The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Burp Academy: Lab: Authentication bypass via encryption oracle, Missing Error Messages

Robert | Last updated: Jan 12, 2022 01:49PM UTC

I'm trying to complete the lab "Authentication bypass via encryption oracle" without success. I followed the regular solution, as well as the community-based video, but it seems that I don't receive any error messages when I try to cut the encrypted base64 notification cookie and decrypt it (step 9 in the regular solution). Instead, I receive an HTTP 200 with the "notification-header" tag empty. Can someone reproduce this issue?

Rick | Last updated: Jan 12, 2022 08:38PM UTC

Hey Robert, I was going to post this as well because I've been seeing this issue for 3 days now. The issue is as you mention: there are no error messages when the notification input is 'corrupt' (e.g., removing any byte(s) from the encrypted notification token does not result in a helpful error message). Kind regards, Rick

Michelle, PortSwigger Agent | Last updated: Jan 13, 2022 08:42AM UTC

Hi both, thanks for taking the time to get in touch and highlight this one. We are already aware of it and are working on a fix. I'll post back here when the fix is released.

Michelle, PortSwigger Agent | Last updated: Jan 28, 2022 11:02AM UTC

Hi, we have fixed the issues in this lab, so you should now see the error message mentioned in step 9.

Roland | Last updated: Nov 12, 2023 07:22PM UTC

Hello, I am having this problem. I followed the regular solution and notification-header tag is returning empty. For reference, this is the request that I used:

    GET /post?postId=9 HTTP/2
    Host: 0a9d00a904243ddd8206ba9900dd0073.web-security-academy.net
    Cookie: notification=s1j%2bhXe5j2lvk9c6VrLhOzjgRWQlik6rnYjFc8e%2f%2bFg%3d; session=kSZaA9PkoKobBe0ONb8Ubkszj19wfwbi; stay-logged-in=s1j%2bhXe5j2lvk9c6VrLhOzjgRWQlik6rnYjFc8e%2f%2bFg%3d
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://0a9d00a904243ddd8206ba9900dd0073.web-security-academy.net/post?postId=9
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    Te: trailers

Michelle, PortSwigger Agent | Last updated: Nov 13, 2023 09:32AM UTC

Hi, can you describe the steps you took when obtaining a stay-logged-in cookie to paste in as the notification cookie?

Carson | Last updated: Jul 07, 2024 01:28PM UTC

This lab is still having the same issue as:

Roland | Last updated: Nov 12, 2023 07:22PM UTC

Hello, I am having this problem. I followed the regular solution and notification-header tag is returning empty. For reference, this is the request that I used:

    GET /post?postId=9 HTTP/2
    Host: 0a9d00a904243ddd8206ba9900dd0073.web-security-academy.net
    Cookie: notification=s1j%2bhXe5j2lvk9c6VrLhOzjgRWQlik6rnYjFc8e%2f%2bFg%3d; session=kSZaA9PkoKobBe0ONb8Ubkszj19wfwbi; stay-logged-in=s1j%2bhXe5j2lvk9c6VrLhOzjgRWQlik6rnYjFc8e%2f%2bFg%3d
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://0a9d00a904243ddd8206ba9900dd0073.web-security-academy.net/post?postId=9
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    Te: trailers

The steps taken reflect the ones from the guides/solutions provided. The lab is broken.

Carson | Last updated: Jul 07, 2024 01:43PM UTC

When submitting this request, the notification parameter vanishes and is never reflected in response.

Ben, PortSwigger Agent | Last updated: Jul 08, 2024 08:31AM UTC

Hi Carson, I have just replied to the email that you have sent us about this issue - it would probably be more useful to follow up there so that you can attach screenshots etc. We look forward to hearing from you in due course.

Ved | Last updated: Jul 31, 2024 06:45PM UTC

Hi team, I am also facing the same issue as Carson: when submitting this request, the notification parameter vanishes and is never reflected in the response. Actually, we are getting stuck at step 5 itself:

5. In the decrypt request, copy your stay-logged-in cookie and paste it into the notification cookie. Send the request. Instead of the error message, the response now contains the decrypted stay-logged-in cookie, for example: wiener:1598530205184 This reveals that the cookie should be in the format username:timestamp. Copy the timestamp to your clipboard.

Once we send the decrypt request, the notification cookie automatically gets deleted in the request itself and we are not getting the timestamp as expected in the response. As a result, we are getting only wiener here:

    <a href="/my-account?id=wiener">My account</a> //line no. 46

Can you please take a look into this to solve the error? Thanks for looking into it.

Ved | Last updated: Jul 31, 2024 07:25PM UTC

Dear Team, I found one workaround for the issue: use ; before the notification cookie, e.g.

    Cookie: ; notification=notification_cookie; session:---; stay-logged-in:---

This is working for now.

Michelle, PortSwigger Agent | Last updated: Aug 01, 2024 01:59PM UTC