Burp Suite User Forum


File upload Challenge - file upload returns missing parameter despite all fields filled out

tiptoe | Last updated: Jul 20, 2022 06:57AM UTC

Hi all, Working on the file upload challenge - apprentice. Tried both of the apprentice challenges just with a standard png and jpg file respectively to see what the requests look like, and each time the server returns "Missing Parameter" despite all the form fields being filled out. Can you advise please? Exercises are: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload Thanks, B

Ben, PortSwigger Agent | Last updated: Jul 20, 2022 09:20AM UTC

Hi, Just to clarify, what exact actions are you carrying out when you see this behaviour? Are you able to provide us with some screenshots of the steps you are carrying out so that we can see this more clearly?

tiptoe | Last updated: Jul 21, 2022 12:00AM UTC

Hi, I don't see any upload function on the reply - what's the expected way to upload? The action is to send a POST request to add a comment and an avatar to the web app for the file upload challenge. I tried using both Zap and Burp and got the same error, which was "400 bad request", "Missing parameter". The POST request looks like:

POST https://0a7f000504f827d1c0424ae900280032.web-security-academy.net/post/comment HTTP/1.1
Host: 0a7f000504f827d1c0424ae900280032.web-security-academy.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------242277515412620568343140943805
Content-Length: 1221555
Origin: https://0a7f000504f827d1c0424ae900280032.web-security-academy.net
Connection: keep-alive
Referer: https://0a7f000504f827d1c0424ae900280032.web-security-academy.net/post?postId=2
Cookie: session=BCI2zqZvaQZAOloB1lILM1k8OahP4MV0
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------242277515412620568343140943805
Content-Disposition: form-data; name="csrf"

gaikGL7nyOCV0yH2XUyunR81pKF5Zixb
-----------------------------242277515412620568343140943805
Content-Disposition: form-data; name="postId"

2
-----------------------------242277515412620568343140943805
Content-Disposition: form-data; name="comment"

blah
-----------------------------242277515412620568343140943805
Content-Disposition: form-data; name="name"

blah
-----------------------------242277515412620568343140943805
Content-Disposition: form-data; name="avatar"; filename="orange-logo.jpg"
Content-Type: image/jpeg

ÿØÿà�JFIF��H�H��ÿâICC_PROFILE��� lcms��mntrRGB XYZ Ü����)�9acspAPPL��������������������������öÖ�����Ó-lcms����������������������������������������������� <shortened for brevity>
-----------------------------242277515412620568343140943805
Content-Disposition: form-data; name="user"

/
-----------------------------242277515412620568343140943805
Content-Disposition: form-data; name="csrf"

gaikGL7nyOCV0yH2XUyunR81pKF5Zixb
-----------------------------242277515412620568343140943805--

Response:

HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 19

"Missing parameter"

Thanks for your help.

Ben, PortSwigger Agent | Last updated: Jul 21, 2022 09:59AM UTC

Hi, Apologies - if you need to send screenshots you can send us an email to support@portswigger.net and attach them there (there is no function to provide attachments on our forum). For both labs you can interact with the upload functionality from within your account rather than by adding a comment to a blog post (indeed the solutions to both labs make reference to this).
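As an added illustration (not the lab's code and not written by anyone in this thread): a small multipart/form-data parser followed by a strict per-endpoint required-field check, which is the kind of server-side handling that answers with 400 "Missing parameter" when a field the endpoint expects is absent, plus an extension allowlist on the avatar, the usual mitigation for the web-shell upload the lab is named after. The endpoint paths, the required-field sets, the allowlist and the boundary string are assumptions, not the Academy's implementation.

```python
import re
# Hypothetical per-endpoint required fields, modelled on this thread's request.
REQUIRED = {
    "/post/comment": {"csrf", "postId", "comment", "name"},
    "/my-account/avatar": {"csrf", "avatar", "user"},
}
ALLOWED_EXT = (".jpg", ".jpeg", ".png")  # assumed allowlist for the avatar upload

def parse_multipart(content_type: str, body: bytes) -> dict:
    """Map field name -> (filename or None, raw bytes) for each part."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("no boundary in Content-Type")
    delim = b"--" + m.group(2).encode()
    fields = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):           # closing delimiter reached
            break
        head, _, data = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'; name="([^"]*)"', head)
        if not name: continue                # unnamed part: skip it
        fn = re.search(rb'filename="([^"]*)"', head)
        fields[name.group(1).decode()] = (
            fn.group(1).decode() if fn else None,
            data[:-2] if data.endswith(b"\r\n") else data,  # drop CRLF before next boundary
        )
    return fields

def handle(path: str, content_type: str, body: bytes) -> tuple:
    """Return (status, body) as a strict handler would."""
    fields = parse_multipart(content_type, body)
    if REQUIRED.get(path, set()) - fields.keys():
        return 400, '"Missing parameter"'
    avatar = fields.get("avatar")
    if avatar and not (avatar[0] or "").lower().endswith(ALLOWED_EXT):
        return 400, '"Disallowed file type"'
    return 200, "ok"

BOUNDARY = "constructedboundary"  # constructed; stands in for the browser's boundary

def build(text: dict, files: dict = None) -> bytes:
    """Encode text fields and {name: (filename, bytes)} files as multipart."""
    parts = [(n, None, v.encode()) for n, v in text.items()]
    parts += [(n, fn, d) for n, (fn, d) in (files or {}).items()]
    out = b""
    for name, fn, data in parts:
        out += f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"'.encode()
        if fn:
            out += f'; filename="{fn}"\r\nContent-Type: application/octet-stream'.encode()
        out += b"\r\n\r\n" + data + b"\r\n"
    return out + f"--{BOUNDARY}--\r\n".encode()
```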

Yevgen | Last updated: Sep 15, 2022 03:28PM UTC

Same problem. It is not clear from the instructions, but you have to post not on the blog posts page but click on the top right link "My Account" and login with "wiener:peter" credentials. Then upload your avatar.

Ben, PortSwigger Agent | Last updated: Sep 16, 2022 10:44AM UTC

Hi, The solution itself specifies that you need to log into your user account and interact with the upload functionality within the account area - the idea being the description provides a high level overview of what is required but does not necessarily give too much away, whilst the solution provides a more step by step guide for those that get stuck or need some further guidance. Are you finding that the description is not specific enough?
