Burp Suite User Forum


HTTP request smuggling to deliver reflected XSS - but there is no XSS

Martin | Last updated: Nov 22, 2022 06:57PM UTC

Hey! In the lab "Exploiting HTTP request smuggling to deliver reflected XSS", we are told that there is a reflected XSS in the userAgent header. Which I can't seem to find? The value of the userAgent header is never injected on any page. If I for example send the following request:

    POST /post/comment HTTP/1.1
    Host: 0ac70065035a66a7c00a859b00f90056.web-security-academy.net
    User-Agent: "/><script>alert(1)</script>

    csrf=V8sXW6KHb7LuFnk1nDC4Tuko2YJwyVvT&userAgent="/><script>alert(1)</script>&postId=3&comment=test&name=tes1t&email=test%40gmail.com&website=http://a.com

The "/><script>alert(1)</script> should be injected and trigger an XSS, however, this does not work. No matter what you put into any userAgent field, it is never reflected onto any page. If I set the userAgent to "blahblah", it does not get injected anywhere.

In the solution it says: "Inject an XSS payload into the User-Agent header and observe that it gets reflected", but I can't seem to get it to reflect. Is the lab broken? I am using the latest version of Firefox as my browser.

I did solve the lab by simply smuggling the request in the userAgent header, however, why does this work?

Ben, PortSwigger Agent | Last updated: Nov 23, 2022 09:59AM UTC

Hi,

The reflected XSS vulnerability is actually present in the GET request to view one of the blog posts rather than being present when you issue a POST request to add a comment to a blog post.

The following couple of screenshots illustrate this (in the examples below I have visited the blog post with the ID of 4, i.e. the resulting request that I am using is GET /post?postId=4).

The following screenshot shows that there is a hidden input on the page that appears to show the value of your User-Agent header: https://snipboard.io/qjc2eW.jpg

The following screenshot shows that you can inject an XSS payload into the User-Agent header and confirm that it also gets reflected via the hidden input: https://snipboard.io/bpX87a.jpg
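
The hidden-input reflection described in the answer above, as an added example that is not part of the original thread and is not the lab's source code: it shows why a value starting with `"/>` ends the attribute and the tag when the header is concatenated unencoded, and how attribute encoding keeps it inside the value. The markup shape, the field name `userAgent`, and all function names are assumptions.

```javascript
// Assumed markup: the lab's real template is not shown on the page.
const PREFIX = '<input type="hidden" name="userAgent" value="';

// Vulnerable pattern: header value concatenated straight into the attribute.
function renderUnsafe(userAgent) {
  return PREFIX + userAgent + '">';
}

// Encode every character that can end a quoted attribute or open a tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened pattern: same markup, value encoded for the attribute context.
function renderSafe(userAgent) {
  return PREFIX + escapeAttr(userAgent) + '">';
}

// Read the tag the way an HTML tokenizer treats a double-quoted attribute:
// the first raw quote ends the value, the next '>' ends the tag. Anything
// left over ("trailing") is parsed by the browser as new markup.
function parseHiddenInput(html) {
  if (!html.startsWith(PREFIX)) throw new Error('unexpected markup');
  const rest = html.slice(PREFIX.length);
  const endQuote = rest.indexOf('"');
  const tagEnd = rest.indexOf('>', endQuote);
  return { value: rest.slice(0, endQuote), trailing: rest.slice(tagEnd + 1) };
}

// Header value quoted in the thread.
const payload = '"/><script>alert(1)</script>';

console.log(parseHiddenInput(renderUnsafe(payload))); // script tag lands in "trailing"
console.log(parseHiddenInput(renderSafe(payload)));   // nothing escapes the attribute
```

The `value` returned for the hardened case is still entity-encoded; a browser decodes it back to the original string as inert attribute data.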
