Burp Suite User Forum

Create new post

H2.CL request smuggling

Diego | Last updated: Mar 14, 2023 02:07PM UTC


Ben, PortSwigger Agent | Last updated: Mar 15, 2023 08:03AM UTC

Hi Diego, I have just run through this lab and it does appear to be solvable - see below: https://snipboard.io/iZ8LYw.jpg The lab itself is quite tricky, in that it involves quite specific timing to poison the connection immediately before the victim user's browser attempts to import a JavaScript resource. You might have to send your request numerous times before you hit the sweet spot for this particular lab.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.