The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


have a problem with "Lab: URL normalization"

Behrad | Last updated: Aug 21, 2022 06:07AM UTC

Hi,

In this lab I cannot get the request to be cached, and I get `X-cache: miss` on every request I send. When I use `pragma: x-get-cache-key` I can see that on every request I send there is a different origin header, like `X-Cache-Key: /<img$$Origin=https://v2upui7.com`.

My whole request is this:

```
GET /<img+src=1+onerror=alert(1)> HTTP/1.1
Host: 0a0f00a4032a2d47c01c098e00a900e6.web-security-academy.net
origin: apple.com
pragma: x-get-cache-key
Cookie: session=olkuG7Ym94uanQ6e4ZMjtzoyo9x6oEc7
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="104"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
```

Behrad | Last updated: Aug 21, 2022 06:09AM UTC

Update: the `origin: apple.com` is not part of my request.

Ben, PortSwigger Agent | Last updated: Aug 23, 2022 08:05AM UTC

Hi Behrad,

Just to clarify, you are referring to the following lab:

https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-normalization

If so, have you tried following the written solution?

Behrad | Last updated: Aug 28, 2022 06:17AM UTC

Hi, yes, I'm following the solution, but I can't get cache: hit at all.

Behrad | Last updated: Aug 28, 2022 06:19AM UTC