Burp Suite User Forum

Lab: Combining web cache poisoning vulnerabilities

Luca | Last updated: Aug 24, 2020 01:30PM UTC

Has anyone noticed an issue with Param Miner not being able to find the headers required for this lab? Not sure if it's my Param Miner, my Burp, or the lab itself. I've tried disabling nearly all the other extensions, but my Logger++ shows that after some requests, nothing else is sent. Sometimes it finds a header which is not really unkeyed or in any case is not what we need (see the solution). The extension doesn't actually say it has completed its task, but it somehow just seems to hang. Burp 2020.8.1, updated just today.

Luca | Last updated: Aug 24, 2020 01:47PM UTC

Now I've removed and re-added the Param Miner extension. I was able to "complete" a Guess Headers attack but still one of the two required headers was not found. Is it required to configure Param Miner in a specific way to find both?

Michelle, PortSwigger Agent | Last updated: Aug 24, 2020 03:22PM UTC

Which header were you able to find?

Luca | Last updated: Aug 24, 2020 09:55PM UTC

It finds X-Forwarded-Host but not the other one. I assume at least 10 people found both headers because the Solution becomes available after a lab is solved by 10 people, right?

Michelle, PortSwigger Agent | Last updated: Aug 25, 2020 10:20AM UTC

That's right, the solutions are only published once they have been solved by 10 people. What options have you selected in Param Miner? If you let me know I can take a look.

Luca | Last updated: Aug 25, 2020 10:46AM UTC

I left the default options you have when you have just installed the extension. It doesn't seem to find X-Original-URL for me. Would you mind taking a look when you have time? Param Miner is a great extension and much more "concrete" than the Backslash Powered Scanner which it is based upon, but it has so many options and I'm not sure a wiki for it exists.

Luca | Last updated: Aug 25, 2020 09:49PM UTC

For example, it would be nice to know what the following 3 options do and how they change Param Miner behaviour: "Add fcbz cachebuster", "Add dynamic cachebuster", "Add header cachebuster", and also what the canary is for.

By the way, I'm not able to find the X-Forwarded-Host header for another lab as well. The Param Miner execution stopped with "Completed 2/3" and I'm not sure what it means :(

Michelle, PortSwigger Agent | Last updated: Aug 26, 2020 02:53PM UTC

In addition to the resources on the Academy, it's worth having a read of this and watching the presentation to help understand some of the terms you see in ParamMiner.

https://portswigger.net/research/practical-web-cache-poisoning

Also, if you have something like the Logger++ extension installed, you can have a look at the requests that are sent by extensions. Which was the other lab you were having issues with finding the X-Forwarded-Host header?

Luca | Last updated: Aug 27, 2020 09:10AM UTC

Hi Michelle, thank you for replying. The other lab is the very difficult - at least for me - "Internal cache poisoning".

Michelle, PortSwigger Agent | Last updated: Aug 27, 2020 03:20PM UTC

Thanks, we'll take a look.

Luca | Last updated: Sep 15, 2020 01:23PM UTC

Unofficial documentation for Param Miner: https://github.com/nikitastupin/param-miner-doc

Luca | Last updated: Oct 03, 2020 01:26PM UTC

Both headers now found in this lab by the latest version of ParamMiner with default settings.

Using albinowaxUtils v0.13
Loaded Param Miner v1.25

Luca | Last updated: Oct 03, 2020 02:46PM UTC

X-Forwarded-Host now found for "Internal Cache Poisoning" as well