Burp Suite User Forum

Academy lab "Blind SQL injection with conditional responses" times out

Alysson | Last updated: Feb 19, 2021 11:53PM UTC

This lab cannot be completed with a community edition of Burp Suite as it stands today. Due to the limit of just one thread when using the Intruder function, the sheer number of SQLi requests that have to be sent and received (exactly 546 in my case) takes such a long time that the server simply starts returning a 504 gateway timeout response. I was able to send 390 requests before reaching the point at which the server decides not to respond anymore. I need to perform all requests in order to extract the password required to complete the challenge. You could either extend the time the server remains online for the session or disclose that the completion of this challenge requires Burp Pro. Can this be solved?

Uthman, PortSwigger Agent | Last updated: Feb 22, 2021 03:00PM UTC

Hi Alysson, if you wait ~15 mins for the lab to reset and try again, does your issue persist?

Paul | Last updated: Mar 12, 2021 01:07AM UTC

I agree that there should be small print somewhere stating that completion of this lab and many others requires Burp Pro. Secondly, I get that this is simulating a real event and therefore it's better to be as realistic as possible, but to set a password length of 20 characters with 720 combinations to go through - on a community edition isn't going to end well. This is just my opinion and feedback on the academic resources. Again, I'm grateful for the resources to learn and I do understand that I need to find other resources to add to my knowledge, but by the time I've discovered all 20 characters the lab times out and I have to do it all over again (because the password has changed).