Burp Suite User Forum


Mystery lab challenges that require to submit solution seem to be broken

Adrian | Last updated: Mar 21, 2022 08:58AM UTC

Mystery lab challenges that require submitting a solution seem to be broken - correct results are not accepted. Example for the "CORS vulnerability with trusted insecure protocols" - for better visibility the requests below are taken straight from the administrator account after hijacking his session (the same results can be observed in the Exploit Server log after successful CORS exploitation):

    GET /accountDetails HTTP/1.1
    Host: {BURP_LAB}.web-security-academy.net
    Cookie: session=uVQFhiZvX5PggT9C8DcByASRxbLNKy34

    HTTP/1.1 200 OK
    Access-Control-Allow-Credentials: true
    Content-Type: application/json; charset=utf-8
    Content-Length: 156

    {
      "username": "administrator",
      "email": "",
      "apikey": "El1cgmUSyndnZf8elxnXpVQSUhAWIbeE",
      "sessions": [
        "uVQFhiZvX5PggT9C8DcByASRxbLNKy34"
      ]
    }

    POST /submitSolution HTTP/1.1
    Host: {BURP_LAB}.web-security-academy.net
    Content-Length: 39
    Content-Type: application/x-www-form-urlencoded

    answer=El1cgmUSyndnZf8elxnXpVQSUhAWIbeE

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    Content-Length: 17

    {"correct":false}

Dev tools console:

    Uncaught TypeError: eval(...) is not a function
        at XMLHttpRequest.verifyAnswer (submitSolution.js:19:45)

I've seen the same thing for one of the XXE labs, "Exploiting blind XXE to exfiltrate data using a malicious external DTD".
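The lab named in the post is about a server that reflects an http:// origin in Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials: true, which is why a credentialed cross-origin read of /accountDetails succeeds. The following is an added example, not code from the post or from PortSwigger: it parses a raw HTTP response of the kind captured in Burp, classifies its CORS headers so the insecure-protocol case is flagged, and shows the allow-list a defender would use instead. The hostnames, the sample response and the API key value are constructed placeholders; parse_raw_response, classify_cors and cors_headers_for are hypothetical helper names.

```python
"""
Spot the 'trusted insecure protocols' CORS weakness from captured headers and
show the corrected server-side allow-list. All sample data is constructed.
"""
import json
from urllib.parse import urlsplit

# Constructed raw response in the shape of the /accountDetails reply above;
# the apikey is an obvious placeholder, not a real lab value.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: http://stock.LAB-ID.web-security-academy.net\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "\r\n"
    '{"username": "administrator", "email": "", "apikey": "EXAMPLE-KEY-NOT-REAL"}'
)

# The Origin header the browser sent for that response (constructed).
SENT_ORIGIN = "http://stock.LAB-ID.web-security-academy.net"


def parse_raw_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def classify_cors(request_origin: str, response_headers: dict) -> str:
    """Return a verdict for how the response treats the requesting origin."""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"  # browser blocks cross-origin reads of the body
    if acao == "*":
        # Browsers refuse '*' combined with credentials, so the body stays
        # unreadable for credentialed requests even though the header is odd.
        return "wildcard-with-credentials" if creds else "wildcard"
    if acao != request_origin:
        return "origin-not-allowed"
    scheme = urlsplit(acao).scheme.lower()
    if creds and scheme == "http":
        # A plaintext origin is trusted with cookies: anyone able to tamper
        # with traffic to that http:// host can read credentialed responses.
        return "insecure-protocol-trusted"
    if creds:
        return "credentialed-https-origin"
    return "allowed-without-credentials"


# Corrected server side: an explicit https-only allow-list, never a reflected
# Origin. Vary: Origin keeps caches from serving one origin's ACAO to another.
TRUSTED_ORIGINS = {"https://stock.LAB-ID.web-security-academy.net"}


def cors_headers_for(request_origin: str) -> dict:
    """Headers a hardened /accountDetails handler would emit for this Origin."""
    if request_origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}  # no ACAO at all: the browser withholds the body


def audit_sample() -> dict:
    """Run both the captured response and the hardened handler through the classifier."""
    status, headers, body = parse_raw_response(RAW_RESPONSE)
    return {
        "status": status,
        "captured": classify_cors(SENT_ORIGIN, headers),
        "exposed_user": json.loads(body)["username"],
        "hardened_http": classify_cors(SENT_ORIGIN, cors_headers_for(SENT_ORIGIN)),
        "hardened_https": classify_cors(
            "https://stock.LAB-ID.web-security-academy.net",
            cors_headers_for("https://stock.LAB-ID.web-security-academy.net"),
        ),
    }


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

The classifier treats an http:// origin as a distinct finding from a merely permissive https one, because the former remains exploitable even when the allow-list is otherwise tight; the hardened handler drops the reflection and keeps only https entries, so the same http:// origin now gets no CORS headers at all.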

Michelle, PortSwigger Agent | Last updated: Mar 21, 2022 01:45PM UTC

Thanks for taking the time to get in touch to raise this with us. I've just spoken to the team and they were already aware of the issue and are working on a fix. We'll post back here once the fix is in place.
