The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Mystery lab challenges that require to submit solution seem to be broken

Adrian | Last updated: Mar 21, 2022 08:58AM UTC

Mystery lab challenges that require you to submit a solution seem to be broken - correct results are not accepted. Example for the "CORS vulnerability with trusted insecure protocols" lab - for better visibility, the requests below are taken straight from the administrator account after hijacking his session (the same results can be observed in the Exploit Server log after successful CORS exploitation):

GET /accountDetails HTTP/1.1
Host: {BURP_LAB}.web-security-academy.net
Cookie: session=uVQFhiZvX5PggT9C8DcByASRxbLNKy34

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Content-Length: 156

{
  "username": "administrator",
  "email": "",
  "apikey": "El1cgmUSyndnZf8elxnXpVQSUhAWIbeE",
  "sessions": [ "uVQFhiZvX5PggT9C8DcByASRxbLNKy34" ]
}

POST /submitSolution HTTP/1.1
Host: {BURP_LAB}.web-security-academy.net
Content-Length: 39
Content-Type: application/x-www-form-urlencoded

answer=El1cgmUSyndnZf8elxnXpVQSUhAWIbeE

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 17

{"correct":false}

Dev tools console:

Uncaught TypeError: eval(...) is not a function
    at XMLHttpRequest.verifyAnswer (submitSolution.js:19:45)

I've seen the same thing for one of the XXE labs, "Exploiting blind XXE to exfiltrate data using a malicious external DTD".

Michelle, PortSwigger Agent | Last updated: Mar 21, 2022 01:45PM UTC