Lab: URL-based access control can be circumvented error

Nathan | Last updated: Nov 11, 2020 05:48PM UTC

Hello, I have a question about the lab "URL-based access control can be circumvented". For some reason, whenever I try to do the lab in Burp suite and I send the request to Repeater, after following the steps "Change the URL in the request line to / and add the HTTP header X-Original-URL: /invalid," I don't seem to be getting a response. I even resorted to following a video tutorial, but while the person in the video gets a response, I still get nothing. Am I doing something wrong, or did I miss something? Please help!

Uthman, PortSwigger Agent | Last updated: Nov 12, 2020 09:21AM UTC

Hi Nathan, it may be best to wait ~15 mins for the lab to reset and try again. I just attempted this lab and it completes without any issues.

Nathan | Last updated: Nov 15, 2020 05:41PM UTC

Hello, I've attempted to do this lab multiple times over the course of a few days, but I still seem to be getting the same result, that being no response... Waiting and resetting doesn't seem to fix the issue, at least for me...

Uthman, PortSwigger Agent | Last updated: Nov 16, 2020 10:59AM UTC

Nathan, what browser are you using? Can you please send screenshots and the exact steps you have completed to support@portswigger.net?

Nathan | Last updated: Nov 16, 2020 06:15PM UTC

I have attempted to use both Google Chrome and Mozilla Firefox, with no success. If possible, would a video of my attempt suffice as well? Or does it need to be strictly screenshots?

Uthman, PortSwigger Agent | Last updated: Nov 17, 2020 09:23AM UTC

A video would be more helpful. Thank you!

Nathan | Last updated: Nov 17, 2020 04:52PM UTC

Hello, I have managed to get the lab working on my own, but I wanted to point out that in the current version of Burp Suite, when you send a request to Repeater, it includes a few lines of code/text that make the lab not work. By deleting these extra lines, I was able to get the lab to work.

eduard | Last updated: Dec 11, 2020 02:37PM UTC

Can you please share what extra lines? Thank you.

Uthman, PortSwigger Agent | Last updated: Dec 11, 2020 02:46PM UTC

You need to ensure there are two newline characters at the end of your request. E.g.

    GET / HTTP/1.1
    Host: example.com
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Connection: close\r\n
    \r\n

If you display nonprintable characters, you should see the \r\n\r\n I am referring to.
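The framing point in the reply above (an HTTP/1.1 header block must end with an empty line, i.e. CRLF CRLF) and the header the lab turns on are both easy to check mechanically. The following is an added example, not code from the thread, from Burp Suite or from PortSwigger: it checks whether a raw request is terminated correctly, repairs the terminator, and, from the defending side, reports any client-supplied X-Original-URL header that a front end should strip before forwarding. The sample request is constructed here.

```python
# Added example, not from the PortSwigger thread or Burp Suite.
# Helpers for the raw-request framing issue discussed above, plus a
# defender-side check for the URL override header the lab relies on.

CRLF = "\r\n"

# Header names (lower-cased) that let a client override the request path
# seen by the back end; a front end should drop these from untrusted input.
OVERRIDE_HEADERS = {"x-original-url"}  # from the lab; extend per deployment


def is_complete_request(raw: str) -> bool:
    """True when the header section is closed by an empty line (CRLF CRLF).
    Without it the server keeps waiting for more headers, which is why
    Repeater appears to return no response."""
    return raw.endswith(CRLF * 2)


def fix_request_terminator(raw: str) -> str:
    """Strip any trailing line endings and close the header block with
    exactly one empty line, which is what a request with no body needs."""
    return raw.rstrip("\r\n") + CRLF * 2


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw request into {lower-name: value}.
    The request line (first line) is skipped; the body, if any, is ignored."""
    head = raw.split(CRLF * 2, 1)[0]
    headers = {}
    for line in head.split(CRLF)[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def find_override_headers(raw: str) -> list:
    """Defender-side check: list any URL override headers present in the
    request so a proxy/front end can reject or strip them before the
    back end sees them."""
    return sorted(h for h in parse_headers(raw) if h in OVERRIDE_HEADERS)


# Constructed sample: the request as it looks with the terminator missing.
BROKEN = ("GET / HTTP/1.1" + CRLF + "Host: example.com" + CRLF
          + "X-Original-URL: /invalid" + CRLF + "Connection: close")
```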

