The Burp Suite User Forum will be discontinued on the 1st November 2024.

Burp Suite User Forum


Lab Exploiting path delimiters for web cache deception - Victim not visiting the exploit page

Rick | Last updated: Aug 26, 2024 10:44AM UTC

Hello, the victim in the lab in the subject does not seem to visit the exploit page when clicking on the "Deliver exploit to victim" button. I've experienced the same problem with multiple laboratory instances but it seems to never work. The access log follows:

2024-08-26 10:39:28 +0000 "GET /deliver-to-victim HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-26 10:39:30 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-26 10:39:30 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-26 10:39:36 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-26 10:39:36 +0000 "GET /log HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-26 10:39:36 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-26 10:39:50 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-26 10:39:51 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-26 10:39:51 +0000 "GET /deliver-to-victim HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-26 10:39:53 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-26 10:39:53 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
2024-08-26 10:39:56 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"

Ben, PortSwigger Agent | Last updated: Aug 27, 2024 08:34AM UTC

Hi Rick,

Can you confirm which browser you are using when you attempt this particular lab? Out of interest, are you able to solve this lab if you use a normal version of Chrome?

Rick | Last updated: Aug 31, 2024 02:05PM UTC

Hi Ben, before today, I've tried without success with all the following browsers:

- Chromium 128.0.6613.84
- Mozilla Firefox 129.0.1
- PortSwigger Chromium 127.0.6533.88

I've retried the lab today and it worked with Firefox. I guess the victim automation was just not starting properly before this time; it shouldn't depend on the browser.

Brian | Last updated: Oct 05, 2024 02:25PM UTC

I am having this same issue with the same lab - using the Burp browser. The previous Web Deception lab worked just fine a few mins ago and the user visited the exploit. In this lab there's no interaction. Tried Firefox and Chrome also.

Brian | Last updated: Oct 05, 2024 03:32PM UTC

OK, I just waited for the lab to expire again, and it worked next time.

Brian | Last updated: Oct 05, 2024 03:41PM UTC

Ah, but the issue seems to return in the next lab again. So the only lab that worked today was the first one - where the simulated user accessed my exploit - after that they have not worked. Seems the only fix for me is to let the lab time out and try again.

Brian | Last updated: Oct 05, 2024 03:43PM UTC

Should just mention also, I've encountered this issue intermittently for at least a year - on different labs, with different browsers and computers.
