Burp Suite User Forum


Web Security Academy Bug?

Gary | Last updated: Aug 02, 2021 04:28AM UTC

I may have stumbled across either an interesting Academy bug, or my Burp installation and/or browser have had a stroke. But maybe this has been observed before. In short, during the lab "Exploit XSS to Perform CSRF" I wrote a profoundly broken solution that mangled the target's email address, but the mangled text was (seemingly) random and bore no relation to my code or code from the lab. In an odd way, it almost resembled some type of response splitting or maybe cache dysfunction? I've laid it out with pics in the readme at https://drive.google.com/drive/u/0/folders/1z-nENFQwupqeMltb_979LFCGVDRYSInu

Oh, I did fix my payload and nailed the lab after all. ;)

Uthman, PortSwigger Agent | Last updated: Aug 02, 2021 10:46AM UTC

Hi Gary, I have had a look at this. Can you please share a screen recording with support@portswigger.net of this replicated? The collaborator URL is coming from the Burp Collaborator, but it is unclear why that is added, since the collaborator is not required to complete this lab. Could someone be running a scan on your lab URL? Or have you previously run a scan on it? 'Wiener' is the username of the user you need to log in as to complete the lab, so I believe that is working as expected.

Gary | Last updated: Aug 03, 2021 06:26AM UTC

>> Can you please share a screen recording with support@portswigger.net of this replicated?

Will do! I'll try to make that between BH/Defcon this week. :thumbsup:

Uthman, PortSwigger Agent | Last updated: Aug 03, 2021 09:19AM UTC

Thank you! We'll pick this up as soon as we receive the email.
