Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Found 50 posts in 49 threads

Browser receives "HTTP/1.0 200 Connection established" from BURP which received "HTTP/1.1 404 Not Found"

Accept-Language: en-CA,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded ; charset=UTF-8 Content-Length: 67 Origin: https://www.XXXX.ca DNT: 1 Connection: keep-alive Referer s_vnum=15...%3D5; AMCVS_37...%40AdobeOrg=1; check=true; wz_svgmcv_idnum=92...92_5; s_cc=true; AWSELB=67 Accept-Language: en-CA,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded ; charset=UTF-8 Content-Length: 67 Origin: https://www.XXXX.ca DNT: 1 Connection: close Referer:

Last updated: May 12, 2020 08:30AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab: Modifying serialized data types

%54%7a%6f%30%4f%69%4a%56%63%32%56%79%49%6a%6f%79%4f%6e%74%7a%4f%6a%67%36%49%6e%56%7a%5a%58%4a%75%59%57% 74%39 Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 ??

Last updated: Jul 19, 2023 11:43AM UTC | 8 Agent replies | 15 Community replies | How do I?

HTTP Request Smuggling

The request for "Confirming TE.CL vulnerabilities using differential responses" is given as "POST /search Content-Length: 146 x= 0 POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Content-Length: 11 q=smuggling". Content-Length: 146 x=POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application /x-www-form-urlencoded Content-Length: 11 q=smuggling".

Last updated: Feb 14, 2022 01:54PM UTC | 1 Agent replies | 0 Community replies | How do I?

Unable to build http request with header

103.0.5060.134 Safari/537.36, Connection: close, Cache-Control: max-age=0, Content-Type: application/x-www-form-urlencoded , Content-Length: 67] <type 'java.util.ArrayList'> the value is the same in updatedheader and

Last updated: May 09, 2023 10:43AM UTC | 1 Agent replies | 0 Community replies | Burp Extensions

Modifying serialized objects

Connection: close Cookie: session=%54%7a%6f%30%4f%69%4a%56%63%32%56%79%49%6a%6f%79%4f%6e%74%7a%4f%6a%67% this - Internal Server Error PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www /index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4.

Last updated: Apr 06, 2021 03:26PM UTC | 2 Agent replies | 0 Community replies | How do I?

vulnerable yes or no

POST /dz588q90/xhr/api/v2/collector/beacon HTTP/1.1 Host: www.---------.com Origin: http://example.com : */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 1410 Origin: https://www.--------.com Connection: close Referer: https://www.realself.com /search?

Last updated: Jul 05, 2021 10:20AM UTC | 0 Agent replies | 0 Community replies | How do I?

Academy Leaning Material minor mistake on "Finding HTTP request smuggling vulnerabilities" page.

the heading "Confirming TE.CL vulnerabilities using differential responses" reads as below: POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Content-Length Transfer-Encoding: chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

Last updated: Oct 08, 2021 12:52AM UTC | 0 Agent replies | 0 Community replies | Bug Reports

HTTP smuggling

For example i want to send this request to Confirming TE.CL vulnerabilities: POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Content-Length: 4 Transfer-Encoding : chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded

Last updated: Mar 03, 2022 04:04PM UTC | 2 Agent replies | 2 Community replies | How do I?

why there is an empty line after Content-Length header in http smuggle attacks?

for example : POST /search HTTP/1.1 Host: normal-website.com Content-Type: application/x-www-form-urlencoded

Last updated: Mar 21, 2022 06:13PM UTC | 0 Agent replies | 1 Community replies | How do I?

HTTP Request Smuggling POST Request with Body

response portion starts with a POST request without a body and then smuggles a GET request: POST /search HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded Content-Length Transfer-Encoding: chunked 7c GET /404 HTTP/1.1 Host: vulnerable-website.com Content-Type: application/x-www-form-urlencoded The HTTP Request Smuggler identifies two requests that are subject to smuggling: POST /search HTTP For example if I want to smuggle the following request my prefix variable is set to: '''POST /search

Last updated: May 29, 2020 08:12AM UTC | 1 Agent replies | 0 Community replies | How do I?

Parameter 'search'

LABS: Reflected XSS into HTML context with all tags blocked except custom ones No parameter 'search

Last updated: Oct 26, 2020 08:55AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Lab: CSRF where token is tied to non-session cookie

Cookie: session=**************; csrfKey=************************* Content-Type: application/x-www-form-urlencoded session=*******************; csrfKey=<<"obtained CSRF cookie HERE">> Content-Type: application/x-www-form-urlencoded Went back to the original browser, performed a search from the wiener's page and sent the resulting request search=hat HTTP/2 Host: LAB_ID.web-security-academy.net Cookie: session=****************; csrfKey search=green%0d%0aSet-Cookie:%20csrfKey=YOUR-CSRF_COOKIE HTTP/2 Host: LAB_ID.web-security-academy.net

Last updated: Aug 01, 2024 07:16AM UTC | 6 Agent replies | 8 Community replies | Bug Reports

Tabbed search

I would like to have a single search window and a possibility to perform multiple searches (and leave Preferably with an option in the user options to enable or disable tabbed search.

Last updated: Jul 06, 2022 10:26AM UTC | 2 Agent replies | 1 Community replies | Feature Requests

URL-encoded format--UTF 8

Try using the "Search" tab to search for UTF encoding.

Last updated: Nov 10, 2022 08:31PM UTC | 2 Agent replies | 2 Community replies | How do I?

Burpsuite v2021.10.3 freeze on launch (~30% chance of happening)

java 16.0.2 2021-07-20 Java(TM) SE Runtime Environment (build 16.0.2+7-67) Java HotSpot(TM) 64-Bit Server VM (build 16.0.2+7-67, mixed mode, sharing) Burpsuite v2021.10.3 Edition Windows 10 Home

Last updated: Jan 07, 2022 12:24PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Public post search

I can't find my old post and the search menu only let me go through all results from the beginning of the creation of this website.

Last updated: Jan 10, 2020 10:31AM UTC | 1 Agent replies | 0 Community replies | How do I?

Search among extensions

Howver, I'd deeply appreciate a Search feature in "Extender / BApp Store" (and possibly in the Web version

Last updated: Oct 26, 2018 11:54AM UTC | 1 Agent replies | 0 Community replies | Feature Requests

Search Functionality Results

Searching for a particular string with "Target, Repeater, Proxy, and Organizer" all checked under "Tools". It is not returning the requests that contain that string which have a Source of "Proxy." However, if I uncheck...

Last updated: Aug 11, 2023 07:34AM UTC | 2 Agent replies | 2 Community replies | Bug Reports

Lab Login Not Working

HTTP/1.1 Host: ac201f5c1e42e752809e2e6200c0001f.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 272 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded HTTP/1.1 Host: ac201f5c1e42e752809e2e6200c0001f.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 272 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded zB2ywbNIdngCwKnb9VDN1oh9cfEUBoU5 csrf=rX10ZHqdOj6WbiBu0FPeeuijWtRBjA3t&postId=3&name=Carlos+Montoya&email=carlos%40montoya.com&website

Last updated: Jul 10, 2020 08:07AM UTC | 3 Agent replies | 5 Community replies | How do I?

Lab: Exploiting HTTP request smuggling to perform web cache deception (Solution incorrect)

POST / HTTP/1.1 Host: xxx-your-lab-id-xxx.web-security-academy.net Content-Type: application/x-www-form-urlencoded It was the Repeater results in the Burp Search for "POST /" that eventually returned the API Key....wierd

Last updated: Jun 25, 2021 07:17AM UTC | 4 Agent replies | 7 Community replies | How do I?

Getting started: Failure because Firefox 67 changes always http: to https:

Firefox 67 changes every URL from http: to https: and nothing works.

Last updated: May 29, 2019 04:15PM UTC | 1 Agent replies | 0 Community replies | How do I?

Search regex extract

I'd like to have a way to have Burp Search extract all the values that match a certain regex or results a regex, saving the items without Base64 encoding, opening the file in Sublime, and using its regex search

Last updated: Nov 25, 2020 05:50PM UTC | 2 Agent replies | 0 Community replies | Feature Requests

search results value extraction

Would it be possible to add a grep value extractor, similar to what we have in intruder, to the overall search I may search for all requests with a certain value, but want to be able to see that, or another value in columns of the search window.

Last updated: Jul 10, 2017 01:37PM UTC | 2 Agent replies | 2 Community replies | Feature Requests

Missing parameter in HTTP Smuggling request lab

HTTP/1.1 Host: 0a3a008503e2d7a7c03e1b91006c0030.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 256 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded csrf=6ktYpn9gW0ue6ijaaklQqSO779HLStyO&postId=9&name=Carlos+Montoya&email=carlos%40normal-user.net&website =&comment=test The website parameter is not required, and I tried filling it too but got the same

HTTP/1.1 Host: 0abd00da04a3b710c0c4a56b002200b3.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 256 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded csrf=UtQbWwJvkk6FGXkiLVTdxoJeWdmHDZM7&postId=9&name=Carlos+Montoya&email=carlos%40normal-user.net&website

Last updated: Jun 29, 2022 02:33PM UTC | 2 Agent replies | 1 Community replies | How do I?

Search lacks scanner option

Hello, It would be very useful if there is a tickbox in Burp->Search.

Last updated: Sep 14, 2017 02:34PM UTC | 1 Agent replies | 0 Community replies | Feature Requests

Lab: Exploiting HTTP request smuggling to capture other users' requests

the lab POST / HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 256 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded your-session-token csrf=your-csrf-token&postId=5&name=Carlos+Montoya&email=carlos%40normal-user.net&website

Last updated: Apr 19, 2021 10:55AM UTC | 1 Agent replies | 0 Community replies | How do I?

Lab: Exploiting HTTP request smuggling to capture other users' requests-- not solving

HTTP/1.1 Host: ac4f1f451ed62abd80777fe600120062.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 277 Transfer-Encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded iHYDUuNmTs9b7ShaCEmRBOelvPziCAjp csrf=uWmPlPe18wP9v3eDxqZ9LX5xhe6nez67&postId=7&name=Carlos+Montoya&email=carlos%40montoya.com&website

Last updated: May 04, 2021 08:08AM UTC | 1 Agent replies | 0 Community replies | How do I?

Filter for HTTP verbs in search

Hi guys! I was thinking that it might be useful to be able to filter searches for HTTP verbs (e.g., only POST, only GET, etc.). Thanks!

Last updated: Mar 17, 2022 08:50AM UTC | 2 Agent replies | 1 Community replies | Feature Requests

Additional Proxy History Search Filters

It would be really helpful to be able to specify proxy history searches to be limited to either requests or responses.

Last updated: Mar 19, 2019 12:38PM UTC | 1 Agent replies | 2 Community replies | Feature Requests

Search through nested values

nested insertion points for the scanner which is great but it could be very handy to be able to make search through nested values (ex: to search a string which is encoded in base64).

Last updated: Mar 07, 2018 09:57AM UTC | 0 Agent replies | 0 Community replies | Feature Requests

Crawl Website completely

Hi, I have Burp Suite Professional v2022.9.6 I am trying to crawl and audit my website (using .Net

Last updated: Nov 18, 2022 12:17PM UTC | 2 Agent replies | 1 Community replies | How do I?

Exploiting HTTP request smuggling to capture other users' requests

acc91f4d1faf6485c0b70322000b009b.web-security-academy.net Cookie: session=bWpx0z3BW0qJhvBVGo9kof3BBkwpv3qU Content-Type: application/x-www-form-urlencoded Transfer-encoding: chunked 0 POST /post/comment HTTP/1.1 Content-Length: 600 Content-Type: application/x-www-form-urlencoded csrf=0acHrE7Vw4H9S4DGK3JRjnOWFUM72zfo&postId=9&name=test+4&email=test%40check.com&website=&comment

Last updated: Dec 19, 2022 04:36PM UTC | 7 Agent replies | 8 Community replies | How do I?

UTF-8 search not working

Could you enhance search to cover UTF-8 characters as well?

Last updated: Oct 16, 2017 10:09AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Request Smuggling - Lab does not work

HTTP/2 Host: 0a77006f03accff4c0f8bd7500440032.web-security-academy.net Content-Type: application/x-www-form-urlencoded HTTP/2 Host: 0a77006f03accff4c0f8bd7500440032.web-security-academy.net Content-Type: application/x-www-form-urlencoded 16gRRn6OyG4I9nMQgFEQ1IzbXd7CNPE8 csrf=3fpHaW38HOFKvaNEitgqJWqjvADUgNAM&postId=7&name=qwe&email=qwe2%40qwe.com&website

Last updated: Apr 24, 2023 06:51AM UTC | 4 Agent replies | 4 Community replies | How do I?

Make Search Match better for Comparer

I noticed there is a pre-defined shortcut for "Editor: Go to next search match", which is unfortunately

Last updated: Sep 22, 2017 01:34PM UTC | 1 Agent replies | 0 Community replies | Feature Requests

File search and buttons don't work

I'm currently using the latest stable version of the Windows Desktop version. For some reason, whenever I'm trying to select a wordlist in Intruder or a session file, it doesn't work and all buttons loose all...

Last updated: Oct 30, 2023 09:45AM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Installer fails on linux

0x00007fc60e3e112c, pid=81701, tid=81702 # # JRE version: OpenJDK Runtime Environment (16.0.2+7) (build 16.0.2+7-67 ) # Java VM: OpenJDK 64-Bit Server VM (16.0.2+7-67, mixed mode, tiered, compressed oops, compressed

Last updated: Dec 07, 2021 04:59PM UTC | 2 Agent replies | 1 Community replies | Bug Reports

Restrict search in responses or requests only

awesome, it would be even more awesome if it were possible, when searching for a string, to restrict the search

Last updated: Jan 28, 2019 03:31PM UTC | 1 Agent replies | 1 Community replies | Feature Requests

False Positive Tag Rendering in Burpsuite

I was testing on a website, and found an Reflected XSS, but it seems it's only working if i open request keywords=TESTINGWKWK"><img/src/onerror=prompt(1)>&search=search Burpsuite Response: <a href="index.php resultXML=true&keywords=TESTINGWKWK"><img/src/onerror=prompt(1)>&search=search" Real Website Response JSONLD=true&amp;keywords=TESTINGWKWK%22%3E%3Cimg/src/onerror=prompt(1)%3E&amp;search=search"

Last updated: Sep 03, 2024 04:28PM UTC | 1 Agent replies | 0 Community replies | Bug Reports

Bug in Search Windows using openJDK

Hello dear portswigger team, I have an issue using the Engagement Tools -> Search options. Some times after entering the search word a suggestion window will be created as separate jwindow objects (grey box and white box with digit 1 on the screenshot) and will not be killed after the search windows That means that these additional windows are still open and running after closing the parent search window

Last updated: Oct 13, 2017 03:15PM UTC | 3 Agent replies | 2 Community replies | Bug Reports

How to Search user forum posts

don't mean to sound ignorant but I've been poking around the portswigger support site and can't find a search

Last updated: Jun 29, 2020 07:58AM UTC | 1 Agent replies | 0 Community replies | How do I?

Search feature for named repeater tabs

In addition to that, a search feature for the tab names would be great, since it (quicly) becomes tedious to search for a specific tab when you have 20, 30 or more tabs created.

Last updated: Sep 04, 2020 10:29AM UTC | 1 Agent replies | 0 Community replies | Feature Requests

Burp scan website

Burp scan website has stopped and hasn't been going on for a long time so I assume it has crashed as

Last updated: Nov 12, 2021 09:48AM UTC | 1 Agent replies | 0 Community replies | How do I?

Website Dark Mode

How do I turn on Dark Mode in PortSwigger Website?

Last updated: May 23, 2024 12:57PM UTC | 2 Agent replies | 2 Community replies | How do I?

Add "Search Bapp Store" Box

How about a search box that scans the names and description files to filter down the list.

Last updated: Dec 03, 2019 09:30PM UTC | 2 Agent replies | 2 Community replies | Feature Requests

https website isnt opening

I am running burp suit community version for couple of months in kali. I have also installed CA certificate. and it was working fine. But for couple of days its showing some problems when try to connect with https websites...

Last updated: Mar 06, 2019 08:03AM UTC | 1 Agent replies | 0 Community replies | How do I?

BurnSuite website SSL error

I have configured Firefox to used Burp as proxy and everything works fine, except for one website.

Last updated: Oct 24, 2022 09:26AM UTC | 1 Agent replies | 0 Community replies | Burp Extensions

how do we calculate value for tranfer encoding??

got confused too at first but here is how to calculate it: 1- go to a "String Length Calculator" website username=carlos HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length will get a result : 135 ..... this is in decimal 4- now go to a "decimal to hexadecimal" converter website

Last updated: Feb 02, 2022 11:53AM UTC | 2 Agent replies | 2 Community replies | How do I?

Lab: Exploiting HTTP request smuggling to capture other users' requests

HTTP/1.1 Host: ac4f1f861e1580afc0ad62b3000a0048.web-security-academy.net Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked Content-Length: 251 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded q5cEzGqrR8HXNm4Gdj7YeZl5lAtA2Qun csrf=pVuanGwkuFGLKWvbiMMoF2B99t9iyIwo&postId=4&name=aa&email=a%40a.com&website

Last updated: May 26, 2022 12:16PM UTC | 1 Agent replies | 0 Community replies | How do I?

Search deeper