Burp Suite User Forum

Create new post

Lab: Bypassing access controls via HTTP/2 request tunnelling - Not getting the desired response.

Gourav | Last updated: Jan 09, 2022 05:17PM UTC

Hi All, I am following the solution mentioned in the lab solution. In the last step when I change the :path to /admin, I get the following response, "HTTP/2 500 Internal Server Error Content-Type: text/html; charset=utf-8 Content-Length: 150 <html><head><title>Server Error: Proxy error</title></head><body><h1>Server Error: Received only 174 of expected 2428 bytes of data</h1></body></html>" And when I use something else in path such as /home or /administrator, I get the following response, "HTTP/2 404 Not Found Content-Type: application/json; charset=utf-8 Set-Cookie: session=b3H8XzevAZ5RHQVbxmVZE1gwpaEP5j9v; Secure; HttpOnly; SameSite=None Content-Length: 11 HTTP/1.1 40" I have tried the videos available on Youtube but I am unable to solve this lab. Please help.

Hannah, PortSwigger Agent | Last updated: Jan 12, 2022 01:29PM UTC

Hi Is it the final step that you are having issues with? Did you see the start of the tunnelled HTTP/1.1 response nested in the body of your main response when you used the "/login" path?

Diego | Last updated: Sep 20, 2022 02:02PM UTC

Blocked on the last step, I see HTTP/1.1 nidified but I still receive error server: received Only 174 of Expected 3247 Bytes of Data. Can you help me?

Hannah, PortSwigger Agent | Last updated: Sep 21, 2022 09:08AM UTC

Hi If you're on the last step, then it's expected to receive an error. Carlos should still be deleted, and the lab should be marked as solved. Please make sure that you are using HTTP/2.

Rvats | Last updated: Dec 05, 2022 09:42AM UTC

Same problem, HTTP/2 is enabled, no work is being done, no traffic is being tunneled. What is wrong on my part. How to get through this work if your solution is not relevant and does not work?

Hannah, PortSwigger Agent | Last updated: Dec 06, 2022 12:03PM UTC

Hi We've just checked this lab, and it is working as expected. Have you tried following along with a video solution instead? I found one that may be helpful here: https://www.youtube.com/watch?v=kg1aOiSvk6Q

Rvats | Last updated: Dec 07, 2022 04:10PM UTC

Hello, I am familiar with this video, I redid the work and all the steps 100500 times, the result is always the same: HTTP/2 500 Internal Server Error Content-Type: text/html; charset=utf-8 Content-Length: 150 <html><head><title>Server Error: Proxy error</title></head><body><h1>Server Error: Received only 174 of expected 2991 bytes of data</h1></body></html>

Rvats | Last updated: Dec 07, 2022 04:18PM UTC

This problem may be related to the TLS settings in the Project Options?

Rvats | Last updated: Dec 07, 2022 04:46PM UTC

Lab: Web cache poisoning via HTTP/2 request tunnelling HTTP/2 500 Internal Server Error Content-Type: text/html; charset=utf-8 Content-Length: 150 <html><head><title>Server Error: Proxy error</title></head><body><h1>Server Error: Received only 174 of expected 8188 bytes of data</h1></body></html>

Hannah, PortSwigger Agent | Last updated: Dec 08, 2022 11:59AM UTC

Did you change your :path pseudo header to "/login" instead, so that a shorter resource is returned? In step 9, you are expecting to receive this error message. Are you able to drop us an email at support@portswigger.net with some screenshots or a screen recording?

ANJOLAOLUWA | Last updated: May 19, 2023 02:26AM UTC

Hello I'm facing the same issue

Hannah, PortSwigger Agent | Last updated: May 22, 2023 10:58AM UTC

Hi I've just tested this lab and can confirm it is working as expected.

Grzegorz | Last updated: Jul 07, 2024 03:05PM UTC

hello, I am having the same issue. I have changed URL to just /post so the content-length is 27 - I am getting response body: HTTP/1.1 400 Bad Request C It is probably coming from the internal service on /admin. Here you can find souce code of my exploit: https://github.com/grzegorzSowa3/portswigger-academy-pocs/blob/main/Bypassing-access-controls-via-HTTP-2-request-tunnelling.py I have no idea what is causing this, could you please help me find a solution?

Grzegorz | Last updated: Jul 07, 2024 03:16PM UTC

And the response from back-end server has 174 bytes so there is no request on site with proper content-length to read more of it.

Hannah, PortSwigger Agent | Last updated: Jul 08, 2024 02:59PM UTC

Hi Have you tried following along with the provided solution? If so, which number step is causing the issue for you?

Grzegorz | Last updated: Jul 09, 2024 11:04AM UTC

Hi, yes I have tried. I am having this problem at step 9/10, it doesn't matter if I use /login path, because I receive only 174 bytes of response (400 Bad Request). The exploit I linked best describes the whole process.

Hannah, PortSwigger Agent | Last updated: Jul 10, 2024 08:56AM UTC

I can confirm that the lab is working as expected and is solvable using the provided solution. It does appear that your "smuggle_head" request is using HTTP for the scheme rather than https. If you change that, does it make a difference?

Grzegorz | Last updated: Jul 10, 2024 02:33PM UTC

No, sadly I still get 400

Ben, PortSwigger Agent | Last updated: Jul 10, 2024 05:12PM UTC

Hi Grzegorz, Is it possible for you to email us at support@portswigger.net and include some screenshots of the exact steps that you are carrying out so that we can see this more clearly?

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.