HackerOne Disclosed Reports - 2026-05-05


Low
resolved

Out of scope: Improper Input Validation Order on /api-internal/login via password field leads to unnecessary resource consumption


Bug reported by was disclosed at May 5, 2026, 3:07 pm

A security issue was discovered in the /api-internal/login authentication endpoint of the internal login interface of Burp Suite DAST (Enterprise). The issue was caused by improper input validation order, where the application processed user-supplied input before enforcing field-level validation. This allowed extremely large payloads in the password field to be buffered and parsed prior to rejection, resulting in unnecessary resource consumption. The application fully processed the requests before applying validation, violating the fail-fast principle.
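The handling order the report describes, contrasted with a fail-fast version, as an added example that is not code from the report or from the product: the body and field limits, the JSON login body and the helper names are assumptions, and `CountingStream` only exists to show how much of the request each order actually buffers.

```python
import io
import json

MAX_BODY_BYTES = 4096      # assumed limit for the whole login body
MAX_PASSWORD_LEN = 128     # assumed field-level limit for the password

class CountingStream:
    """Body stream that records how many bytes a handler actually consumed."""
    def __init__(self, data):
        self._buf = io.BytesIO(data)
        self.bytes_read = 0

    def read(self, n=-1):
        chunk = self._buf.read(n)
        self.bytes_read += len(chunk)
        return chunk

def vulnerable_login(headers, body):
    """Reported order: buffer and parse the whole body, validate afterwards."""
    raw = body.read()                      # unbounded read of a client-sized body
    data = json.loads(raw)                 # full parse before any field check
    if len(data.get("password", "")) > MAX_PASSWORD_LEN:
        return 400                         # rejected only after all the work is done
    return 200

def hardened_login(headers, body):
    """Fail fast: size limits before buffering, field limits right after parsing."""
    try:
        declared = int(headers.get("Content-Length", ""))
    except ValueError:
        return 411                         # Length Required: refused without reading
    if declared > MAX_BODY_BYTES:
        return 413                         # Payload Too Large: nothing buffered yet
    raw = body.read(MAX_BODY_BYTES + 1)    # bounded read; the +1 exposes a lying header
    if len(raw) > MAX_BODY_BYTES:
        return 413
    data = json.loads(raw)                 # parse only a bounded buffer
    password = data.get("password", "")
    if not isinstance(password, str) or not 1 <= len(password) <= MAX_PASSWORD_LEN:
        return 400
    return 200

def login_request(password, declared_len=None):
    """Constructed sample request: JSON login body plus a Content-Length header."""
    body = json.dumps({"username": "alice", "password": password}).encode()
    length = len(body) if declared_len is None else declared_len
    return {"Content-Length": str(length)}, CountingStream(body)
```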



Messages In This Thread
HackerOne disclosed reports - 2026-05-05 - by hashXploiter - 5 hours ago
