Burp Academy: Lab: Authentication bypass via encryption oracle, Missing Error Messages

Robert | Last updated: Jan 12, 2022 01:49PM UTC

I'm trying to complete the lab "Authentication bypass via encryption oracle" without success. I followed the regular solution, as well as the community-based video, but it seems that I don't receive any error messages when I try to cut the encrypted base64 notification cookie and decrypt it (step 9 in the regular solution). Instead, I receive an HTTP 200 with the "notification-header" tag empty. Can someone reproduce this issue?

Rick | Last updated: Jan 12, 2022 08:38PM UTC

Hey Robert, I was going to post this as well because I've been seeing this issue for 3 days now. The issue is as you mention: there are no error messages when the notification input is 'corrupt' (e.g., removing any byte(s) from the encrypted notification token does not result in a helpful error message). Kind regards, Rick

Michelle, PortSwigger Agent | Last updated: Jan 13, 2022 08:42AM UTC

Hi both. Thanks for taking the time to get in touch and highlight this one. We are already aware of it and are working on a fix. I'll post back here when the fix is released.

Michelle, PortSwigger Agent | Last updated: Jan 28, 2022 11:02AM UTC

Hi. We have fixed the issues in this lab, so you should now see the error message mentioned in step 9.

Roland | Last updated: Nov 12, 2023 07:22PM UTC

Hello, I am having this problem. I followed the regular solution and the notification-header tag is returning empty. For reference, this is the request that I used:

    GET /post?postId=9 HTTP/2
    Host: 0a9d00a904243ddd8206ba9900dd0073.web-security-academy.net
    Cookie: notification=s1j%2bhXe5j2lvk9c6VrLhOzjgRWQlik6rnYjFc8e%2f%2bFg%3d; session=kSZaA9PkoKobBe0ONb8Ubkszj19wfwbi; stay-logged-in=s1j%2bhXe5j2lvk9c6VrLhOzjgRWQlik6rnYjFc8e%2f%2bFg%3d
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://0a9d00a904243ddd8206ba9900dd0073.web-security-academy.net/post?postId=9
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    Te: trailers

Michelle, PortSwigger Agent | Last updated: Nov 13, 2023 09:32AM UTC

Hi. Can you describe the steps you took when obtaining a stay-logged-in cookie to paste in as the notification cookie?

