Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Bug in lab "Web cache poisoning via an unkeyed query parameter"

Jesús | Last updated: Apr 03, 2023 07:54AM UTC

Hi, it seems that there is a bug in the lab "Web cache poisoning via an unkeyed query parameter". The response to GET / never gets cached as the server always return X-Cache: miss. Cheers, Jesús

Ben, PortSwigger Agent | Last updated: Apr 03, 2023 08:20AM UTC

Hi Jesus, I have just run through this lab and been able to solve it using the solution provided so it does appear to be working as expected, see the screenshot below (which includes the payload I have used): https://snipboard.io/DgTBG5.jpg Are you able to provide us with some details of the steps that you are taking to solve the lab (it might be easier to do this with some screenshots). If it is easier to provide these via email then please feel free to email us at support@portswigger.net and we can take a look from there.

Jesús | Last updated: Apr 03, 2023 11:19AM UTC

Hi Ben, thanks for the quick answer. I gave it another try and now it seems working well and managed to resolve the lab using the solution suggested (/?utm_content='/><script>alert(1)</script>). Many thanks, Jesús

H31s3nb3rg | Last updated: Jun 11, 2023 04:18PM UTC

HI! I'm trying to solve the lab right now, but it seems the cache isn't working. Even sending a GET request to / (without query paramaters) multiple times doesn't get me a cache hit ("X-Cache" header is always set to "miss"). The solution showed at this link https://snipboard.io/DgTBG5.jpg is for another lab. The intended lab is "Web cache poisoning via an unkeyed query parameter", not "Web cache poisoning via an unkeyed query string".

Ben, PortSwigger Agent | Last updated: Jun 12, 2023 12:41PM UTC

Hi, I am able to solve the 'Web cache poisoning via an unkeyed query parameter' lab using the solution provided (please see the screenshot below): https://snipboard.io/xCePQE.jpg Are you able to provide examples of the requests that you are sending? Do you have any extensions installed?

H31s3nb3rg | Last updated: Jun 14, 2023 12:57PM UTC

Solved. I set "Add dynamic cachebuster" in Param Miner and it added a cachebuster to every request sent to the server, including those sent by Repeater (i thought it was an option only for Param Miner extension, not for all requests sent with Burp Suite). Disabling the option solves the problem.

H31s3nb3rg | Last updated: Jun 14, 2023 12:57PM UTC

Thank you!

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.