PortSwigger / http-request-smuggler

https://portswigger.net/blog/http-desync-attacks

Launch Smuggler Probe Fails To Detect Vulnerability on Basic Web Academy Lab #39

Closed nicseve closed 3 years ago

nicseve commented 4 years ago

I'm running a clean install of Burp Suite Pro Version on Kali Linux and attempting to test the HTTP Request Smuggler Probe on the PortSwigger Web Academy Request Smuggler Lab 1.

After launching the probe, the output pane in the extender tab shows the requests constantly timing out and saying 'Unexpected Report With Response'.

Notably, running the extension on the community edition of Burp on both Kali Linux and MacOS detects the vulnerability in the lab. It's possible I have something strange going on with my install, but I would love if someone could verify this issue or lack of it on their end with the same setup.

Update: the extension will work when only itself and Turbo Intruder are loaded. Once Param Miner is loaded the extension seems to fail, although the culprit for the failure could be linked to any of the following loaded extensions at time of testing: Active Scan++, Backslash Powered Scanner, Upload Scanner.

albinowax commented 4 years ago

Hmm it might be param miner, I'll look into that when I have time

yongicobay commented 4 years ago

Hi, I closed a similar issue because after some changes and a reboot it worked, but I've once again got that problem. I unloaded every extension except request smuggler and turbo intruder, but it's like issue activity is stuck on a few days ago...

albinowax commented 4 years ago

Note: see also internal report 185280

albinowax commented 4 years ago

I can't replicate this - just tried it with Pro on Kali with default settings and it worked fine. It's very strange that it would say 'Unexpected report with Response' but not actually report anything, this makes me think this might be a core Burp Suite bug. Are you able to supply your Debug ID from Help->Diagnostics?

albinowax commented 3 years ago

Insufficient info to address this

0xChupaCabra commented 2 years ago

Confirmed, as stated above, disabling param miner fixes the problem.

FahadSec commented 2 years ago

I'm having the same issue. I have Burp Suite Professional Version 2022.5.2 on Mac OS. I also tried unloading all my extensions and it still doesn't work. Attached the request logs. smuggler_logs.csv