Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

LAB: Exploiting HTTP request smuggling to capture other users' requests support

s0mbr4 | Last updated: Jul 12, 2020 05:12PM UTC

Hi, Having trouble with the HTTP Request Smuggling lab "Exploiting HTTP request smuggling to capture other users' requests". I can get the user request to appear in the blog post comments and have been carefully incrementing the content-length to try and see the session cookie. I can see my own session cookie but with the user requests, I can't get near to the cookie header, let alone the session cookie itself. The user request contains a really long user-agent: (Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36) so I can't set a content-length that will reveal the cookie header. If the content length is too long (set to around 570) causes a server error. Is there a chance that using Firefox (and having a long user agent) is an issue with this lab?

Uthman, PortSwigger Agent | Last updated: Jul 13, 2020 08:59AM UTC

The labs are designed to be quite challenging but you should have no issue completing this in Firefox. Can you try again, please? Are you using the official solution or a video solution?

s0mbr4 | Last updated: Jul 25, 2020 11:39AM UTC

Hi, I've tried with both. I have slowly incremented the content-length of the smuggled request by 10, reaching a maximum around 570. Any higher causes an internal server error. The maximum output i get from the user's request is: testGET / HTTP/1.1 Host: ac631fe41fe2136180512a3b001400c4.web-security-academy.net Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Sec-Fetch-Dest: document Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-M I can see my own session cookie when my request is posted but as you can see, the header doesn't appear.

Uthman, PortSwigger Agent | Last updated: Jul 27, 2020 08:25AM UTC

Can you please send us an email with further information and screenshots?

Franko | Last updated: Nov 11, 2020 12:25PM UTC