Burp Suite User Forum

Create new post

Lab: HTTP/2 request smuggling via CRLF injection

Georg | Last updated: Apr 24, 2023 10:14AM UTC

Hello, I am doing the 'Lab: HTTP/2 request smuggling via CRLF injection', but for some reason, the GET request always contains a session cookie that is truncated (consists only of four characters); the full session cookie never shows, so I cannot resolve the lab. Has anyone run into this ? I have tried several content length values, no difference.

Ben, PortSwigger Agent | Last updated: Apr 24, 2023 12:53PM UTC

Hi Georg, I have just run through this particular lab and was able to solve it using the solution provided so it does appear to be working as expected. Are you able to share some details of the request that you are sending (details of the body and the request header that you have added would be useful). What Content-Length values have you tried? If it is easier to send these details via email (where you can attach screenshots) then please feel free to email us at support@portswigger.net.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.