Burp Suite User Forum


Cache Poisoning - Unkeyed Header and Unkeyed Cookie Labs Not Working?

Mauro | Last updated: Jul 01, 2024 03:59PM UTC

I solved both labs since I can trigger the corresponding alerts after requesting the main homepage address from my browser, but the Not Solved label never changes to Solved. Are there any issues related to the user who is supposedly periodically visiting the / webpage? Are there any recent solutions for those two labs? Thanks!

Ben, PortSwigger Agent | Last updated: Jul 02, 2024 07:29AM UTC

Hi Mauro, I have just run through the Unkeyed Header lab and was able to solve it using the written solution, so it does appear to be functioning as expected. I think it is fair to say that these types of lab rely a lot on timing and you may need to send your malicious request several times (in order to keep the cache poisoned) before the victim user does actually fall victim to this.

Mauro | Last updated: Jul 02, 2024 10:20AM UTC

Hello, thanks for the reply Ben! But I am solving the labs, now even closely following the detailed steps in the solution, and the same happens: on my end, whenever I request /, I get the alerts triggered for both labs. But the Not Solved is not changing to Solved. I kept poisoning the cache for almost 5 minutes, non-stop, and still nothing. Are you sure everything is OK on your end? Are those labs being solved lately by an average number of users? Thanks!

Ben, PortSwigger Agent | Last updated: Jul 02, 2024 10:33AM UTC

Hi Mauro, As noted, the lab is only 'solved' when the victim user visits the home page whilst the cache is poisoned. That is the trigger for the lab to be solved (the victim visits periodically and needs to do so whilst the cache is poisoned, hence the need to make sure the cache is kept poisoned by resending the malicious request - you may need to send this request a number of times before this happens so it is not an exact science). The lab is passing our tests and, as noted in my earlier post, I was able to solve the lab after around a minute of sending the malicious request so we are happy this is functioning as intended.
