Burp Suite Enterprise resource exhaustion via huge request body
The /api-internal/login endpoint had no request body size limits at all. Zero checks in Jetty, no proxy limits, nothing. I sent one unauthenticated POST with ≈100.9 MB inside the password field:

POST /api-internal/login HTTP/1.1
Host: target
Content-Type: application/json
Content-Length: 105830725

{"username":"burpenterprise","password":"A...A"}

TTFB was 45 seconds. The server loaded the entire request into memory before even starting to parse JSON. That giant password then went straight into BCrypt. One such request was enough to completely tank the instance. Heap got destroyed, GC pauses went on forever, CPU spiked hard and everything just froze. Scans stopped, queues died.

In 2026.3 they added a length check on the password field. It changed nothing, because the body was already fully in memory long before the check could trigger. Only in 2026.4 did they finally introduce real stream-level limiting at the network filter. Now it drops oversized requests immediately.

James Kettle (albinowax) personally closed the report and wrote: "This shouldn't have been accepted, but it was so we're awarding a small bounty. Thanks for the help. Just to warn anyone else reading this, future DoS reports will be rejected as N/A."

I became the last researcher who successfully got a DoS accepted in Burp Suite Enterprise.

CWE-400, CWE-20. CVSS 3.1 - 7.5 High.

Release note in DAST 2026.4: "Submitting unusually long passwords during login could cause a significant increase in memory consumption, potentially crashing your instance. We'd like to thank bug bounty hunter Armen Akopyan (bereza4321) for reporting this."

HackerOne #3625600 - https://hackerone.com/reports/3625600
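As an added illustration (not PortSwigger's code) of why the 2026.3 field-length check could not help and what the 2026.4 stream-level limit has to do instead, here is a Jakarta Servlet filter that rejects the body on its declared Content-Length and again while the bytes are being read, so nothing oversized ever reaches the JSON parser or BCrypt. The 16 KB cap and the class name are assumptions.

```java
import java.io.IOException;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ReadListener;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletInputStream;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import jakarta.servlet.http.HttpServletResponse;

// Caps the request body before any JSON parsing or BCrypt work can start: layer 1 rejects on
// the declared Content-Length, layer 2 counts bytes actually read so chunked or misdeclared
// bodies cannot slip past layer 1. A check on the parsed password field is far too late.
public class BodyLimitFilter implements Filter {
    // Assumed cap: a login JSON body should never be anywhere near this size.
    static final long MAX_BODY_BYTES = 16 * 1024;

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (http.getContentLengthLong() > MAX_BODY_BYTES) {
            // Nothing has been buffered yet, so rejecting here costs almost nothing.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public ServletInputStream getInputStream() throws IOException {
                ServletInputStream in = http.getInputStream();
                return new ServletInputStream() {
                    long seen = 0; // bytes handed to the application so far
                    private void count(long n) throws IOException {
                        if (n > 0 && (seen += n) > MAX_BODY_BYTES) {
                            throw new IOException("request body exceeds " + MAX_BODY_BYTES + " bytes");
                        }
                    }
                    @Override public int read() throws IOException {
                        int b = in.read(); count(b == -1 ? 0 : 1); return b;
                    }
                    @Override public int read(byte[] buf, int off, int len) throws IOException {
                        int n = in.read(buf, off, len); count(n); return n;
                    }
                    @Override public boolean isFinished() { return in.isFinished(); }
                    @Override public boolean isReady() { return in.isReady(); }
                    @Override public void setReadListener(ReadListener l) { in.setReadListener(l); }
                };
            }
        }, res);
    }
}
```

The IOException surfaces inside whatever parser is consuming the stream, so map it to a 413 in the application's error handling, and override getReader() the same way if any handler reads the body as characters rather than bytes.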