Burp Suite User Forum


Burp Academy: Lab: Authentication bypass via encryption oracle, Missing Error Messages

Robert | Last updated: Jan 12, 2022 01:49PM UTC

I'm trying to complete the lab "Authentication bypass via encryption oracle" without success. I followed the regular solution, as well as the community-based video, but it seems that I don't receive any error messages when I try to cut the encrypted base64 notification cookie and decrypt it (step 9 in the regular solution). Instead, I receive an HTTP 200 with the "notification-header" tag empty. Can someone reproduce this issue?

Rick | Last updated: Jan 12, 2022 08:38PM UTC

Hey Robert,

I was going to post this as well because I've been seeing this issue for 3 days now. The issue is as you mention: there are no error messages when the notification input is 'corrupt' (e.g., removing any byte(s) from the encrypted notification token does not result in a helpful error message).

Kind regards,
Rick

Michelle, PortSwigger Agent | Last updated: Jan 13, 2022 08:42AM UTC

Hi both,

Thanks for taking the time to get in touch and highlight this one. We are already aware of it and are working on a fix. I'll post back here when the fix is released.

Michelle, PortSwigger Agent | Last updated: Jan 28, 2022 11:02AM UTC

Hi,

We have fixed the issues in this lab so you should now see the error message mentioned in step 9.

Roland | Last updated: Nov 12, 2023 07:22PM UTC

Hello, I am having this problem. I followed the regular solution and notification-header tag is returning empty. For reference, this is the request that I used:

GET /post?postId=9 HTTP/2
Host: 0a9d00a904243ddd8206ba9900dd0073.web-security-academy.net
Cookie: notification=s1j%2bhXe5j2lvk9c6VrLhOzjgRWQlik6rnYjFc8e%2f%2bFg%3d; session=kSZaA9PkoKobBe0ONb8Ubkszj19wfwbi; stay-logged-in=s1j%2bhXe5j2lvk9c6VrLhOzjgRWQlik6rnYjFc8e%2f%2bFg%3d
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0a9d00a904243ddd8206ba9900dd0073.web-security-academy.net/post?postId=9
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

Michelle, PortSwigger Agent | Last updated: Nov 13, 2023 09:32AM UTC

Hi,

Can you describe the steps you took when obtaining a stay-logged-in cookie to paste in as the notification cookie?

Carson | Last updated: Jul 07, 2024 01:28PM UTC

This lab is still having the same issue as: Roland | Last updated: Nov 12, 2023 07:22PM UTC

Hello, I am having this problem. I followed the regular solution and notification-header tag is returning empty. For reference, this is the request that I used:

GET /post?postId=9 HTTP/2
Host: 0a9d00a904243ddd8206ba9900dd0073.web-security-academy.net
Cookie: notification=s1j%2bhXe5j2lvk9c6VrLhOzjgRWQlik6rnYjFc8e%2f%2bFg%3d; session=kSZaA9PkoKobBe0ONb8Ubkszj19wfwbi; stay-logged-in=s1j%2bhXe5j2lvk9c6VrLhOzjgRWQlik6rnYjFc8e%2f%2bFg%3d
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://0a9d00a904243ddd8206ba9900dd0073.web-security-academy.net/post?postId=9
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

The steps taken reflect the ones from the guides/solutions provided. The lab is broken.

Carson | Last updated: Jul 07, 2024 01:43PM UTC

When submitting this request, the notification parameter vanishes and is never reflected in response.

Ben, PortSwigger Agent | Last updated: Jul 08, 2024 08:31AM UTC

Hi Carson, I have just replied to the email that you have sent us about this issue - it would probably be more useful to follow up there so that you can attach screenshots etc. We look forward to hearing from you in due course.
