Burp Suite User Forum


Facebook Telling Me To Install Your Software

WokeWorld | Last updated: Apr 08, 2021 11:13AM UTC

Hi guys, I'm just interested if it's legal for Facebook to be suggesting I install and use your software to verify my bug reports.

Saturday, March 20, 2021 at 1:42 AM

Hi,

We are unable to reproduce the issue as you've described. Specifically, we are rate limited after about 20 requests. While you might be seeing a 200 response, this does not mean that your requests have been successful in affecting any meaningful action. This endpoint is a common source of false positives. Please try the following:

1) Capture the 6 digit entry form request
2) Send it to Burp Repeater
3) Configure it so that your injection point is in the "code" parameter
4) Configure it to enter random 6 digit numeric values
5) Start the attack
6) Around request 25 right click on the response and select "View response in browser"
7) Copy and paste this URL into your browser and observe that you see the following message: "You have tried entering too many codes. Try again later."

Step 7 should clearly demonstrate that you are being rate limited. If you observe different behavior, please record a video clearly showing all of the above steps as well as the time and date on your computer (so we can verify the time window during which the requests were sent) and attach it to this conversation.

Thanks,
Teo Security
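The false-positive pattern the Facebook reply describes, as an added example that is not code from this thread, from Facebook or from PortSwigger: a constructed stand-in for the code endpoint that always answers HTTP 200 and signals lockout only in the body, plus a classifier that judges each response by its body rather than its status. The 20-request threshold and the lockout message are the ones quoted above; the endpoint, the secret code and the account name are constructed.

```python
# Added example, not code from the thread: simulate a 6-digit code endpoint that
# rate limits after 20 attempts (both values come from the Facebook reply above)
# and show why an HTTP 200 is not evidence of a successful guess.
RATE_LIMIT_MSG = "You have tried entering too many codes. Try again later."


class CodeEndpoint:
    """Constructed stand-in for the real endpoint: every reply is a 200, and the
    lockout shows up only in the body, which is exactly the false-positive trap."""

    def __init__(self, secret: str, limit: int = 20) -> None:
        self.secret = secret
        self.limit = limit
        self.attempts: dict[str, int] = {}

    def submit(self, account: str, code: str) -> tuple[int, str]:
        n = self.attempts.get(account, 0) + 1
        self.attempts[account] = n
        if n > self.limit:
            return 200, RATE_LIMIT_MSG
        if code == self.secret:
            return 200, "Code accepted"
        return 200, "Invalid code"


def classify(status: int, body: str) -> str:
    """Judge a response by its body, not by its status code."""
    if RATE_LIMIT_MSG in body:
        return "rate_limited"
    if status == 200 and "Code accepted" in body:
        return "success"
    return "rejected"


def first_rate_limited(responses: list[tuple[int, str]]):
    """1-based index of the first locked-out response, or None if none was seen."""
    for i, (status, body) in enumerate(responses, 1):
        if classify(status, body) == "rate_limited":
            return i
    return None


def run_check(total: int = 30, limit: int = 20) -> dict:
    """Replay `total` wrong guesses (sequential, constructed) and summarise the outcome."""
    endpoint = CodeEndpoint(secret="123456", limit=limit)  # constructed secret
    responses = [endpoint.submit("tester-account", f"{i:06d}") for i in range(total)]
    outcomes = [classify(s, b) for s, b in responses]
    return {
        "all_200": all(s == 200 for s, _ in responses),
        "successes": outcomes.count("success"),
        "first_rate_limited": first_rate_limited(responses),
    }


if __name__ == "__main__":
    print(run_check())  # {'all_200': True, 'successes': 0, 'first_rate_limited': 21}
```

Every response is a 200, yet the body shows the lockout from request 21 onward, which is the check the reply's step 7 asks for.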

Ben, PortSwigger Agent | Last updated: Apr 08, 2021 03:19PM UTC

Hi, We have no issue with anyone recommending using Burp to perform security testing/bug bounties. Our Burp Community edition is freely available so that everyone has the pleasure of experiencing Burp. As an aside, from the content of their email, it sounds like you would want to use Burp Intruder instead of Burp Repeater in order to automate the proposed attack.

WokeWorld | Last updated: Apr 08, 2021 08:40PM UTC

Thanks, I thought that them using the product for business would require a Licence and therefore they should be able to give me a free Commercial Licence, yes?

Ben, PortSwigger Agent | Last updated: Apr 09, 2021 07:05AM UTC

You can accomplish what they are suggesting by using the free Community edition, available for download here: https://portswigger.net/burp/releases#community

Use of the licensed Burp Professional edition (which has several features that are unavailable in the Community edition) would require you to purchase a license from us.
