Bug Reports

  • Could not start Burp: java.lang.ExceptionInInitializerError

    When attempting to install Burp for Mac, the image mounts but when double clicking to install, it just won't install. Then attempted to use the JAR version and getting the error: Could not start Burp: java.lang.ExceptionInInitializerError Exception: java.lang.ClassCastException: class com.install4j.runtime.beans.actions.misc.LoadResponseFileAction cannot be cast to class com.install4...

    1 Agent Answer    0 Community Answer
    Oct 10, 2019 08:25PM UTC
  • Burp Enterprise - Dropdowns auto-collapsing after ~10 seconds

    In Burp Enterprise, information is auto-collapsing ONLY when I go to scan results through the following workflow: Sites >> (select any site) >> Issues >> (select any specific issue) >> expand dropdowns >> Wait Ten Seconds, and the dropdowns all refresh to the closed state. This does not happen looking at results from individual scans, and this happens during tim...

    1 Agent Answer    0 Community Answer
    Oct 09, 2019 10:56PM UTC
  • Wrong settings for config "Audit checks - extensions only"

    Hello, the default configuration entry "Audit checks - extensions only" enables more than extension-provided checks, which is more than surprising (and very disturbing). Go to the menu bar, then select "Burp > Configuration library" Highlight "Audit checks - extensions only" and click on "Edit" Go to "Issues reported", sort on "Enab...

    1 Agent Answer    0 Community Answer
    Oct 09, 2019 08:58AM UTC
  • Missed RFI

    Hi, testing again on zero.webappsecurity.com Burp ( 2.1.04 ) is missing the remote file inclusion at /help.html eg: http://zero.webappsecurity.com/help.html?topic=https://www.google.com

    1 Agent Answer    1 Community Answer
    Oct 08, 2019 11:18AM UTC
  • Missed SQL Injection

    Hi, Doing some tests I notice that Burp ( version 2.1.04 ) is missing the SQL injection at http://zero.webappsecurity.com under post data field payeeId. SQLmap will identify it with as the following: sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests: --- Parameter: payeeId (POST) Type: stacked queries Title: HSQLDB >= 1.7.2 stacked q...

    1 Agent Answer    1 Community Answer
    Oct 08, 2019 11:12AM UTC
  • Clickjacking with buster script bypass

    Following lab is bugged: https://portswigger.net/web-security/clickjacking/lab-frame-buster-script Robot-victim does not click exploit iframe, even if it was copied and set correctly (I was using Google Chrome as advised). Therefore this lab cannot be completed. Moreover I noticed, if I will use `<button>Click me</button>` instead of `<div>Click me</div>`, robot-vi...

    1 Agent Answer    0 Community Answer
    Oct 08, 2019 07:48AM UTC
  • UTF-8 in WebSocket Repeater history

    Hello, UTF-8 characters (like accentuated character "é") are correctly displayed nearly everywhere in Burp Suite, except in the History view of the Websockets Repeater. A screenshot was uploaded to https://imgur.com/a/Yrqe8M2 Tested on Pro v2.1.04 Cheers, Nicolas

    2 Agent Answers    0 Community Answer
    Oct 05, 2019 05:14PM UTC
  • Grep - Extract and regexp group = "null"

    Hello, when editing Grep - Extract entries, the regexp group is set to "null" after edition. How to reproduce: - create a new Intruder attack, go to Options > Match & Replace - click Add then "Extract from regexp group" - enter "a(.*)b" (w/o quotes) and click OK - select this entry and click Edit - uncheck "Case sensitive" and click OK - t...

    1 Agent Answer    0 Community Answer
    Oct 05, 2019 01:54PM UTC
  • Unable to activate license after reinstalling Burp Enterprise

    After a server crash we had to reinstall our Burp Enterprise setup. I downloaded the license again from our account page and tried to install it through the /settings/licensing upload field. Unfortunately I get the following message. Failed to upload license: License activation failed, please contact support@portswigger.net

    1 Agent Answer    0 Community Answer
    Oct 04, 2019 07:50AM UTC
  • Burp 2.x Audit finds less issues

    I'm playing a bit with Burp 1.7.37 and v2.1.04 (both pro versions). I also read about the new scanning techniques Burp 2.x comes with. So my expectation was, that it should find (in minimum) as much issues as the "old" one. For testing I used DVWA. The old one with spidering and a following active scan finds multiple issues: - sqli (visible and blind) - xss (stored and reflected) - command i...

    2 Agent Answers    0 Community Answer
    Oct 03, 2019 01:24PM UTC