Burp Suite User Forum

Login to post

"cors=1" in Cache Key Injection lab

Benja | Last updated: Aug 30, 2023 02:33PM UTC

Hi, I'm working on the Cache Key Injection lab. It mentions that knowledge of other vulnerabilities such as parameter pollution, header injection in the response, and of course XSS is necessary to solve it. However, there's a point in the solution that I don't quite understand, even after searching for it online. It involves adding cors=1 to the path of the URL to effectively achieve header injection of the Origin header. Where does this cors=1 come from? I'd like to understand it better to apply it in real-world scenarios. Especially, how is the discovery of the query cors=1 made? Additionally, it would be quite helpful to mention that "0d-0a" in the Origin header injection are used to achieve CRLF and shape the header, so it doesn't go unnoticed by anyone. Your labs are fantastic; they have helped me and continue to help me understand various vulnerabilities. I am eternally grateful. Thanks bronxi

Michelle, PortSwigger Agent | Last updated: Aug 31, 2023 09:46AM UTC

Hi The expert-level labs are designed to be more challenging. They can also involve reviewing the behavior of the application and looking for settings that you may be able to investigate further. For example, analyzing the localize.js request allows you to find settings that may allow you to enable/disable functionality by changing a value.

You need to Log in to post a reply. Or register here, for free.