The Burp Suite User Forum will be discontinued on the 1st November 2024.

Burp Suite User Forum


Problem with Exploiting NoSQL operator injection to extract unknown fields lab

kaiwhata | Last updated: Oct 07, 2024 01:14AM UTC

It seems there's a bug in the "Exploiting NoSQL operator injection to extract unknown fields" lab. Whilst the NoSQL exfiltration is possible - it doesn't appear that the unlockToken is one of the keys enumerable via JS anymore (the set I enumerated was _id, username, password, and 'email'). I verified using keys.length that there were no more enumerable key names (and I checked that the email key was in fact that user's email and not their token). Enumerating beyond a key length of 4 causes the server to 500. Whilst I was able to enumerate the user's entire password - as the account is locked by the attack I can't use it to authenticate and complete the lab. Specifically, Step 7.8 in the solution no longer appears to be possible. I've tried stopping and resetting the lab - but have experienced the same behaviour through a lab restart.

Ben, PortSwigger Agent | Last updated: Oct 07, 2024 09:34AM UTC

Hi, just to confirm, have you carried out step 4 of the solution - manually resetting the carlos user's password using the embedded browser?

kaiwhata | Last updated: Oct 07, 2024 07:21PM UTC

Thanks - I had reset the lab part way through and had clearly not remembered to complete this step the second time. Solved it now :)
