The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


HTTP request smuggling to deliver reflected XSS - but there is no XSS

Martin | Last updated: Nov 22, 2022 06:57PM UTC

Hey! In the lab "Exploiting HTTP request smuggling to deliver reflected XSS", we are told that there is a reflected XSS in the userAgent header. Which I can't seem to find? The value of the userAgent header is never injected on any page. If I for example send the following request:

    POST /post/comment HTTP/1.1
    Host: 0ac70065035a66a7c00a859b00f90056.web-security-academy.net
    User-Agent: "/><script>alert(1)</script>

    csrf=V8sXW6KHb7LuFnk1nDC4Tuko2YJwyVvT&userAgent="/><script>alert(1)</script>&postId=3&comment=test&name=tes1t&email=test%40gmail.com&website=http://a.com

The "/><script>alert(1)</script> should be injected and trigger an XSS, however, this does not work. No matter what you put into any userAgent field, it is never reflected onto any page. If I set the userAgent to "blahblah", it does not get injected anywhere.

In the solution it says: "Inject an XSS payload into the User-Agent header and observe that it gets reflected", but I can't seem to get it to reflect. Is the lab broken? I am using the latest version of Firefox as my browser.

I did solve the lab by simply smuggling the request in the userAgent header, however, why does this work?

Ben, PortSwigger Agent | Last updated: Nov 23, 2022 09:59AM UTC