Burp Suite User Forum

Login to post

Exploiting HTTP request smuggling to perform web cache deception - Lab not working.

Gourav | Last updated: Oct 15, 2021 04:57PM UTC

I have tried this lab more than 20 times now. With community and professional versions. I have also followed the steps mentioned and every time I get stuck in the end, I just don't get a static file with the victim's API key. I have tried this lab in different browsers. I have not been able to complete it so far. I have also had some problems with the labs of HTTP smuggling, I just don't get the desired response. Any help would be great and appreciated.

Gourav | Last updated: Oct 18, 2021 07:36AM UTC

Can someone help me?

Hannah, PortSwigger Agent | Last updated: Oct 18, 2021 08:28AM UTC

Hi If you're not getting the expected behavior, you can try unloading any extensions you may have installed. Have you tried following along with a video tutorial? There are plenty available on YouTube, and some of our labs have "Community solution" videos attached.

Gourav | Last updated: Oct 18, 2021 08:37AM UTC

I have been trying the solution listed on the website and the community solution and I have also referred to the solutions available on YT. The only extension that I have been using is the one recommended in the solution. I have been following procedure according to the solution, community solution, and YT videos but it is not working.

Hannah, PortSwigger Agent | Last updated: Oct 18, 2021 09:39AM UTC

I can confirm this lab is working as expected. Could you try disabling your extension and retry the lab to see if that works for you? You will have to repeat the request in Repeater quite a few times before you will be able to retrieve the information for the static files.

Gourav | Last updated: Oct 18, 2021 10:01AM UTC

I tried after disabling the extension, I got some interesting results such as getting various types of 200 responses. But I am still not able to solve the lab. I have repeated it several times.

Gourav | Last updated: Oct 18, 2021 10:06AM UTC

If I let the content length get updated then I get to see only images in the private window and after I recycle through all the images and then search for the API key, I am still not able to get it. I get only weiner account id with the API key result. This is same as my API key.

Hannah, PortSwigger Agent | Last updated: Oct 19, 2021 12:37PM UTC

Hi You will be looking for an API key associated with a static resource, for example, /resources/js/tracking.js You may need to repeat the steps a few times before you successfully retrieve the victim user's API key from the cache.

Gourav | Last updated: Oct 20, 2021 06:45PM UTC

I have tried it a lot of times. Towards the end I even stopped getting /resources/js/tracking/js file. And I have every other static, its not working for me.

Hannah, PortSwigger Agent | Last updated: Oct 21, 2021 09:58AM UTC

This is an Expert level lab, so it can be tricky. Keep trying and you should get there! I have tested this lab several times now and can confirm that it is working as expected.

Gourav | Last updated: Oct 25, 2021 11:14AM UTC

I have not been able to do it. I just don't get the desired response that the videos suggest. Burp search also gives me only one output the phrase "Your API Key" and this is my own get request for the account.

Hannah, PortSwigger Agent | Last updated: Oct 26, 2021 08:25AM UTC

Hi Could you drop us an email with some screenshots or a screen recording of how you're going about this lab?

Gourav | Last updated: Jan 09, 2022 05:19PM UTC

Where do I send the mail?

Hannah, PortSwigger Agent | Last updated: Jan 10, 2022 09:34AM UTC

Our email address is support@portswigger.net

Gourav | Last updated: Jan 13, 2022 10:21AM UTC

I will share the required details on the mentioned email.

You need to Log in to post a reply. Or register here, for free.