The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: Exploiting a mass assignment vulnerability doesn't allow POST reqs

Mauro | Last updated: Jul 29, 2024 01:03PM UTC

Hello, When trying to solve this lab following the given solution, after sending a POST /api/checkout request, I got a 400 Bad Request Error: {"error": "Malformed URL: query only supported with GET"}. Is this intended? Without being able to send POST requests to that endpoint, I can't modify the object properties and solve the lab as shown. Am I missing something here? Thanks.

Dominyque, PortSwigger Agent | Last updated: Jul 30, 2024 08:28AM UTC

Hi Mauro, I have just attempted the lab and can confirm that the POST requests do work. Please see the screenshot: https://snipboard.io/FUQfzT.jpg Can you please send me a screenshot of the POST request you are sending?

f1owin | Last updated: Sep 15, 2024 08:55PM UTC

Hi, I receive the same error as Mauro: https://imgur.com/a/NzlbZ3Y I am going to wait for the lab to shut down and try again; maybe we broke it somehow before finding the solution.

Ben, PortSwigger Agent | Last updated: Sep 17, 2024 10:43AM UTC

Hi, What does the Raw version of that request look like?

f1owin | Last updated: Sep 17, 2024 05:17PM UTC

Hi, thanks for your reply! The raw representation is appended to the bottom of the message. There is another behaviour which seems to be unintended. After starting the lab I can only try to order the jacket in the first couple of seconds (resulting in the "not enough credits" response). When I try later to order via the UI again, after pressing the "Place order" button the application requests "https://<id>.web-security-academy.net/null", which results in a 404 response with a "Not Found" string in the response body. Google Chrome then just renders the "Not Found" string.

POST /api/checkout HTTP/2
Host: 0a6b00bc0456b0d682a52a7e00fa007c.web-security-academy.net
Cookie: session=rXRXMdEAch5xwpx51Y6p7P5S27dcWdiq
Content-Length: 155
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Content-Type: text/plain;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Accept: */*
Origin: https://0a6b00bc0456b0d682a52a7e00fa007c.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a6b00bc0456b0d682a52a7e00fa007c.web-security-academy.net/cart
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Priority: u=1, i

{"chosen_discount":{"percentage":100},"chosen_products":[{"product_id":"1","name":"Lightweight \"l33t\" Leather Jacket","quantity":1,"item_price":133700}]}
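The request body above sets chosen_discount.percentage to 100 and carries the item_price, which is exactly the kind of client-supplied object a mass-assignment-prone checkout handler binds straight onto the server-side order. The following is an added example, not code from the lab, from PortSwigger, or from anyone in this thread: a minimal checkout handler written two ways, a vulnerable one that spreads the whole request body into the order, and a hardened one that reads only product_id and quantity from the client and takes prices and discounts from server-side data. The cart, credit balance, discount code table and field names other than those in the posted JSON are constructed for the example.

```javascript
// Added example (not the lab's code). Amounts are in the smallest currency
// unit, matching the "item_price": 133700 in the posted request body.

// Constructed server-side state: what the server knows about this user.
const SERVER_CART = {
  user: "wiener",
  credits: 10000,
  items: [
    { product_id: "1", name: 'Lightweight "l33t" Leather Jacket', quantity: 1, item_price: 133700 },
  ],
  discount: { percentage: 0 },
};

// Constructed table of discount codes the server actually recognises.
const DISCOUNT_CODES = { NEWCUST5: 5 };

// The body posted in the thread, with chosen_discount set to 100% by the client.
const ATTACKER_BODY = JSON.parse(
  '{"chosen_discount":{"percentage":100},"chosen_products":[{"product_id":"1",' +
    '"name":"Lightweight \\"l33t\\" Leather Jacket","quantity":1,"item_price":133700}]}'
);

// Sum of item_price * quantity, reduced by a percentage discount.
function total(items, percentage) {
  const gross = items.reduce((sum, i) => sum + i.item_price * i.quantity, 0);
  return Math.round((gross * (100 - percentage)) / 100);
}

// Vulnerable: every property of the body is bound onto the order, so the
// discount and even the unit price are whatever the client sent.
function checkoutVulnerable(cart, body) {
  const order = { ...cart, ...body }; // mass assignment of untrusted fields
  const items = order.chosen_products || order.items;
  const due = total(items, order.chosen_discount.percentage);
  if (due > cart.credits) return { status: 400, error: "not enough credits" };
  return { status: 200, total: due };
}

// Hardened: allow-list the fields taken from the client (product_id, quantity,
// discount_code). Price comes from the server-side catalogue, the discount from
// the code table; chosen_discount and item_price in the body are ignored.
function checkoutHardened(cart, body, codes = DISCOUNT_CODES) {
  const catalogue = new Map(cart.items.map((i) => [i.product_id, i]));
  const items = [];
  for (const p of body.chosen_products || []) {
    const known = catalogue.get(String(p.product_id));
    const qty = Number.isInteger(p.quantity) && p.quantity > 0 ? p.quantity : 0;
    if (!known || qty === 0) return { status: 400, error: "bad item" };
    items.push({ ...known, quantity: qty }); // item_price taken from catalogue
  }
  const pct =
    typeof body.discount_code === "string" && codes[body.discount_code] ? codes[body.discount_code] : 0;
  const due = total(items, pct);
  if (due > cart.credits) return { status: 400, error: "not enough credits" };
  return { status: 200, total: due };
}
```

Against the posted body, checkoutVulnerable charges 0 and completes the order with only 10000 credits, while checkoutHardened prices the jacket at 133700 from the catalogue and rejects it for insufficient credits; the allow-list, not a blocklist of known-bad fields, is what makes the second handler safe when new properties are added to the order object later.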

f1owin | Last updated: Sep 17, 2024 08:13PM UTC

I think I identified the issue, or at least the direction the issue is coming from. There seems to be some setting wrong with my Burp Proxy installation. I tried another web proxy tool to validate and could solve the challenge. My issue is only present when I am running Burp Proxy. Afterwards I tried with a fresh installation of Burp Suite CE (and also a new CA certificate), but my issues reappeared. Do I need to activate/deactivate a specific setting for the proxy in order to solve the challenge?

Ben, PortSwigger Agent | Last updated: Sep 18, 2024 07:18AM UTC

Hi, Do you have a screenshot of the raw request? In terms of your other questions - I was able to solve the lab using the default settings within Burp so it should not require anything special to be configured. Whether you have configured something or have an extension running that is causing the behaviour that you are seeing is another matter. If you attempt this lab again today are you able to take some screenshots or a video of what you are doing and seeing and then send this to us via support@portswigger.net so that we can see this more clearly?

f1owin | Last updated: Sep 18, 2024 07:19PM UTC