Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Offline password cracking lab issue

Brian | Last updated: Oct 18, 2021 10:32AM UTC

Lab URL: https://portswigger.net/web-security/authentication/other-mechanisms/lab-offline-password-cracking Hi. The automated victim does not seem to ever visit the blog pages for me, as I don't get any hits in the access logs. I have made sure to set everything up right, finally looking at the solution to be sure. I DO get a hit in the logs when I visit the blog page myself, which correctly shows my 'stay-logged-in' cookie in the log entry. I have followed instructions to the letter. I have tried completely new sessions on the lab to make sure there wasn't some random glitch. No dice. My stored XSS is identical to the solution (and works fine on my visits).

Brian | Last updated: Oct 18, 2021 10:35AM UTC

Just to add, I have also watched the solution video, and I am doing exactly what he does, but he gets a log hit and I don't.

Brian | Last updated: Oct 18, 2021 10:50AM UTC

Ok, I figured out what I was doing wrong. I was using the url "my.web.lab.server-id/exploit" in the XSS rather than simply "my.web.lab.server-id/" However, I'm still confused as to why it didn't work, as it did work when I visited the blog pages myself.

Liam, PortSwigger Agent | Last updated: Oct 18, 2021 12:20PM UTC