Bug Reports

Report a bug

  • Missed RFI

    Hi, testing again on zero.webappsecurity.com Burp ( 2.1.04 ) is missing the remote file inclusion at /help.html eg: http://zero.webappsecurity.com/help.html?topic=https://www.google.com

    1 Agent Answer    1 Community Answer
    Oct 08, 2019 11:18AM UTC
  • Missed SQL Injection

    Hi, Doing some tests I notice that Burp ( version 2.1.04 ) is missing the SQL injection at http://zero.webappsecurity.com under post data field payeeId. SQLmap will identify it with as the following: sqlmap identified the following injection point(s) with a total of 46 HTTP(s) requests: --- Parameter: payeeId (POST) Type: stacked queries Title: HSQLDB >= 1.7.2 stacked q...

    1 Agent Answer    1 Community Answer
    Oct 08, 2019 11:12AM UTC
  • Clickjacking with buster script bypass

    Following lab is bugged: https://portswigger.net/web-security/clickjacking/lab-frame-buster-script Robot-victim does not click exploit iframe, even if it was copied and set correctly (I was using Google Chrome as advised). Therefore this lab cannot be completed. Moreover I noticed, if I will use `<button>Click me</button>` instead of `<div>Click me</div>`, robot-vi...

    1 Agent Answer    0 Community Answer
    Oct 08, 2019 07:48AM UTC
  • UTF-8 in WebSocket Repeater history

    Hello, UTF-8 characters (like accentuated character "é") are correctly displayed nearly everywhere in Burp Suite, except in the History view of the Websockets Repeater. A screenshot was uploaded to https://imgur.com/a/Yrqe8M2 Tested on Pro v2.1.04 Cheers, Nicolas

    2 Agent Answers    1 Community Answer
    Oct 05, 2019 05:14PM UTC
  • Grep - Extract and regexp group = "null"

    Hello, when editing Grep - Extract entries, the regexp group is set to "null" after edition. How to reproduce: - create a new Intrduer attack, go to Options > Match & Replace - click Add then "Extract from regexp group" - enter "a(.*)b" (w/o quotes) and click OK - select this entry and click Edit - uncheck "Case sensitive" and click OK - t...

    2 Agent Answers    1 Community Answer
    Oct 05, 2019 01:54PM UTC
  • Unable to activate license after reinstalling Burp Enterprise

    After a server crash we had to reinstall our Burp Enterprise setup. I downloaded the license again from our account page and tried to install it through the /settings/licensing upload field. Unfortuinately I get the following message. Failed to upload license: License activation failed, please contact support@portswigger.net

    1 Agent Answer    0 Community Answer
    Oct 04, 2019 07:50AM UTC
  • Burp 2.x Audit finds less issues

    I‘m playing a bit with burp 1.7.37 and v2.1.04 (both pro versions). I also read about the new scanning techniques burp 2.x comes with. So my expectation was, that it should find (in minimum) as much issues as the „old“ one. For testing i used DVWA. The old one with spidering and a following active scan finds multiple issues: - sqli (visible and blind) - xss (stored and refelcted) - command i...

    2 Agent Answers    0 Community Answer
    Oct 03, 2019 01:24PM UTC
  • Reproducing External Service Interaction (DNS) issue

    Hi all, I am having a problem recreating an external service interaction (DNS) via the scanner. When I run a scan to the site the first time (crawl and audit) it finds the issue. If a run the scan a second time it does not find the issue. If a run the GET request with a new collab id it doesn't work either, yet the issue is repeatable with different ids with every re-start. What I ha...

    1 Agent Answer    0 Community Answer
    Oct 02, 2019 02:44AM UTC
  • Connection reset error

    I face Connection Reset error while opening a testing website that I've got. The website works properly when burp proxy is not set, and when the burp proxy is set in Mozzila or Chrome it gives Connection Reset Error.

    2 Agent Answers    2 Community Answers
    Sep 30, 2019 10:28AM UTC
  • POST with gzip data can't parse insertion points correctly

    If post with gzip data(maybe other binary data format either) will cause burp extender can't parse insertion points correctly, when you print insertionPoint.getInsertionPointType(), it will always print 1. And the insertionPointName is strange.Output like below: Utilities.out(insertionPoint.getInsertionPointType() + ""); Utilities.out(insertionPoint.getInsertionPointName()); ...

    1 Agent Answer    0 Community Answer
    Sep 27, 2019 12:55PM UTC