The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Lab: URL-based access control can be circumvented error

Nathan | Last updated: Nov 11, 2020 05:48PM UTC

Hello, I have a question about the lab "URL-based access control can be circumvented". For some reason, whenever I try to do the lab in Burp Suite and I send the request to Repeater, after following the steps "Change the URL in the request line to / and add the HTTP header X-Original-URL: /invalid," I don't seem to be getting a response. I even resorted to following a video tutorial, but while the person in the video gets a response, I still get nothing. Am I doing something wrong, or did I miss something? Please help!

Uthman, PortSwigger Agent | Last updated: Nov 12, 2020 09:21AM UTC

Hi Nathan, it may be best to wait ~15 mins for the lab to reset and try again. I just attempted this lab and it completes without any issues.

Nathan | Last updated: Nov 15, 2020 05:41PM UTC

Hello, I've attempted to do this lab multiple times over the course of a few days, but I still seem to be getting the same result, that being no response... Waiting and resetting doesn't seem to fix the issue, at least for me...

Uthman, PortSwigger Agent | Last updated: Nov 16, 2020 10:59AM UTC

Nathan, what browser are you using? Can you please send screenshots and the exact steps you have completed to support@portswigger.net?

Nathan | Last updated: Nov 16, 2020 06:15PM UTC

I have attempted to use both Google Chrome and Mozilla Firefox, with no success. If possible, would a video of my attempt suffice as well? Or does it need to be strictly screenshots?

Uthman, PortSwigger Agent | Last updated: Nov 17, 2020 09:23AM UTC

A video would be more helpful. Thank you!

Nathan | Last updated: Nov 17, 2020 04:52PM UTC

Hello, I have managed to get the lab working on my own, but I wanted to point out that in the current version of Burp Suite, when you send a request to Repeater, it includes a few lines of code/text that make the lab not work. By deleting these extra lines, I was able to get the lab to work.

eduard | Last updated: Dec 11, 2020 02:37PM UTC

Can you please share what extra lines? Thank you.

Uthman, PortSwigger Agent | Last updated: Dec 11, 2020 02:46PM UTC

You need to ensure there are two newline characters at the end of your request. E.g.

GET / HTTP/1.1
Host: example.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close\r\n
\r\n

If you display nonprintable characters, you should see the \r\n\r\n I am referring to.
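As an added example, not code from the thread or from PortSwigger, here is a small Python check for the two points discussed above: a raw request whose head does not end in the blank line (CRLF CRLF) leaves the server waiting and produces the "no response" symptom, and a front-end enforcing URL-based access control should drop override headers such as X-Original-URL before forwarding. The header list and the sample request bytes are constructed for this example.

```python
import re
from typing import List

# Headers some back-ends honour as a URL override (the lab's X-Original-URL is
# one); a front-end that enforces URL-based access control should drop them.
OVERRIDE_HEADERS = {b"x-original-url", b"x-rewrite-url"}
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def check_raw_request(raw: bytes) -> List[str]:
    """Return the problems found in a raw HTTP/1.1 request buffer.

    Reports a head that is not terminated by CRLF CRLF (the server then keeps
    waiting for more headers), a malformed request line, and any override header.
    """
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        problems.append("request head is not terminated by \\r\\n\\r\\n")
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        problems.append("malformed request line")
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() in OVERRIDE_HEADERS:
            problems.append("override header present: %s: %s"
                            % (name.decode(), value.strip().decode()))
    return problems


def strip_override_headers(raw: bytes) -> bytes:
    """Drop override headers before forwarding, as a hardened front-end would."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept = [lines[0]] + [
        l for l in lines[1:]
        if l.partition(b":")[0].strip().lower() not in OVERRIDE_HEADERS
    ]
    return b"\r\n".join(kept) + sep + body


# Constructed sample (trimmed from the request quoted above), first without
# the final blank line, then with it appended.
SAMPLE = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
          b"X-Original-URL: /invalid\r\nConnection: close\r\n")

if __name__ == "__main__":
    print(check_raw_request(SAMPLE))            # missing terminator + override header
    print(check_raw_request(SAMPLE + b"\r\n"))  # override header only
    print(strip_override_headers(SAMPLE + b"\r\n"))
```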

tefo | Last updated: Apr 28, 2021 06:41PM UTC

Hello,

GET / HTTP/1.1
Host:
Cookie:
User-Agent:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
Dnt: 1
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Te: trailers
Connection: close
X-Original-URL: /invalid

This is the request. Please change the location of Connection and X-Original-URL:

X-Original-URL: /invalid
Connection: close

ali | Last updated: Jan 10, 2022 05:33PM UTC

Hello team, I'm doing this lab (Method-based access control can be circumvented) right now, but I don't understand the concept. Please explain this lab.

Ben, PortSwigger Agent | Last updated: Jan 11, 2022 08:36AM UTC