Burp Suite User Forum

Lab: Exploiting HTTP request smuggling to capture other users' requests

Motasem | Last updated: Sep 12, 2020 09:55AM UTC

When trying to log in using the captured victim cookie, it doesn't show the lab as SOLVED and is stuck on the "Invalid CSRF: token" message. I have even tried to insert "Cookie: victim-fingerprint=xxxx; session=xxxx; secret=xxxx" in the header, but it also doesn't work! I tried different browsers, used incognito, and cleared the browser's cache and cookies, but unfortunately with the same result! HELP PLEASE!! The weird thing is that I followed the same steps shown in the video below (Michael Sommer): https://youtu.be/lzpONjsQlXo

Michelle, PortSwigger Agent | Last updated: Sep 14, 2020 10:50AM UTC

Hi, have you been able to successfully get the whole of the victim's cookie to display in the blog post? Are you using the Intercept tab to edit the login request as in the video?

Motasem | Last updated: Sep 15, 2020 06:45PM UTC

Yes, I have. In the video he got the "Invalid CSRF: token message" once and then the lab was solved, but unfortunately in my case it gets stuck on the Invalid CSRF error message.

Ben, PortSwigger Agent | Last updated: Sep 16, 2020 10:59AM UTC

Are you able to walk us through the steps that you have taken to see if we can offer any further guidance?
