Burp Suite User Forum


Getting Started website instructions aren't working

Paul | Last updated: Jan 13, 2022 05:21PM UTC

The BurpSuite documentation web page https://portswigger.net/burp/documentation/desktop/getting-started/intercepting-http-traffic explains how to modify a request in Burp Proxy. The instructions say to open the embedded Chromium browser and navigate to https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls. I'm instructed to click the Access the lab button on that page, and log in with the username "wiener" and the password "peter". The instructions state, "Notice that you have just $100 of store credit." That's not the response that I'm getting when I enter that username and password. I get the response "Login failed".

Ben, PortSwigger Agent | Last updated: Jan 13, 2022 07:12PM UTC

Hi Paul, Are you logged into your user account on portswigger.net when you launch the lab? You need to be logged in to your user account in order to access the Web Academy labs so I am wondering whether the login prompt that you are seeing is for your portswigger.net account rather than that of the lab. What is the URL of the login page that you see - does it start https://portswigger.net or is it similar to https://acdc1fc21e0092cbc0c3b9e000b300ac.web-security-academy.net?

Paul | Last updated: Jan 13, 2022 08:42PM UTC

Hi, Ben, Yes, I'm logged in to my PortSwigger account when following the tutorial. In fact, just for the sake of thoroughness, I just logged out of my account, closed all apps, and started fresh by logging in again at https://portswigger.net/users. Once I was successfully logged in, I navigated to the tutorial page at https://portswigger.net/burp/documentation/desktop/getting-started/intercepting-http-traffic. As before, the first part of the tutorial worked (intercepting HTTP traffic), but the second part did not (modifying requests). When I entered the address https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls in the embedded Chromium browser, it took me to a page whose URL begins with portswigger.net/web-security/logic-flaws/examples... On that page, when I clicked the button labeled "Access the lab", it took me to a web page whose URL begins with portswigger.net/users... Based on your reply, it sounds like the tutorial instructions may be missing a step. Where it says to open the embedded Chromium browser by clicking the "Open Browser" button under the Proxy tab, the instructions may need to be modified to have the user log in a second time to the portswigger.net site, before proceeding with the rest of the tutorial.

Ben, PortSwigger Agent | Last updated: Jan 14, 2022 10:48AM UTC

Hi Paul, Thank you for the in-depth explanation. I think the issue is that you will have to log in again if you are accessing the labs from within the embedded browser (I am assuming you might have initially logged into your user account on a different browser? Please correct me if I am wrong). If you open the embedded browser, navigate to https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-excessive-trust-in-client-side-controls and then click the 'Access the lab' button you will need to log in to your user account first because the session information will not have carried over from any other browser you might have initially used (if that is indeed what has happened) and the Web Academy will treat you as an unauthenticated user and direct you to log in to a user account (via the https://portswigger.net/users.. URL). We have the following text in the 'Getting started' page https://portswigger.net/burp/documentation/desktop/getting-started/intercepting-http-traffic that tries to cover this: "Launch the embedded browser and use it to access the following URL, logging in if prompted" Do you think that this needs to be clearer and we should actually specify logging in when clicking the 'Access the lab' button?

Paul | Last updated: Jan 14, 2022 02:37PM UTC

Hi, Ben, Thank you for the explanation. Now I understand the source of my confusion. Where the instructions say "Launch the embedded browser and use it to access the following URL, logging in if prompted", I launched the embedded browser, pasted in the URL, and got taken to a page with the header "Lab: Excessive trust in client-side controls" that displays the message "You can log in to your own account using the following credentials: wiener:peter". But that login didn't work, because I didn't understand that the phrase "logging in if prompted" was referring to logging in with my actual username and password at portswigger.net, not where it prompts me to enter "wiener" and "peter". I think a slight tweak to the instructions may be helpful. Instead of stating "Launch the embedded browser and use it to access the following URL, logging in if prompted", the instructions might state "Launch the embedded browser, navigate to portswigger.net and log in to your account, and then navigate to the following URL and enter the username 'wiener' and the password 'peter'". Thank you for your helpful responses to my questions. I've now been able to follow the entire tutorial for intercepting and modifying HTTP requests. —Paul

Liam, PortSwigger Agent | Last updated: Jan 17, 2022 11:46AM UTC

Thanks for following up, Paul. I've passed on your suggestions to our technical writing team.
