Burp Suite User Forum

Issue on Lab: Partial construction race conditions

João | Last updated: Aug 12, 2023 10:14AM UTC

Hi team,

After successfully exploiting the race condition and being able "to bypass email verification and register with an arbitrary email address" (I got the user registration is successful message), I am still not able to log in with the newly created account ("Invalid username or password").

Moreover, after being stuck and trying different options without success, I've checked your Solution and, although I've used a different TI script (and engine, THREADED instead of BURP2), the behaviour is consistent with the intended solution... apart from the fact that I can't log in. Finally, trying your solution (copy/paste) also didn't help.

With this being said, I'd appreciate your support, since there's apparently some sort of bug in this Lab.

Thank you!

Best regards,
João

Michelle, PortSwigger Agent | Last updated: Aug 14, 2023 01:50PM UTC

Hi,

I've just run through this lab and could log in with the credentials obtained from the attack. When the POST /register request is sent and receives a response that contains 'Please check your emails for your account registration link', what are you then seeing as the response to the follow-up POST /confirm?token[] request?

Can you send some screenshots of the requests and your intruder attack to support@portswigger.net so we can take a closer look?