H2.CL request smuggling

Diego | Last updated: Mar 14, 2023 02:07PM UTC


Ben, PortSwigger Agent | Last updated: Mar 15, 2023 08:03AM UTC

Hi Diego, I have just run through this lab and it does appear to be solvable - see below:

https://snipboard.io/iZ8LYw.jpg

The lab itself is quite tricky, in that it involves quite specific timing to poison the connection immediately before the victim user's browser attempts to import a JavaScript resource. You might have to send your request numerous times before you hit the sweet spot for this particular lab.

