Burp Suite User Forum


Examples of business logic vulnerabilities

jbcui | Last updated: Sep 06, 2020 09:34PM UTC

Hello! When I try to complete lab https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-broken-logic at the step to brute force the 2FA code, I receive a 400 code after some tries and a message like this:
"HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Set-Cookie: session=ZPgLZU8mP3uAmZlNmRPchOsqf6S2dPkh; Path=/; Secure; HttpOnly
Connection: close
Content-Length: 60
"Invalid CSRF token (session does not contain a CSRF token)""

Ben, PortSwigger Agent | Last updated: Sep 08, 2020 07:28AM UTC

Hi, are you able to provide us with details of the steps that you have taken to try and solve this lab? At what point are you getting the 400 Bad Request response? Have you watched the following video solution to check that the steps you are trying are correct: https://www.youtube.com/watch?v=btqm9-swsvU

jbcui | Last updated: Sep 08, 2020 08:30AM UTC

1. I was brute-forcing Carlos's password.
2. I was brute-forcing the 2FA code, but often after 7000 of 10000 requests my CSRF token had expired.
3. Often I got a 302 response, but after this response I received a 400 response and needed to start over.
Thanks for the video solution.

Sean | Last updated: Sep 09, 2020 03:41AM UTC

I am having the same problem. Using the Community Edition, the iteration is quite a bit slower than what's in the video. I tried again with a python script that is quicker with the attempts, but it still times out before I can get the correct code and I get a 400 response. There is not much consistency as to when the timeouts occur. I managed nearly 7000 attempts once, and got less than 100 another time. I usually get at least several hundred but rarely get more than about 1000. The user in the video also started getting 400 responses as well (see 4:25).

Ben, PortSwigger Agent | Last updated: Sep 09, 2020 02:00PM UTC

Hi both, if you are receiving the 302 response, that means you have found the correct passcode and can complete the lab; any requests after that will return a 400 status. Are you receiving a single 302 response each time that you run the Intruder attack? If you are using the Burp Community edition and are finding it too slow (Intruder is throttled in this edition of Burp), then you might have a better experience using the Turbo Intruder extension.
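
As an added, defender-side illustration (not code from the lab or from PortSwigger), the sketch below shows the control whose absence makes a 2FA code check brute-forceable: an attempt cap on each pending login, plus a one-shot challenge that produces the "400 after the 302" behaviour Ben describes. The class and function names, the status codes and the five-attempt limit are assumptions for this example.

```python
# Added example: server-side MFA code verification with an attempt cap.
# Nothing here is the lab's own code; names and limits are assumptions.
import hmac
from dataclasses import dataclass


MAX_ATTEMPTS = 5  # assumed lockout threshold per pending login


@dataclass
class PendingLogin:
    """State created after a correct password, before the MFA code is checked."""
    username: str
    expected_code: str   # constructed sample; real systems derive this from TOTP/SMS
    attempts: int = 0
    locked: bool = False


class MfaVerifier:
    def __init__(self):
        self.pending = {}  # session_id -> PendingLogin

    def start(self, session_id, username, expected_code):
        """Called once the password step succeeded; binds the challenge to the session."""
        self.pending[session_id] = PendingLogin(username, expected_code)

    def verify(self, session_id, submitted_code):
        """Return (status, detail). Loosely mirrors the lab's HTTP outcomes:
        302 = correct code, 400 = no pending challenge for this session."""
        challenge = self.pending.get(session_id)
        if challenge is None:
            return 400, "no pending MFA challenge for this session"
        if challenge.locked:
            return 403, "too many attempts; log in again"
        challenge.attempts += 1
        # Constant-time compare so response timing does not leak matching digits.
        if hmac.compare_digest(challenge.expected_code, submitted_code):
            # The challenge is consumed: a second submission now gets 400,
            # which is the post-302 behaviour seen in the thread.
            del self.pending[session_id]
            return 302, challenge.username
        if challenge.attempts >= MAX_ATTEMPTS:
            challenge.locked = True  # further guesses, even the right one, are refused
            return 403, "too many attempts; log in again"
        return 401, "incorrect code"
```

With the cap in place a 10000-code search cannot complete against one pending login; without it (the lab's situation) only the rate of the client limits the search.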

Sean | Last updated: Sep 10, 2020 01:07AM UTC

I haven't discovered a 302 response yet, but I'll give Turbo Intruder a shot. Thank you!
