Burp Suite User Forum


Lab: Cache key injection - expert lab allowing a simple solution

intrd | Last updated: Aug 03, 2021 11:45PM UTC

Hello guys, the hint for this lab is: "Solving this lab requires an understanding of several other web vulnerabilities. If you're still having trouble solving it after several hours, we recommend completing all other topics on the Web Security Academy first." But, after identifying the unkeyed parameter "utm_content", we can simply do a "GET /?utm_content='/><script>alert(1)</script>" until it gets cached on the canonical link, stopping the 302 redir; it will trigger the XSS on the victim, solving the lab (similar solution to "Lab: Web cache poisoning via an unkeyed query parameter"). I believe this is not correct based on the hard expected solution. Thank you.
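The behaviour described in the post above, as an added example that is not part of the thread or of PortSwigger's lab code: a constructed cache leaves `utm_content` out of its key while a constructed origin reflects the request URL into the canonical link. The page template, the host name `shop.example` and both mitigations (escaping the reflection, keying the parameter) are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qsl, urlencode

UNKEYED = {"utm_content"}  # parameter the post identifies as excluded from the cache key

def cache_key(url, unkeyed=UNKEYED):
    """Cache key = path + sorted query, with the unkeyed parameters dropped."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in unkeyed]
    return parts.path + "?" + urlencode(sorted(kept))

def render(url, escape):
    """Constructed origin page: reflects the full request URL in the canonical link."""
    href = "//shop.example" + url          # host name is a placeholder
    if escape:
        href = html.escape(href, quote=True)   # mitigation 1: encode on output
    return "<link rel='canonical' href='%s'/>" % href

class Cache:
    """Minimal shared cache in front of render()."""
    def __init__(self, escape, unkeyed=UNKEYED):
        self.store, self.escape, self.unkeyed = {}, escape, unkeyed

    def get(self, url):
        key = cache_key(url, self.unkeyed)
        if key not in self.store:          # miss: fetch from origin and store
            self.store[key] = render(url, self.escape)
        return self.store[key]

def victim_gets_script(cache):
    """First request carries markup in utm_content; the second is a plain GET /."""
    cache.get("/?utm_content='/><script>alert(1)</script>")
    return "<script>" in cache.get("/")

if __name__ == "__main__":
    print("unkeyed + unescaped:", victim_gets_script(Cache(escape=False)))
    print("unkeyed + escaped:  ", victim_gets_script(Cache(escape=True)))
    # mitigation 2: make the parameter part of the key
    print("keyed + unescaped:  ", victim_gets_script(Cache(escape=False, unkeyed=set())))
```

Either mitigation alone stops the script reaching the second visitor, but only escaping also fixes the reflected injection for the requester.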

Michelle, PortSwigger Agent | Last updated: Aug 04, 2021 10:20AM UTC

Thanks for the feedback :-) I've shown this to James and he agrees it looks suspiciously easy.

James | Last updated: Jul 19, 2023 05:28PM UTC

Hi, Sorry to necro, but this still works to solve the lab, whereas the actual listed solution doesn't seem to work at all. James

Michelle, PortSwigger Agent | Last updated: Jul 20, 2023 02:21PM UTC

Hi, there can sometimes be more than one way to solve a lab. We have checked the given solution, and we were also able to use that to solve it. Can you confirm the steps you're taking when you use the solution? Do you see the requests being cached? Are you using HTTP/1.1 or HTTP/2 to send the requests?

James | Last updated: Jul 21, 2023 10:55AM UTC

Hi, I just followed the steps listed, even copy/pasted the code. It may have been an issue with HTTP/1.1 or 2, although I'm not aware of it, but I also found the Param Miner extension was stopping some of the labs being solved as well, so maybe that as well.

Michelle, PortSwigger Agent | Last updated: Jul 21, 2023 12:13PM UTC

Hi, when you have time, can you try the lab again with Param Miner disabled? I didn't have any extensions installed when I was testing it. If you're still having issues, please let me know.
