Burp Suite User Forum


Issue in an Academy Lab

Viktor | Last updated: Jan 04, 2024 04:12PM UTC

Hello, it would seem that there is an issue with the lab "Exploiting server-side parameter pollution in a REST URL". After the request for the passwordResetToken is submitted, the response does not have a valid password reset token but the value is null.

Payload user:
csrf=rHNJ6uYSDiGqDlMc5eYu9RMfjQWmVrQK&username=carlos%2f..%2f..%2f..%2fv1%2fusers%2fadministrator%2ffield%2fpasswordResetToken%23

Response:
HTTP/1.1 500
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Encoding: gzip
Content-Length: 120

{ "error": "Unexpected response from API server:\n{\n \"type\": \"passwordResetToken\",\n \"result\": null\n}" }

This also happens if I use the example payload from the solution page.

Michelle, PortSwigger Agent | Last updated: Jan 05, 2024 09:20AM UTC

Hi, I've just run through the lab and could solve it using the provided solution. I used the suggested payload from the solution, so the whole line looked like this:
csrf=SgHtyMMe996rqgWWRsXggM4u3fYWq4Wh&username=../../v1/users/administrator/field/passwordResetToken%23

If you're still having issues, can you send an email to support@portswigger.net with screenshots or a screen recording of the steps you're taking?
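As an added illustration (not code from the lab or from PortSwigger), the Python below contrasts the bug class behind this lab, a front end splicing a decoded username straight into an internal REST path, with a hardened builder that treats the username as a single opaque segment. The internal API host name and the route layout are assumptions; the traversal string is the solution payload from the thread, URL-decoded.

```python
import posixpath
from urllib.parse import quote, urlsplit

# Assumed stand-in for the internal API the front end proxies to (not the lab's real host).
API_BASE = "http://internal-api"

# Solution payload from the thread, as the front end sees it after URL-decoding (%23 -> '#').
TRAVERSAL = "../../v1/users/administrator/field/passwordResetToken#"


def vulnerable_reset_url(username: str) -> str:
    """The bug class: the decoded username becomes part of the path, so '..' and '#' reroute it."""
    return f"{API_BASE}/v1/users/{username}/field/passwordResetToken"


def is_safe_username(username: str) -> bool:
    """Allowlist: one opaque path segment, never a path. '.' and '..' are not usernames."""
    if not username or username in (".", ".."):
        return False
    return all(c.isalnum() or c in "-_." for c in username)


def hardened_reset_url(username: str) -> str:
    """Validate, then percent-encode so '/', '#' or '?' can never change the route."""
    if not is_safe_username(username):
        raise ValueError("invalid username")
    # quote() with safe="" encodes "/" too (the default keeps it), which is what we want here.
    return f"{API_BASE}/v1/users/{quote(username, safe='')}/field/passwordResetToken"


def effective_endpoint(url: str) -> str:
    """Path the API server would actually serve: the fragment is dropped and '..' collapsed."""
    return posixpath.normpath(urlsplit(url).path)


if __name__ == "__main__":
    # A normal username keeps the intended route; the traversal rewrites it to another user's field.
    print(effective_endpoint(vulnerable_reset_url("carlos")))
    print(effective_endpoint(vulnerable_reset_url(TRAVERSAL)))
    print(hardened_reset_url("carlos"))
    print(is_safe_username(TRAVERSAL))
```

Running `effective_endpoint` on both builders is a quick way to see why the fix belongs in the front end: the API server cannot tell a traversed path from a legitimate one.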

Viktor | Last updated: Jan 08, 2024 11:29AM UTC

Thank you, I've just sent an email.

Michelle, PortSwigger Agent | Last updated: Jan 08, 2024 11:59AM UTC

Thanks :) We've got your mail. We'll take a look and be in touch soon.
