section

PHP deserialization: Signature does not match

receiving this error: PHP Fatal error: Uncaught Exception: Signature does not match session in /var/www … /index.php:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7 My secret key: f99oqo0667s8noe1clqktoa99mnzvuq2

ca certificate

The URL is http://burp/ - there's no www.

Design new extension - Problem with buildRequest and URL Encode

for(String payload: payloads){ IHttpRequestResponse response = this.callbacks.makeHttpRequest … example to look for XSS, is that if you encode the payload in url encode, you can not try to skip filters … should submit raw non-encoded payloads to insertion points, and the insertion point has responsibility for … script>alert(1)</script> Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded … http://127.0.0.1/a.php Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded

HTTP request Smuggling CL.TE LAB

HTTP/1.1 Host: 0a120052048d10f0c0b07c7700c300bb.web-security-academy.net Content-Type: application/x-www-form-urlencoded … It is not present the chunk length of the second chunk (smuggled one) Thanks in advance for the support

solution : POST / HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded

LAB: Exploiting HTTP request smuggling to reveal front-end request rewriting

HTTP/1.1 Host: ac201fbc1fd627ddc0effe2300f200de.web-security-academy.net Content-Type: application/x-www-form-urlencoded … username=carlos HTTP/1.1 X-ayZFvQ-Ip: 127.0.0.1 Content-Type: application/x-www-form-urlencoded Content-Length

multiple request headers in burpsuite community edition v2023.7.2

Hi i am facing an error saying duplicate headers in request using turbo intruder for this lab. … Cookie: session=8aVCM2qExzt0Y2t1AJ4WhRIKozqAYedJ Connection: keep-alive Content-Type: application/x-www-form-urlencoded

vulnerable yes or no

POST /dz588q90/xhr/api/v2/collector/beacon HTTP/1.1 Host: www.---------.com Origin: http://example.com … : */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded … Content-Length: 1410 Origin: https://www.--------.com Connection: close Referer: https://www.realself.com

project file not saved

The timestamp on the main project file is 11:34 The timestamp of the most recent *backup* is 11:46 … There are only four backup files 09:36 10:07 10:46 11:46 I'm running Burp on a Windows 10 VM … I mention this in case it's relevant, but this is how I've used Burp 1.x for years, successfully.

DOM-based open redirection

/burp-suite-explain-dom-based-open-redirection - https://portswigger.net/support/using-burp-to-test-for-open-redirections … - https://owasp.org/www-pdf-archive/OWASP_Appsec_Research_2010_Redirects_XSLJ_by_Sirdarckcat_and_Thornmaker.pdf

Need help with password cracking

br X-CSRFToken: up5GX5XUvL5cQnTrHa4Z5DrBnaHeJyWb X-Instagram-AJAX: 1 Content-Type: application/x-www-form-urlencoded … set it up to do a sniper attack then I load rockyou.txt as a payload then i start it and i get this for … br X-CSRFToken: up5GX5XUvL5cQnTrHa4Z5DrBnaHeJyWb X-Instagram-AJAX: 1 Content-Type: application/x-www-form-urlencoded … sorry for long post but i have been trying for days to fix this myself and havent got a clue what else

Lab: CSRF where token is not tied to user session

Then by intercepting the POST request for change email 3 times, I found that every time new CSRF token … https://acc21fb41ee34de080e60e9f005f0050.web-security-academy.net/email Content-Type: application/x-www-form-urlencoded … https://acc21fb41ee34de080e60e9f005f0050.web-security-academy.net/email Content-Type: application/x-www-form-urlencoded … https://acc21fb41ee34de080e60e9f005f0050.web-security-academy.net/email Content-Type: application/x-www-form-urlencoded … noiA2Y1vmFgJq4K7HZTTbGP9U8hi04Aq --------------------------------------------------- I don't know if it's just for

Bug in Lab

error Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www … /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4

Lab Not Working Properly

HTTP/1.1 Host: ac821ff91fa6a6ac80911ed1005d00ec.web-security-academy.net Content-Type: application/x-www-form-urlencoded … 1.1 Host: aca71f681fe0a61c80c01e0d01930066.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Hannah, for my sanity, is this lab still working as expected? … HTTP/1.1 Host: acaf1f911ef7cfe6801f0c0400ef00b5.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Host: exploit-ace11f511e3acff980030cc4010500fe.web-security-academy.net Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: ac7a1f911ef7995e80d3ec5300020083.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Host: exploit-acab1f4f1e8899f38092ec9101ef005c.web-security-academy.net Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: acfb1ff41fc0eb70c03ba87e008c000d.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Host: exploit-ac6a1f321fcaeb3dc0f4a8cc013d002c.web-security-academy.net Content-Type: application/x-www-form-urlencoded

HTTP request

POST / HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

burp doesn't take history like this path #something.php?image=photo.jpg

Directory/path traversal vulnerabilities do not usually take this into account: - https://owasp.org/www-community … /attacks/Path_Traversal - https://portswigger.net/support/using-burp-to-test-for-path-traversal-vulnerabilities

Create an SSL cert with Certbot for a private collaborator server

I'd like to use Certbot to create a SSL cert for a private collaborator server on my domain. … certbot certonly --webroot -w /var/www/bc.mydomain -d bc.mydomain I get: Invalid response from http

Username enumeration via response timing

Here is my request I used with Burp Suite (the process worked well for the username) : POST /login … 0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded … 0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded

Exploiting HTTP request smuggling to perform web cache poisoning - Not getting results.

HTTP/1.1 Host: acfb1ff41fc0eb70c03ba87e008c000d.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Host: exploit-ac6a1f321fcaeb3dc0f4a8cc013d002c.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Lab: Arbitrary object injection in PHP

burp request ..Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www … /index.php:5 Stack trace: #0 {main} thrown in /var/www/index.php on line 5

Missing parameter in HTTP Smuggling request lab

HTTP/1.1 Host: 0a3a008503e2d7a7c03e1b91006c0030.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-Length: 256 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: 0abd00da04a3b710c0c4a56b002200b3.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-Length: 256 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Lab Not Responding

HTTP/1.1 Host: ac6d1fc91e74b3a4808926fc009c005a.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Lab: Exploiting HTTP request smuggling to capture other users' requests

the lab POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-Length: 256 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Lab: Exploiting HTTP request smuggling to capture other users' requests-- not solving

HTTP/1.1 Host: ac4f1f451ed62abd80777fe600120062.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-Length: 277 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

HTTP request smuggling, obfuscating the TE header

response when i sent this request POST / HTTP/1.1 Host: my lab id Content-Type: application/x-www-form-urlencoded … Transfer-Encoding: chunked Transfer-encoding: cow 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Burpsuite 2.0.0.5 Beta - SocketException on crawls and audits

redirected to the secure version so that's not exactly helpful), and oftentimes, subdomains other than www … will work as well (for instance recently an api.example.com was successful).

No interaction from victim in Access Logs after sending request to /deliver-to-victim

my own interactions with the exploit server in the access log: ``` 192.184.176.136 2024-08-13 23:46 … AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36" 192.184.176.136 2024-08-13 23:46 … AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36" 192.184.176.136 2024-08-13 23:46 … AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36" 192.184.176.136 2024-08-13 23:46 … able to complete the exploit in the "SameSite Strict bypass via sibling domain" lab earlier today, for

Burp Does Not Redirect

The application I am testing uses SiteMinder for SSO, and this produces a redirect of the form... … <FORM NAME="AUTOSUBMIT" METHOD="POST" ENCTYPE="application/x-www-form-urlencoded" ACTION="https://...

Sort entries in the site map by domain components before hostname

com.host1.www com.host1.www1 com.net2.www even though the hostnames are actually displayed as expected

HTTP request smuggling, basic TE.CL vulnerability Lab Queries.

HTTP/1.1 Host: 0a7600cc04f7bab6802e1c2500f700ad.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36 Content-Type: application/x-www-form-urlencoded … Transfer-Encoding: chunked Connection: keep-alive 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Exploiting HTTP request smuggling to capture other users' requests

acc91f4d1faf6485c0b70322000b009b.web-security-academy.net Cookie: session=bWpx0z3BW0qJhvBVGo9kof3BBkwpv3qU Content-Type: application/x-www-form-urlencoded … Transfer-encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Length: 600 Content-Type: application/x-www-form-urlencoded

Lab: Exploiting HTTP request smuggling to perform web cache deception (Solution incorrect)

I used the following with no success for ages. … POST / HTTP/1.1 Host: xxx-your-lab-id-xxx.web-security-academy.net Content-Type: application/x-www-form-urlencoded … It was the Repeater results in the Burp Search for "POST /" that eventually returned the API Key....wierd … login page might work and return the results in the /resources/css/labs.css although that did not work for

BCheck SQLi bypass autentication

Hi Hannah, and all Can you answer something for BCheck, how can I check for vulnerabilities in the … body of the POST request for example: ``` Content-Length: 33 Sec-Ch-Ua: "Chromium";v="121", " … Not A(Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With … I know that I can use Intruder, but the question is how can I build BCheck who check exactly this for

: 33 Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded … : 33 Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded

Different URLs in Target: Request, Raw and Site map URL

Here is what is shown in the Site map window right above (list of all URLs): https://www. … id=WEB87431-20150616190 HTTP/1.1 Same with: https://www._something_ com/ - GET - /bp_chart.php?

Username enumeration via response timing problems with X-Forwarded-For header

Hello I am know how to solve the lab but most of the times when I pass the X-Forwarded-For:1 I have … Upgrade-Insecure-Requests: 1 Origin: https://asdsdasdasd.web-security-academy.net Content-Type: application/x-www-form-urlencoded … asdsdasdasd.web-security-academy.net/login Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 X-Forwarded-For

LAB: Exploiting HTTP request smuggling to perform web cache poisoning

I'll past the request: POST / HTTP/1.1 Host: victimhost Content-Type: application/x-www-form-urlencoded … postId=1 HTTP/1.1 Host: exploitserver Content-Type: application/x-www-form-urlencoded Content-Length

Logic error in lntruder module

KHTML, like Gecko) Version/4.0 Chrome/75.0.3770.143 Mobile Safari/537.36 Content-Type: application/x-www-form-urlencoded … KHTML, like Gecko) Version/4.0 Chrome/75.0.3770.143 Mobile Safari/537.36 Content-Type: application/x-www-form-urlencoded … time, but I really only want to encrypt the second field, password,Please see the attached screenshot for

can't solve lab 'Exploiting time-sensitive vulnerabilities' - invalid token

i got vary miliseconds for both requests POST /forgot-password HTTP/2 Host: 0af100d8041a969e80e33fd60088007d.web-security-academy.net … 0af100d8041a969e80e33fd60088007d.web-security-academy.net Dnt: 1 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded … 0af100d8041a969e80e33fd60088007d.web-security-academy.net Dnt: 1 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded

Send request in the same connection turbo intruder

req POST / HTTP/1.1 Host: example.com Connection: keep-alive Content-Type: application/x-www-form-urlencoded … ) seqReq = """GET /redirect HTTP/1.1 Host: example.com """ for

Bug in Site map tab while showing only items in scope.

For example: With only the filters: Hidding not found items; hidding empty folders browse to the URL … www.sapo.pt In the scope I have reg exp with: Protocol: HTTP Host or IP: ^www\.microsoft\.com$

lab question

<form id="my_form" action="/post/comment" method="POST" enctype="application/x-www-form-urlencoded"> … appendChild(inp); document.getElementById('my_form').submit(); }); </script> this is my payload for

use burp suite

https://www.?elp.com

Burp scanner ignores scan configuration exclusion lists

/my_profile;jsessionid=560423289919l0e2g6f88f71qjg4xp1z2uwc408389.5604232899 HTTP/1.1 Host: www..... … Connection: close Content-Length: 3002 X-Single-Page-Navigation: true Origin: https://www.....

An incorrect example in the "Exploiting HTTP request smuggling" section on the Web Security Academy.

Transfer-Encoding: chunked 0 POST /login HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded … supposed to be: 0 POST /login HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

HTTPRQ Lab - Exploiting HTTP request smuggling to deliver reflected XSS

without disabling the "Update Content Length" setting, so it's reasonable this is a possible cause for … HTTP/1.1 Host: ac231f491feb99a4807c00a50038000f.web-security-academy.net Content-Type: application/x-www-form-urlencoded … After sending this request a few times, the response should hand for a few seconds while I assume the … HTTP/1.1 Host: ac231f491feb99a4807c00a50038000f.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Broken chunked-encoding

like Gecko) Chrome/88.0.4324.150 Safari/537.36 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded … keep-alive 96 GET /404 HTTP/1.1 X: x=1&q=smugging&x= Host: example.com Content-Type: application/x-www-form-urlencoded

Valid XSS not reporting in issues ? Is it me?

max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://testphp.vulnweb.com Content-Type: application/x-www-form-urlencoded … -- InstanceBeginEditable name="content_rgn" --> <div id="content"> <h2 id='pageName'>searched for:

HTTP Request Smuggling POST Request with Body

I'm having difficulty exploiting it and am looking for guidance on how to smuggle my POST data in a request … a GET request: POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded … Transfer-Encoding: chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded … For example if I want to smuggle the following request my prefix variable is set to: '''POST /search … expectation is that if request smuggling works is that one of the poisoned responses would return the data for

Authentication Multi factor lab - 2FA Broken Login

Hi, I've been trying to solve this lab for a while without success. … I'm not receiving the 302 Found message for verify=Carlos. … q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded … ------------------------------------------------------------------- I'm dividing the brute force for

BurpSuite Proxy Listener, Mac OS and Chrome not playing nice together

BurpSuite by attacking a local instance of WebGoat (intentionally-vulnerable web app at https://owasp.org/www-project-webgoat … I am on a MacOS (important) and using Chrome for the browser. … I Add a new Proxy Listener, and set it to Loopback for port 8080. … I check the box for HTTP proxy and enter 127.0.0.1:8080.

Adding X-Forwarded-For to bypass IP based brute force protection

https://acaf1f021f283a268092b4c2004c008d.web-security-academy.net/login Content-Type: application/x-www-form-urlencoded … X-Forwarded-For:127.0.0.1 Content-Length: 66 Connection: close Cookie: session=z4VDyMjyIL1hiZkh1J78iceO9t4VndLw … 2hCS8v3SGzAz9gWhsu7XyB3GpCi6AKvo&username=adada&password=dada Even though I have added the X-Forwarded-For

Whatever value for the X-Forwarded-For header i am using I am getting the too many attempts message … q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded … web-security-academy.net/login Upgrade-Insecure-Requests: 1 Te: trailers Connection: close X-Forwarded-For

Lab: Exploiting HTTP request smuggling to capture other users' requests

HTTP/1.1 Host: ac4f1f861e1580afc0ad62b3000a0048.web-security-academy.net Content-Type: application/x-www-form-urlencoded … Transfer-Encoding: chunked Content-Length: 251 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Audit Item Status shows " Error Request time out and Unknown Errors "

But even though active scan has been stalled for long time. … like Gecko) Chrome/84.0.4147.125 Safari/537.36 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded … 21Y4&9ijeh=x 1 Z Q Issue2: I have already dropped the mail to support with Screen shots for

XSS False positive

Tx for the great tool, Best regards, Joel Example: POST /path HTTP/1.1 Host: fitnhotel.fr … fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded

Handling multipart requests with Montoya API

request that looks like this: POST /something HTTP/1.1 Host: whatever Content-type: application/x-www-form-urlencoded … Now I want to achieve a similar conversion for multipart/form-data requests. … There are three items in burp.api.montoya.http.message.HttpRequestResponse.request().parameters() for … of handling multipart parameters, so I can extract the data necessary to build something like this for

Burp Extension CSRF Token

it will automatically grab the last response csrf token and insert it into the HTML header parameter for … I was able to parse out the CSRF token received from the server in the response; however, for the request … cookie values are set here Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded

Incorrect Issue Type/Advisory Finding & Remediation

As such, it is recommended to set the header as X-XSS-Protection: 0" Reference https://owasp.org/www-project-secure-headers

Modifying serialized objects

this - Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www … /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4.

Mystery lab challenges that require to submit solution seem to be broken

Example for the "CORS vulnerability with trusted insecure protocols" - for better visibility below requests … HTTP/1.1 Host: {BURP_LAB}.web-security-academy.net Content-Length: 39 Content-Type: application/x-www-form-urlencoded … function at XMLHttpRequest.verifyAnswer (submitSolution.js:19:45) I've seen the same thing for

Unable to write in all kind of inputs after a while

Hi John, Thanks a lot for the feedback. … That is currently OpenJDK 14.0.2+12-46. Does your issue persist with this Java version?

Username enumeration via response timing: not getting response using repeater with X-Forwarded-For

I'm working on "enumeration via response timing" lab, when I'm using repeater to send an X-Forwarded-For … Origin: https://ace11f691fef2ad580c703dd004a00c5.web-security-academy.net Content-Type: application/x-www-form-urlencoded … deflate Accept-Language: en-US,en;q=0.9 Cookie: session=6jSvJpIgS6Oyz5v3haB4OZvwJpprt9Jr X-Forwarded-For

Lab: Reflected XSS protected by very strict CSP, with dangling markup attack

We believe that we have a new way to solve the lab but are currently running a small competition for … s=46 We will update the official written solution in due course.

how to add X-Forwarded-For and what is columns in Lab Username enumeration via response timing

You can, and need to, manually insert the "X-Forwarded-For:" header into the POST like this: POST … ,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Forwarded-For … : 203.0.113.8 <---- INSERT HERE AND REMOVE THIS COMMENT Content-Type: application/x-www-form-urlencoded … Admins: the main issue I had is in the solution, it states in step 2: "Identify that the X-Forwarded-For … The issue with this is HOW do we identify that X-Forwarded-For is supported, there is nothing in the

Hey, I'm having an error when launching payload

id=wiener Content-Type: application/x-www-form-urlencoded Content-Length: 117 Connection: close Cookie … when calling his office <example os > specifically, an error comes up No handlers could be found for

Issue with "Reflected XSS protected by very strict CSP, with dangling markup attack" lab

Hi, You are correct, some recent Chrome updates have broken the current solution for this lab. … s=46 We will update the official solution in due course.

Lab #5: CSRF where token is tied to non-session cookie & Lab #6: CSRF where token is duplicated in cookie issues

For example, for your email value, use something like "asdf@asdf.asdf".

/change-email" method="POST"> <input type="hidden" name="email" value="exploit2@exploit&#46

my-account/change-email" method="POST"> <input type="hidden" name="email" value="testemail@email&#46

make my private collaborator server works well

host.localdomain startcollab.sh[8806]: 2020-03-23 13:40:21.021 : Received DNS query from [123.456.789.012] for … host.localdomain startcollab.sh[8806]: 2020-03-23 13:40:21.070 : Received DNS query from [123.456.789.012] for … host.localdomain startcollab.sh[8806]: 2020-03-23 13:40:22.830 : Received DNS query from [58.217.249.155] for … [polling.my.collab.com] containing no interaction Mar 23 13:46:27 host.localdomain startcollab.sh[8806 … ]: 2020-03-23 13:46:27.808 : Received DNS query from [123.456.789.012] for [my.collab.com] containing

Lab: CSRF vulnerability with no defenses

The below works for me: <form method="POST" action="https://<LAB-ID>.web-security-academy.net/email … /change-email"> <input type="hidden" name="email" value="test@test.com"> </form> <script

web-security-academy.net/email/change-email"> <input type="hidden" name="email" value="test@test&#46

Academy : Is there a Newbie "Academy 101" How to document / URL

track I really need a pointer to option 2 - practise - Can I use Burp Suite Community Edition for … Create a VM, Install ABC on it, point off to www. … <some academy URL>.com and then watch this video (yes there is on on this) for trying your first scan … Sorry if this is simplistic for most people who come here.. but like Michaelangelo at 87 - I'm still

Lab: HTTP request smuggling, basic CL.TE vulnerability

HTTP/1.1 Host: 0a90006303d9bbc387c5700800820036.web-security-academy.net Content-Type: application/x-www-form-urlencoded

0a3500f90359495b811ec02e002700bc.web-security-academy.net\r\n Connection: keep-alive\r\n Content-Type: application/x-www-form-urlencoded

Add a processing rule

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.105 Safari/537.36 Content-Type: application/x-www-form-urlencoded … Do I need to add a processing rule for hashing and SHA-256? … For example: "Incorrect username or password.

Burp Scaner with form credentials

The Content-Type is: application/x-www-form-urlencoded

SSO with microsoftonline.com

originalRequest rQIIAUXXXXXGm-XXXX....rP4C0 username USER@ENTERPRISE_OFFICE_DOMAIN.com This prompts for … sXXX0T-HXXXxb-FXXXH_cfXXX6-KHXXXX81&cbcxt=&username=USER%40ENTERPRISE_OFFICE_DOMAIN.com&mkt=&lc= with a www-form-urlencoded … ENTERPRISE_OFFICE_DOMAIN.com mkt lc This is followed by a POST to ttps://login.microsoftonline.com/login.srf with www-form-urlencoded

Same site, two different authentication methods (Basic first, then NTLM)

For the sake of example, let's call the site: proxied.site.com When you first connect to the site, … you're redirected to the BIG-IP's proxied.site.com/my.policy page, which wants Basic WWW authentication

solved the lab and not appearing as solved

For what it is worth, the following payload allows me to solve this lab: <html> <! … 0a36000604cbe09885b0273600be00ce.web-security-academy.net/my-account/change-email"> <input type="hidden" name="email" value="test7@hotmail&#46

how do we calculate value for tranfer encoding??

username=carlos HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length

Upload File to Burp Collaborator

Hi, It looks like you are trying to achieve what is described in the articles below: - https://www

In laboratory work, a request for a collaborator is not sent

Hi Andrii, To confirm, some Chrome updates have broken the current solution for this lab. … s=46 We will update the official solution in due course.

Lab: HTTP request smuggling, basic CL.TE vulnerability

Connection: keep-alive Content-Length: 10 Transer-Encoding: chunked Content-Type: application/x-www-form-urlencoded

Lab: CL-TE request smuggling lab is not working with the official solution.

0ac000af04eed935c3233d650017001f.web-security-academy.net Connection: keep-alive Content-Type: application/x-www-form-urlencoded

Lab: CL-TE request smuggling lab is not working with the official solution

HTTP/2 Host: 0a6f004904bb0b7282f5067100c70057.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Lab: 2FA bypass using a brute-force attack

For this lab "Lab: 2FA bypass using a brute-force attack", the solution is great, totally understand … However, I am in Australia, and the latency for the 3 steps to refresh the session is around 4 seconds … Also, I'd love to see a Turbo Intruder solution for this, and how to build in the 3 steps to refresh … q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded … <h2>Session expired</h2> <p>The session you are looking for

+ '/login' urlForTokenPage = url + '/login2' headerObj = { "Content-Type": "application/x-www-form-urlencoded … runThread(): threadArr = [] with ThreadPoolExecutor(max_workers=8) as executor: for … threadArr.append(executor.submit(token)) concurrent.futures.wait(threadArr) if False: for … print(task.result()) runThread() ''' def main(): tokenArr = [str(i).zfill(4) for

Unable to solve: Lab: Exploiting HTTP request smuggling to perform web cache poisoning

/1.1 Host: abcdabcdabcdabcdabcdabcdabcdabcde.web-security-academy.net Content-Type: application/x-www-form-urlencoded … 1.1 Host: exploit-exploitexploitexploitexploitexpl.exploit-server.net Content-Type: application/x-www-form-urlencoded

HTTP1.1 replaced by HTTP/2 in response header?

Every time I send POST / HTTP/1.1 Host: ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Problem with "Lab: HTTP request smuggling, basic CL.TE vulnerability"

Thanks for your help!!! … <br/><br/>Please refer to the following posts for further information: <br/><a href="https://portswigger.net … oc6ENALO7RzoOG4gf7nO3WuACjtMcBsv Sec-WebSocket-Key: BFiL8g7xBMXsqpxcyoIZxg== Content-Type: application/x-www-form-urlencoded … oc6ENALO7RzoOG4gf7nO3WuACjtMcBsv Sec-WebSocket-Key: BFiL8g7xBMXsqpxcyoIZxg== Content-Type: application/x-www-form-urlencoded … See error pane for stack trace.

"Lab: HTTP request smuggling, basic TE.CL vulnerability" need help in understanding

HTTP/1.1 Host: ac2f1f0e1ea3d02180733e8600de008b.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Server-side pause-based request smuggling ISSUE

web-security-academy.net Cookie: session=mAbLimPqmVB5vNGU7notqlDu7ZCsW8O4 Content-Type: application/x-www-form-urlencoded

0a9500d103b3bce3804ce9c5006a0004.web-security-academy.net Connection: keep-alive Content-Type: application/x-www-form-urlencoded

Auditing not calling doActiveScan(...) method via Extensibility API

Hi, Thanks for your reply. … q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost:8000/ Content-Type: application/x-www-form-urlencoded

Incorrect path reported in target sitemap

resource in directory which name is in hiragana (other non-ascii characters are probably problematic too), for … example '<link rel="stylesheet" href="あ/style.css" />': # mkdir www # echo '<! … meta charset="utf-8"><link rel="stylesheet" href="あ/style.css" /></head><body>test</body></html>' > www … /www:/usr/share/nginx/html:ro -p 5000:80 -d nginx 2) browse through Burp to the created webpage (http

Exploiting HTTP request smuggling to perform web cache deception NOT WORKING

HTTP/1.1 Host: ac921f9e1e43510980d00f8c0079000b.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Apple silicon (M3) and Burp Suite Pro crash at launch

14.1.1 and as you can see from the logs, there is some kind of warning, namely: 2023-11-19 09:46 … :35.172 java[4138:107050] WARNING: Secure coding is automatically enabled for restorable state!

CSRF Labs are buggy not working

Hi Manish, If it helps, this is the exploit I am using for the lab 'CSRF where the token is duplicated … my-account/change-email" method="POST"> <input type="hidden" name="email" value="test3@hotmail&#46

Decoding Gzip/Deflate issues

For example this packet: OST /tracker-api/tracker/trackerLog HTTP/1.1 Connection: close Content-Type … : application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Linux; U; Android 6.0; en-au; 5044T Build

Lab: CSRF where token is not tied to user session

Have you tried watching the community solution video for further guidance: https://www.youtube.com/watch … my-account/change-email" method="POST"> <input type="hidden" name="email" value="blah78@blah&#46

Can't pass the "CSRF with broken Referer validation" lab even if my solution works

my-account/change-email" method="POST"> <input type="hidden" name="email" value="attacker10@test&#46

I cannot get the lab to solve, tried to look up several youtube walkthroughs for it as well that come … change-email" method="POST"> <input type="hidden" name="email" value="test2@exploit&#46

i have a problem with Lab: CSRF where token is tied to non-session cookie

click on view exploit it say invalid csrf token when i check the burp i saw that csrf key was still for … my-account/change-email" method="POST"> <input type="hidden" name="email" value="crack2@gmail&#46

HTTP Request Smuggler doesn't work

Thanks for the reply. I tried reinstalling and there was no error. … request with key https0a59006803c8cfd8815d6b8d007700a0.web-security-academy.netGET200HTML: 1 of 1 in 46 … requests =========================================== Other than that, I have no specific settings for … Thank you for your response.

TE.CL smuggling labs - official solutions do not work

Connection: keep-alive Transfer-Encoding: chunked 5b GLOOL / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

'Drop all out-of-scope requests' not behaving as expected

Add an entry, protocol 'Any', Host or IP range '^www\.google\.com$', leave the rest blank 3.

Missing PHP Code Injection Detection

module=login&method=loginForm Content-Type: application/x-www-form-urlencoded Content-Length: 63 Cookie

Issue with "Reflected XSS protected by very strict CSP, with dangling markup attack" Lab

I understand that the current solution for this lab is broken because of Chrome's recent updates. … Here's my payload for reference: ``` <script> location = 'https://0a49005803315b4185f35e92000600e2 … Origin: https://0a49005803315b4185f35e92000600e2.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Lab: CSRF where token is tied to non-session cookie

Cookie: session=**************; csrfKey=************************* Content-Type: application/x-www-form-urlencoded … session=*******************; csrfKey=<<"obtained CSRF cookie HERE">> Content-Type: application/x-www-form-urlencoded

Web Security Academy Issue

For instance "http:/mdsec.net.auth/16/" or "http:/mdsec.net.auth/46/" and all the other links with different

Lab: CSRF vulnerability with no defenses

Hello, going through the lab https://portswigger.net/web-security/csrf/lab-no-defenses, for some reason … web-security-academy.net/email/change-email"> <input type="hidden" name="email" value="test@test&#46

Please review the victim automation for this and other labs. … /change-email" method="POST"> <input type="hidden" name="email" value="wiener@exploited&#46

macOSX V11.2 Big Sur, OWASP BWA and Virtual box--Home Hacking CyberSec Lab

The instructions for installing were relevant to older versions of Virtualbox and older versions of the … r140961 (Qt5.6.3) OWASP BWA = Latest available from Sourceforge, links are in the book and a quick WWW … You can set the the amount of resources that you want for the VM, so don't sweat that too much, except … for the Networking....set that to Bridged Adapter.

Burp's CA certificate is expired

PortSwigger, OU=PortSwigger CA, CN=PortSwigger CA Validity Not Before: Feb 25 10:46 … :51 2014 GMT Not After : May 5 09:46:51 2022 GMT Subject: C=PortSwigger, ST=PortSwigger

Turbo Intruder error

Hi everyone, I've just downloaded Turbo Intruder and was about to use it for the first time. … I chose one of the easiest lab for this purpose: https://portswigger.net/web-security/authentication … Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded … requestsPerConnection=100, pipeline=False ) for … script: https://raw.githubusercontent.com/PortSwigger/turbo-intruder/master/resources/examples/debug.py For

2FA bypass using a brute-force attack

q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Lab: HTTP request smuggling, basic CL.TE vulnerability (Help for a noob)

1.1 Host: yourclientid.web-security-academy.net Connection: keep-alive Content-Type: application/x-www-form-urlencoded

Disable content type changes

further investigation it appears to be a result of Burp rewriting the content type from 'application/x-www-form-urlencoded

Problem about CSRF lab: SameSite Lax bypass via method override

portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-lax-bypass-via-method-override For … my-account/change-email" method="POST"> <input type="hidden" name="email" value="hello@gmail&#46

Burpsuite error or using incorrectily

0 Upgrade-Insecure-Requests: 1 Origin: https://www.kkkkkkkk.com Content-Type: application/x-www-form-urlencoded

Excel Macro & Burp

compatible; MSIE 6.0; Windows NT 5.0)" objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded

Burp Academy: Lab: Authentication bypass via encryption oracle, Missing Error Messages

Instead of the error message, the response now contains the decrypted stay-logged-in cookie, for example … id=wiener">My account</a> //line no. 46 Can you please take a look into this to solve the error. … Thanks for looking into it.

Allowing the symbol "&" to be part of a string, instead of being something else

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Type: application/x-www-form-urlencoded

Lab: CSRF where token is not tied to user session

I did this lab for more than 20 times, but still it is not being shown as solved. … 2 minutes after clicking "Deliver it to Victim" , i clicked on "View Exploit", and it worked for logged … my-account/change-email" method="POST"> <input type="hidden" name="email" value="aefae@eaf1234&#46

Password reset poisoning Lab issue

User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0" 2021-01-18 07:55:46 … User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0" 2021-01-18 07:55:46

usuario: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0 " 2021-01-18 07:55:46

Unable to build http request with header

103.0.5060.134 Safari/537.36, Connection: close, Cache-Control: max-age=0, Content-Type: application/x-www-form-urlencoded

Getting error in DotNet GraphQL application trying to use Create Schedule Item

The input should look something like your first example: {site_id: "46", schedule: {rrule: "", initial_run_time

Exploit Server

my-account/change-email" method="POST"> <input type="hidden" name="email" value="testing@gmail&#46

Lab: 2FA bypass using a brute-force attack doesn't get me a 302

Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded … Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

i solve the lab CSRF where token validation depends on token being present but i site dont show lab solved

my-account/change-email" method="POST"> <input type="hidden" name="email" value="etroon@gmail&#46

Private collaborator server not starting with valid certificates

to deploy a private burp collaborator instance and hitting the following error message: May 23 20:46 … :28 collab java[16727]: 2022-05-23 20:46:28.898 : Using configuration file /etc/collaborator.config … May 23 20:46:29 collab java[16727]: 2022-05-23 20:46:29.077 : No certificate options specified, and we … failed to retrieve the name of the local host to create a self signed certific May 23 20:46:29 collab … at burp.dp.a(Unknown Source) May 23 20:46:29 collab java[16727]: at burp.y6.

the lab dont solve when i click on deliver exploit to victem but its all good dont know the problem

hidden" name="_method" value="POST"> <input type="hidden" name="email" value="Crack@gmail&#46

Active Scan insertion point types & other bugs

I found some issues with the insertion point types setting for active scans. … -The request is very simple - just the header and the form data for the ajax function we are calling … -I disabled all insertion point types for the scan. ------------------------------------------- PPOST … Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT content-type: application/x-www-form-urlencoded … This causes a lot of unnecessary confusion and issues (at least for me).

JRE Warning

The current JRE that is packaged with the platform/installer version of Burp is OpenJDK 14.0.2+12-46

Turbo Intruder: always updating Content-Length header

attack = '''POST / HTTP/1.1 Host: example.com Content-Length: 4 Transfer-Encoding : chunked 46 … For the above script (attack) to work, it's imperative that the 'Content-Length: 4' in the 'attack' request

Lab: Web cache poisoning via ambiguous requests

0aca000f040f309581f4970d014d00cd.exploit-server.net Cookie: session=IFSGVxw3eL6Dvz9lpgELIY7VUo8grQkn; _lab=46% … exploit-0aca000f040f309581f4970d014d00cd.exploit-server.net</h1></body></html> Thank you in advance for

Intruder only works after repeater...sort of

Upgrade-Insecure-Requests: 1 Origin: https://um-auth-qa.auth.eu-west-1.amazoncognito.com Content-Type: application/x-www-form-urlencoded

solved lab show not solved

my-account/change-email" method="POST"> <input type="hidden" name="email" value="test3@hotmail&#46

web-security-academy.net/my-account/change-email"> <input type="hidden" name="email" value="testt@gmail&#46

Password Reset Poisoning via Dangling Markeup

Origin: https://0a3100a703b733a780cdd52400fa00cc.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Bug in the lab: CSRF where token is duplicated in cookie

my-account/change-email" method="POST"> <input type="hidden" name="email" value="ham@di&#46 … my-account/change-email" method="POST"> <input type="hidden" name="email" value="ham@di&#46

Different results Automated Scan vs Manual Active Scan

q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Cannot solve lab "CSRF where token is duplicated in cookie"

change-email" method="POST"> <input type="hidden" name="email" value="wiener@normal-user&#46

CSRF where token is duplicated in cookie

my-account/change-email" method="POST"> <input type="hidden" name="email" value="weiner@evil&#46 … this changes the email on the lab but iv not got my banner, could someone tell me what iv done wrong, for

Error In php Code

Signature does not match session in Command line code:7 Stack trace: #0 {main} thrown in /var/www

Locked due to many failed login attempts as soon as i scan my application

=0 Origin: https://test2.tstraining.com Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded

Browser receives "HTTP/1.0 200 Connection established" from BURP which received "HTTP/1.1 404 Not Found"

Accept-Language: en-CA,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded … Accept-Language: en-CA,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Burp Scanner does not recognize Open Redirect

DEADBEEF6B690E7B865A46CDDEADBEEF.aa_bbb_1_cc_0 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded

302 Redirect Not Picking Up Cookies

server response where i am not getting "Follow Redirection" 48 54 54 50 2f 31 2e 31 20 33 30 32 20 46 … of server response where i am getting "Follow Redirection" 48 54 54 50 2f 31 2e 31 20 33 30 32 20 46

Is it possible to send request from a password reset post to forward to a different email

Sec-Ch-Ua-Platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: https://example.com Content-Type: application/x-www-form-urlencoded

Lab: SameSite Lax bypass via cookie refresh

change-email" method="POST"> <input type="hidden" name="email" value="wiener1@normal-user&#46

Paused-Based Desync Detection reporting HTTP/2 requests

Accept-Encoding: gzip, deflate, br Connection: keep-alive Content-Length: 332 Content-Type: application/x-www-form-urlencoded

Lab: CSRF where token validation depends on request method

web-security-academy.net/my-account/change-email"> <input type="hidden" name="email" value="hacka@a&#46

Burpsuite Pro 8.4 (64-bit linux) doesn't start up properly

Distributor ID: Ubuntu Description: Ubuntu 20.04.5 LTS Release: 20.04 Codename: focal Linux 5.15.0-46

Lab: Exploiting XXE using external entities to retrieve files

13 Cookie: session=aDJvRrAxYrf804mh6rJzMmjl2195R7IN Connection: close Content-Type: application/x-www-form-urlencoded

Burp Suite Professional 2020.7 macOS Mojave 10.14.6 (18G6020) Crashing

Burp worked fine for a few days at first now it crashes every time I try to run the program. … JavaApplicationStub [691] User ID: 503 Date/Time: 2020-07-20 23:46

SameSite Lax bypass via cookie refresh problem the thing is that my exploit its ok when i check the view exploit but when i deliver it wont work

my-account/change-email" method="POST"> <input type="hidden" name="email" value="red@gmail&#46

handshake failure using strong cipher suites

TLSv1.2 -jar /path/to/burpsuite_free_v1.7.10.jar the generated cert is still SHA1withRSA: found key for … , L=London, ST=London, C=GB SerialNumber: [ 00] So I compiled a simple Java HTTPS Server for … testing, created a cert for it with keytool (1024bit RSA AND SHA1with RSA) and guess what - hand shake … smoothly: *** ClientHello, TLSv1.2 RandomCookie: GMT: 1883716619 bytes = { 200, 13, 147, 243, 106, 46

Lab is showing as unsolved even after solving it properly.

change-email" method="POST"> <input type="hidden" name="email" value="attacker005@gmail&#46

problem

change-email" method="POST"> <input type="hidden" name="email" value="attacker4444@gmail&#46

Lab: Username enumeration via response timing - ("X-Forwarded-For:" not working)

Hi, the "X-Forwarded-For:" header is not working, I tried to do lot of researches but no luck. … Origin: https://ac921f4f1ec67a2fc05d23890023008c.web-security-academy.net Content-Type: application/x-www-form-urlencoded … login Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close X-Forwarded-For

Exploiting HTTP request smuggling to perform web cache poisoning - Failing to go to "Solved" status

HTTP/1.1 Host: 0a16007d0305e2b380340869000b001a.web-security-academy.net Content-Type: application/x-www-form-urlencoded … 1.1 Host: exploit-0a190088031de26f8094071201cb00b9.exploit-server.net Content-Type: application/x-www-form-urlencoded

CSRF where token validation depends on request method

my-account/change-email" method="POST"> <input type="hidden" name="email" value="wiener4@user&#46

Lab: SameSite Lax bypass via method override

hidden" name="_method" value="POST"> <input type="hidden" name="email" value="test20@test&#46

Port 25 needed for new SMTP Checks on Private Collaborator Server?

DNS on <ip>:5353 2016-11-21 06:08:05.667 : Listening for HTTP on <ip>:8080 2016-11-21 06:08:05.678 … : Listening for SMTP on <ip>:2525 2016-11-21 06:08:05.688 : Listening for HTTP on <ip>:9090 2016-11 … -21 06:08:05.992 : Listening for SMTPS on <ip>:4465 2016-11-21 06:08:05.996 : Listening for HTTPS on … <ip>:8443 2016-11-21 06:08:06.004 : Listening for HTTPS on <ip>:9443 I attempted to send both 25 … My iptables config: [root@ip-172-30-1-46 burp-collaborator]# iptables -t nat -S -P PREROUTING ACCEPT

How can I send request from a password reset post to forward to a different email

Sec-Ch-Ua-Platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: https://example.com Content-Type: application/x-www-form-urlencoded

CA certificate not working

SHA signature - B4:9C:60:45:4E:27:52:95:11:D1:F4:71:EF:46:3C:6C:EB:A9:86:CB:3B:48:AA:28:77:A5:45:86:8B

Exploiting Ruby deserialization using a documented gadget chain

51%48%4e%77%5a%57%4e%76%4f%68%74%48%5a%57%30%36%4f%6c%4e%30%64%57%4a%54%63%47%56%6a%61%57%5a%70%59%32%46% … 30%61%57%39%75%42%6a%6f%52%51%47%78%76%59%57%52%6c%5a%46%39%6d%63%6d%39%74%53%53%49%67%66%48%4a%74%49% … 63%6d%78%76%63%79%39%74%62%33%4a%68%62%47%55%75%64%48%68%30%42%6a%6f%47%52%56%52%76%4f%77%67%41%4f%68%46%

Unable to filter X-Forwarded-Host with Param Miner Burpsuite Professional v2024.5.5, Lab: Password reset poisoning via middleware

Origin: https://0a39009804c89ab28091da0d004800b9.web-security-academy.net Content-Type: application/x-www-form-urlencoded

[Burp Enterprise] UI is unusable when a big-ish amount of sites are configured

burpsuite_enterprise/enterpriseServer/2022.1-8887 Logs: /var/log/BurpSuiteEnterpriseEdition Log disk space: 46

Lab: Host header authentication bypass seems broken

send the request from repeater, like this one: GET /admin HTTP/1.1 Host: 192.168.0.1 Cookie: _lab=46%

Host header not present - Password reset poisoning via middleware

Origin: https://aca81fc11fb90044c029b70c00d3002f.web-security-academy.net Content-Type: application/x-www-form-urlencoded

HTTP Request Smuggler: Error in thread: Can't find the header: Connection. See error pane for stack trace.

Thanks for your reply. No. This particular error is not for the lab. … See error pane for stack trace. … Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded

Burp 2.0.14 install4j error.log

<init>(ScreenEnvelope.java:46) at com.install4j.runtime.installer.frontend.WizardScreenExecutor$3.run

CSRF labs exploit server delivery doesn't work

my-account/change-email" method="POST"> <input type="hidden" name="email" value="exploit@carlos&#46

Lab Not Responding

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" 172.31.31.23 2020-07-08 08:46

Burp Suite Version Update Issue on Google Cloud

burpsuite_pro_macos_arm64_v2022_8_4.dmg, fileSize=235554672}]}]} [ForkJoinPool.commonPool-worker-3] 2022-09-15 10:19:46 … errorMessage=null, eulaVersion=null, eulaContent=} [ForkJoinPool.commonPool-worker-3] 2022-09-15 10:19:46 … HttpClient@770cbe5d-18] 2022-09-15 10:20:44 INFO bsee.server.alerts.AlertReporter - Sending email for … RUNNING] 2022-09-15 10:29:24 INFO b.s.s.e.EphemeralScanCleanupService - Deleting job and resources for

Lab CORS vulnerability with trusted null origin: CORS missing allow origin

}, { "name": "Content-Type", "value": "application/x-www-form-urlencoded … [], "headersSize": 746, "postData": { "mimeType": "application/x-www-form-urlencoded

Exploiting PHP deserialization with a pre-built gadget chain payload

Signature does not match session in Command line code:7 Stack trace: #0 {main} thrown in /var/www

Stage 2 of Practice exam with SQLMAP 1.7.2

application/signed-exchange;v=b3;q=0.7' \ -H 'accept-language: en-US,en;q=0.9' \ -H 'cookie: _lab=46%

Version 2023.9.1 and 2023.10.2 does not include <vulnerabilityClassifications> in the xml and html reports generated using sparky

v --location 'http://<burp_vm IP>:<SparkyPort>/sparky/report' --header 'Content-Type: application/x-www-form-urlencoded

How do I configure python to proxy through BurpSuite for https?

I have generated and installed a certificate for Burp in my Mac's keychain. … contain an absolute URL - try enabling invisible proxy support&#46

How to install burp suite properly. Java error during installtion.

com.install4j.runtime.installer.Installer.runInProcess(Installer.java:60) at com.install4j.runtime.installer.Installer.main(Installer.java:46

During installation of Enterprise Edition on Ubuntu Linux - setting ownership error

Edition on your computer WARNING Your machine does not appear to meet the minimum system requirements for … For a proof-of-concept installation that can run one scan at a time, we recommend using a machine with … For more information, please refer to the system requirements documentation. … com.install4j.runtime.installer.Installer.runInProcess(Installer.java:61) at com.install4j.runtime.installer.Installer.main(Installer.java:46 … com.install4j.runtime.installer.Installer.runInProcess(Installer.java:61) at com.install4j.runtime.installer.Installer.main(Installer.java:46

Latest Kali Linux Install Failure

com.install4j.runtime.installer.Installer.runInProcess(Installer.java:60) at com.install4j.runtime.installer.Installer.main(Installer.java:46

not able to view log data properly

my internal purpose) 2020-12-16 07:21:46 +0000 "GET / HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (Windows … my internal purpose) 2020-12-16 07:21:46 +0000 "GET /resources/css/academyLabHeader.css HTTP/1.1" 200 … my internal purpose) 2020-12-16 07:46:50 +0000 "GET / HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (Windows … my internal purpose) 2020-12-16 07:46:52 +0000 "GET /resources/images/logoAcademyDark.svg HTTP/1.1" … my internal purpose) 2020-12-16 07:46:52 +0000 "GET /resources/images/ps-lab-notsolved.svg HTTP/1.1

resources for developing plugin for beginers

Is there a resource for creating a basic plugin step by step including a project setup for java/python

Crashing while actively scanning or crawling

Im attaching the debug logs for more info. … false, block=22, wait=543 lock=java.lang.ref.ReferenceQueue$Lock@51307dfe owned by null (-1), cpu=46 … wait=17 lock=java.util.concurrent.SynchronousQueue$TransferStack@68cf2c3f owned by null (-1), cpu=46 … wait=21 lock=java.util.concurrent.SynchronousQueue$TransferStack@2749e1c9 owned by null (-1), cpu=46 … wait=18 lock=java.util.concurrent.SynchronousQueue$TransferStack@68cf2c3f owned by null (-1), cpu=46