The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Academy lab "Blind SQL injection with time delays and information retrieval" times out

Alysson | Last updated: Feb 21, 2021 11:31PM UTC

In a manner similar to my other report (https://forum.portswigger.net/thread/academy-lab-blind-sql-injection-with-conditional-responses-times-out-0a70cd95), this lab also times out after about 390 requests are sent. The problem in this one is that not even Burp Pro edition will cut it. The user is required to send all requests using one thread in any case, and more than 700 requests have to be sent. At some point the server starts to return a 504 response with the message "Server Error: Gateway Timeout (0) connecting to SERVER_ID.web-security-academy.net". I can safely assume this lab is broken right now. Is there something you can do to resolve this situation?

Michelle, PortSwigger Agent | Last updated: Feb 22, 2021 03:11PM UTC

Thanks for getting in touch. When you start the attack in Intruder, what response times are you seeing for the majority of the responses (excluding the one where the intended delay occurs)? How many characters within the password have you identified before you start seeing the timeout messages?

Alysson | Last updated: Feb 24, 2021 06:02PM UTC

I was able to retrieve 9 characters before the 504 message was returned. I could not save the attack results, so I do not know at this time what the response times involved were. I'm positive that the attack would have worked if it was somehow given enough time to complete, though.

Michelle, PortSwigger Agent | Last updated: Feb 25, 2021 03:13PM UTC