Burp Suite User Forum

Lab for "Web cache poisoning with an unkeyed header" not completing despite correct (?) solution

Andrew | Last updated: Jan 06, 2022 07:41AM UTC

Hi,

Basically, as the title says, I have done the lab for "Web cache poisoning with an unkeyed header" and succeeded in getting the alert box to pop up in my browser. However, despite this, no matter what I do the lab itself will not solve. I looked at the solution and video attached on the lab page and did them step by step, but still the same result. I also made sure I am not using any type of cachebuster and am instead poisoning the raw "/" path (and to verify this I made sure not to proxy through Burp when re-accessing the site after poisoning).

Here is a screenshot of the request I am sending in Burp: https://i.ibb.co/T4Btygr/web-cache-001.png

Here is a screenshot of the response showing my poisoned path: https://i.ibb.co/7kHLNV7/web-cache-002.png

Here is a screenshot of the alert box generated when accessing the lab URL (this was done from a different browser and not proxied through Burp, just to make sure it wasn't some issue like Burp automatically adding cachebuster params etc.): https://i.ibb.co/8sXjknw/web-cache-003.png

Here is a screenshot of the source when accessing the lab URL in the browser: https://i.ibb.co/kKMcp4J/web-cache-004.png

Finally, here is a screenshot of my exploit-server file settings, just in case there is an issue there: https://i.ibb.co/1JcCwZm/web-cache-005.png

I have tried many different things but just cannot get it working. If there is any help you can give I would be very grateful!

Best Regards,
AC

Ben, PortSwigger Agent | Last updated: Jan 06, 2022 09:44AM UTC

Hi, I have just run through this particular lab and was able to solve it using the solution so it is, at least, working as intended for some users. From the screenshots that you have provided, I cannot immediately see anything obviously wrong with what you are trying to do - just to confirm, are you sending your request more than once just in case the victim user is not visiting the page whilst the cache is poisoned?

Andrew | Last updated: Jan 06, 2022 02:31PM UTC

Hi, Thanks for the response! Yes that is correct. I even set up an intruder session to continuously resend the payload just to make sure that the user would be guaranteed to hit at some point. However I just retried the entire thing now and it worked for some reason. Wish I could tell the cause but I'm not too sure as I did it the exact same way as I did before. I'm wondering if somehow my session got messed up when attempting the lab and that that might have been the cause of the issue. Anyway, thanks a lot for your help!
